Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
zyx3qItgQK.exe

Overview

General Information

Sample name:zyx3qItgQK.exe
renamed because original name is a hash value
Original sample name:1D641A341DF0631BF135F5767440DF01.exe
Analysis ID:1384274
MD5:1d641a341df0631bf135f5767440df01
SHA1:2e76be5d5a7f0bae3657a649eb60f47c4fbde3cf
SHA256:3fa1b0d5ab8cc2b3435718e8b625e63e651a6d3df4d7657dc8c3859caeb5b4e9
Tags:exenjratRAT
Infos:

Detection

Njrat
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops fake system file at system root drive
Snort IDS alert for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates autorun.inf (USB autostart)
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Protects its processes via BreakOnTermination flag
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses netsh to modify the Windows network and firewall settings
Uses taskkill to terminate AV processes
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Classification

Process Tree

  • System is w10x64
  • zyx3qItgQK.exe (PID: 5576 cmdline: C:\Users\user\Desktop\zyx3qItgQK.exe MD5: 1D641A341DF0631BF135F5767440DF01)
    • ESET Service.exe (PID: 5872 cmdline: "C:\Users\user\AppData\Roaming\ESET Service.exe" MD5: 1D641A341DF0631BF135F5767440DF01)
      • netsh.exe (PID: 3908 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\ESET Service.exe" "ESET Service.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 3536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 1812 cmdline: taskkill /F /IM taskmgr.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • ESET Service.exe (PID: 3492 cmdline: "C:\Users\user\AppData\Roaming\ESET Service.exe" .. MD5: 1D641A341DF0631BF135F5767440DF01)
  • ESET Service.exe (PID: 3928 cmdline: "C:\Users\user\AppData\Roaming\ESET Service.exe" .. MD5: 1D641A341DF0631BF135F5767440DF01)
  • ESET Service.exe (PID: 4044 cmdline: "C:\Users\user\AppData\Roaming\ESET Service.exe" .. MD5: 1D641A341DF0631BF135F5767440DF01)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
NjRATRedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "6.tcp.eu.ngrok.io", "Port": "12041", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "ESET Service.exe", "Install Dir": "AppData"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
zyx3qItgQK.exeJoeSecurity_NjratYara detected NjratJoe Security
    zyx3qItgQK.exeWindows_Trojan_Njrat_30f3c220unknownunknown
    • 0x64c1:$a1: get_Registry
    • 0x7efe:$a3: Download ERROR
    • 0x81f0:$a5: netsh firewall delete allowedprogram "
    zyx3qItgQK.exenjrat1Identify njRatBrian Wallace @botnet_hunter
    • 0x80e6:$a1: netsh firewall add allowedprogram
    • 0x82e0:$b1: [TAP]
    • 0x8286:$b2: & exit
    • 0x8252:$c1: md.exe /k ping 0 & del
    zyx3qItgQK.exeMALWARE_Win_NjRATDetects NjRAT / BladabindiditekSHen
    • 0x81f0:$s1: netsh firewall delete allowedprogram
    • 0x80e6:$s2: netsh firewall add allowedprogram
    • 0x8250:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
    • 0x7eda:$s4: Execute ERROR
    • 0x7f3a:$s4: Execute ERROR
    • 0x7efe:$s5: Download ERROR
    • 0x8296:$s6: [kl]

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\Users\user\AppData\Roaming\ESET Service.exeJoeSecurity_NjratYara detected NjratJoe Security
      C:\Users\user\AppData\Roaming\ESET Service.exeWindows_Trojan_Njrat_30f3c220unknownunknown
      • 0x64c1:$a1: get_Registry
      • 0x7efe:$a3: Download ERROR
      • 0x81f0:$a5: netsh firewall delete allowedprogram "
      C:\Users\user\AppData\Roaming\ESET Service.exenjrat1Identify njRatBrian Wallace @botnet_hunter
      • 0x80e6:$a1: netsh firewall add allowedprogram
      • 0x82e0:$b1: [TAP]
      • 0x8286:$b2: & exit
      • 0x8252:$c1: md.exe /k ping 0 & del
      C:\Users\user\AppData\Roaming\ESET Service.exeMALWARE_Win_NjRATDetects NjRAT / BladabindiditekSHen
      • 0x81f0:$s1: netsh firewall delete allowedprogram
      • 0x80e6:$s2: netsh firewall add allowedprogram
      • 0x8250:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
      • 0x7eda:$s4: Execute ERROR
      • 0x7f3a:$s4: Execute ERROR
      • 0x7efe:$s5: Download ERROR
      • 0x8296:$s6: [kl]
      C:\svchost.exeJoeSecurity_NjratYara detected NjratJoe Security
        Click to see the 7 entries

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000000.00000000.2051599274.0000000000852000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_NjratYara detected NjratJoe Security
          00000000.00000000.2051599274.0000000000852000.00000002.00000001.01000000.00000003.sdmpWindows_Trojan_Njrat_30f3c220unknownunknown
          • 0x62c1:$a1: get_Registry
          • 0x7cfe:$a3: Download ERROR
          • 0x7ff0:$a5: netsh firewall delete allowedprogram "
          00000000.00000000.2051599274.0000000000852000.00000002.00000001.01000000.00000003.sdmpnjrat1Identify njRatBrian Wallace @botnet_hunter
          • 0x7ee6:$a1: netsh firewall add allowedprogram
          • 0x80e0:$b1: [TAP]
          • 0x8086:$b2: & exit
          • 0x8052:$c1: md.exe /k ping 0 & del
          00000002.00000002.4507767686.0000000002B61000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_NjratYara detected NjratJoe Security
            Process Memory Space: zyx3qItgQK.exe PID: 5576JoeSecurity_NjratYara detected NjratJoe Security
              Click to see the 1 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              0.0.zyx3qItgQK.exe.850000.0.unpackJoeSecurity_NjratYara detected NjratJoe Security
                0.0.zyx3qItgQK.exe.850000.0.unpackWindows_Trojan_Njrat_30f3c220unknownunknown
                • 0x64c1:$a1: get_Registry
                • 0x7efe:$a3: Download ERROR
                • 0x81f0:$a5: netsh firewall delete allowedprogram "
                0.0.zyx3qItgQK.exe.850000.0.unpacknjrat1Identify njRatBrian Wallace @botnet_hunter
                • 0x80e6:$a1: netsh firewall add allowedprogram
                • 0x82e0:$b1: [TAP]
                • 0x8286:$b2: & exit
                • 0x8252:$c1: md.exe /k ping 0 & del
                0.0.zyx3qItgQK.exe.850000.0.unpackMALWARE_Win_NjRATDetects NjRAT / BladabindiditekSHen
                • 0x81f0:$s1: netsh firewall delete allowedprogram
                • 0x80e6:$s2: netsh firewall add allowedprogram
                • 0x8250:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
                • 0x7eda:$s4: Execute ERROR
                • 0x7f3a:$s4: Execute ERROR
                • 0x7efe:$s5: Download ERROR
                • 0x8296:$s6: [kl]

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Files With System Process Name In Unsuspected Locations
                Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\ESET Service.exe, ProcessId: 5872, TargetFilename: D:\svchost.exe
                Sigma detected: CurrentVersion Autorun Keys Modification
                Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\ESET Service.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\ESET Service.exe, ProcessId: 5872, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7891fdab3e9ec8884436ba440a809c8a
                Sigma detected: Startup Folder File Write
                Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\ESET Service.exe, ProcessId: 5872, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe
                Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\AppData\Roaming\ESET Service.exe" , CommandLine: "C:\Users\user\AppData\Roaming\ESET Service.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\ESET Service.exe, NewProcessName: C:\Users\user\AppData\Roaming\ESET Service.exe, OriginalFileName: C:\Users\user\AppData\Roaming\ESET Service.exe, ParentCommandLine: C:\Users\user\Desktop\zyx3qItgQK.exe, ParentImage: C:\Users\user\Desktop\zyx3qItgQK.exe, ParentProcessId: 5576, ParentProcessName: zyx3qItgQK.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\ESET Service.exe" , ProcessId: 5872, ProcessName: ESET Service.exe
                Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
                Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Roaming\ESET Service.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\ESET Service.exe, ProcessId: 5872, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7891fdab3e9ec8884436ba440a809c8a

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Sigma detected: Drops fake system file at system root drive
                Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\ESET Service.exe, ProcessId: 5872, TargetFilename: C:\svchost.exe

                Snort Signatures

                Timestamp:192.168.2.63.69.115.17849707120412033132 01/31/24-18:02:40.293747
                SID:2033132
                Source Port:49707
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849711120412825564 01/31/24-18:03:57.860489
                SID:2825564
                Source Port:49711
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.618.197.239.10949713120412814856 01/31/24-18:04:50.646104
                SID:2814856
                Source Port:49713
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.68.171.11949714120412825563 01/31/24-18:05:23.258517
                SID:2825563
                Source Port:49714
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.618.197.239.10949712120412033132 01/31/24-18:04:17.975768
                SID:2033132
                Source Port:49712
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.68.171.11949714120412825564 01/31/24-18:05:51.313700
                SID:2825564
                Source Port:49714
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.68.171.11949715120412825564 01/31/24-18:05:55.916285
                SID:2825564
                Source Port:49715
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849707120412825563 01/31/24-18:02:40.497750
                SID:2825563
                Source Port:49707
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849710120412825564 01/31/24-18:03:36.423392
                SID:2825564
                Source Port:49710
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.618.197.239.10949712120412814856 01/31/24-18:04:18.182874
                SID:2814856
                Source Port:49712
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849699120412814860 01/31/24-18:02:13.547863
                SID:2814860
                Source Port:49699
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849707120412825564 01/31/24-18:03:10.096095
                SID:2825564
                Source Port:49707
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.618.197.239.10949713120412033132 01/31/24-18:04:50.445338
                SID:2033132
                Source Port:49713
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849711120412825563 01/31/24-18:03:45.587236
                SID:2825563
                Source Port:49711
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849707120412814856 01/31/24-18:02:40.497750
                SID:2814856
                Source Port:49707
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849710120412033132 01/31/24-18:03:12.896650
                SID:2033132
                Source Port:49710
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.68.171.11949714120412814856 01/31/24-18:05:23.258517
                SID:2814856
                Source Port:49714
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.68.171.11949715120412814856 01/31/24-18:05:55.717331
                SID:2814856
                Source Port:49715
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849710120412814860 01/31/24-18:03:43.043933
                SID:2814860
                Source Port:49710
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849711120412814860 01/31/24-18:03:57.860489
                SID:2814860
                Source Port:49711
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849711120412033132 01/31/24-18:03:45.382419
                SID:2033132
                Source Port:49711
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849710120412814856 01/31/24-18:03:13.103025
                SID:2814856
                Source Port:49710
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.618.197.239.10949712120412814860 01/31/24-18:04:48.199794
                SID:2814860
                Source Port:49712
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849699120412825564 01/31/24-18:02:13.547863
                SID:2825564
                Source Port:49699
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849711120412814856 01/31/24-18:03:45.587236
                SID:2814856
                Source Port:49711
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849699120412825563 01/31/24-18:02:08.215265
                SID:2825563
                Source Port:49699
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849699120412033132 01/31/24-18:02:07.907549
                SID:2033132
                Source Port:49699
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.618.197.239.10949713120412814860 01/31/24-18:05:18.691447
                SID:2814860
                Source Port:49713
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849699120412814856 01/31/24-18:02:08.215265
                SID:2814856
                Source Port:49699
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.618.197.239.10949712120412825563 01/31/24-18:04:18.182874
                SID:2825563
                Source Port:49712
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.69.115.17849707120412814860 01/31/24-18:03:10.096095
                SID:2814860
                Source Port:49707
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.618.197.239.10949712120412825564 01/31/24-18:04:47.577535
                SID:2825564
                Source Port:49712
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.68.171.11949714120412033132 01/31/24-18:05:23.054371
                SID:2033132
                Source Port:49714
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.68.171.11949715120412814860 01/31/24-18:05:55.916285
                SID:2814860
                Source Port:49715
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.68.171.11949714120412814860 01/31/24-18:05:51.313700
                SID:2814860
                Source Port:49714
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.618.197.239.10949713120412825564 01/31/24-18:05:18.691447
                SID:2825564
                Source Port:49713
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:192.168.2.63.68.171.11949715120412033132 01/31/24-18:05:55.518415
                SID:2033132
                Source Port:49715
                Destination Port:12041
                Protocol:TCP
                Classtype:A Network Trojan was detected

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: zyx3qItgQK.exeAvira: detected
                Antivirus detection for URL or domain
                Source: 6.tcp.eu.ngrok.ioAvira URL Cloud: Label: malware
                Antivirus detection for dropped file
                Source: C:\svchost.exeAvira: detection malicious, Label: TR/ATRAPS.Gen
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exeAvira: detection malicious, Label: TR/ATRAPS.Gen
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeAvira: detection malicious, Label: TR/ATRAPS.Gen
                Found malware configuration
                Source: 00000000.00000000.2051599274.0000000000852000.00000002.00000001.01000000.00000003.sdmpMalware Configuration Extractor: Njrat {"Host": "6.tcp.eu.ngrok.io", "Port": "12041", "Version": "im523", "Campaign ID": "HacKed", "Install Name": "ESET Service.exe", "Install Dir": "AppData"}
                Multi AV Scanner detection for dropped file
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeReversingLabs: Detection: 97%
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exeReversingLabs: Detection: 97%
                Source: C:\svchost.exeReversingLabs: Detection: 97%
                Multi AV Scanner detection for submitted file
                Source: zyx3qItgQK.exeReversingLabs: Detection: 97%
                Yara detected Njrat
                Source: Yara matchFile source: zyx3qItgQK.exe, type: SAMPLE
                Source: Yara matchFile source: 0.0.zyx3qItgQK.exe.850000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000000.2051599274.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.4507767686.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: zyx3qItgQK.exe PID: 5576, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: ESET Service.exe PID: 5872, type: MEMORYSTR
                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPED
                Source: Yara matchFile source: C:\svchost.exe, type: DROPPED
                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe, type: DROPPED
                Machine Learning detection for dropped file
                Source: C:\svchost.exeJoe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exeJoe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeJoe Sandbox ML: detected
                Machine Learning detection for sample
                Source: zyx3qItgQK.exeJoe Sandbox ML: detected
                Source: zyx3qItgQK.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior
                Source: zyx3qItgQK.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Spreading

                barindex
                Creates autorun.inf (USB autostart)
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeFile created: C:\autorun.infJump to behavior
                Source: zyx3qItgQK.exe, 00000000.00000000.2051599274.0000000000852000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: autorun.inf
                Source: zyx3qItgQK.exe, 00000000.00000000.2051599274.0000000000852000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: [autorun]
                Source: zyx3qItgQK.exe, 00000000.00000002.2120098959.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: autorun.inf
                Source: zyx3qItgQK.exe, 00000000.00000002.2120098959.0000000002F11000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: [autorun]
                Source: ESET Service.exe, 00000002.00000002.4507767686.0000000002B61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: autorun.inf
                Source: ESET Service.exe, 00000002.00000002.4507767686.0000000002B61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: [autorun]
                Source: zyx3qItgQK.exeBinary or memory string: autorun.inf
                Source: zyx3qItgQK.exeBinary or memory string: [autorun]
                Source: autorun.inf.2.drBinary or memory string: [autorun]
                Source: svchost.exe.2.drBinary or memory string: autorun.inf
                Source: svchost.exe.2.drBinary or memory string: [autorun]
                Source: 7891fdab3e9ec8884436ba440a809c8a.exe.2.drBinary or memory string: autorun.inf
                Source: 7891fdab3e9ec8884436ba440a809c8a.exe.2.drBinary or memory string: [autorun]
                Source: ESET Service.exe.0.drBinary or memory string: autorun.inf
                Source: ESET Service.exe.0.drBinary or memory string: [autorun]

                Networking

                barindex
                Snort IDS alert for network traffic
                Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.6:49699 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.6:49699 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.6:49699 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.6:49699 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.6:49699 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.6:49707 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.6:49707 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.6:49707 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.6:49707 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.6:49707 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.6:49710 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.6:49710 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.6:49710 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.6:49710 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.6:49711 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.6:49711 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.6:49711 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.6:49711 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.6:49711 -> 3.69.115.178:12041
                Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.6:49712 -> 18.197.239.109:12041
                Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.6:49712 -> 18.197.239.109:12041
                Source: TrafficSnort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.6:49712 -> 18.197.239.109:12041
                Source: TrafficSnort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.6:49712 -> 18.197.239.109:12041
                Source: TrafficSnort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.6:49712 -> 18.197.239.109:12041
                Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.6:49713 -> 18.197.239.109:12041
                Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.6:49713 -> 18.197.239.109:12041
                Source: TrafficSnort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.6:49713 -> 18.197.239.109:12041
                Source: TrafficSnort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.6:49713 -> 18.197.239.109:12041
                Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.6:49714 -> 3.68.171.119:12041
                Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.6:49714 -> 3.68.171.119:12041
                Source: TrafficSnort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.6:49714 -> 3.68.171.119:12041
                Source: TrafficSnort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.6:49714 -> 3.68.171.119:12041
                Source: TrafficSnort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.6:49714 -> 3.68.171.119:12041
                Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.6:49715 -> 3.68.171.119:12041
                Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.6:49715 -> 3.68.171.119:12041
                Source: TrafficSnort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.6:49715 -> 3.68.171.119:12041
                Source: TrafficSnort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.6:49715 -> 3.68.171.119:12041
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: 6.tcp.eu.ngrok.io
                Source: global trafficTCP traffic: 192.168.2.6:49699 -> 3.69.115.178:12041
                Source: global trafficTCP traffic: 192.168.2.6:49712 -> 18.197.239.109:12041
                Source: global trafficTCP traffic: 192.168.2.6:49714 -> 3.68.171.119:12041
                Source: Joe Sandbox ViewIP Address: 18.197.239.109 18.197.239.109
                Source: Joe Sandbox ViewIP Address: 3.69.115.178 3.69.115.178
                Source: Joe Sandbox ViewIP Address: 3.68.171.119 3.68.171.119
                Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
                Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
                Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownDNS traffic detected: queries for: 6.tcp.eu.ngrok.io
                Source: zyx3qItgQK.exe, svchost.exe.2.dr, 7891fdab3e9ec8884436ba440a809c8a.exe.2.dr, ESET Service.exe.0.drString found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                barindex
                Contains functionality to log keystrokes (.Net Source)
                Source: zyx3qItgQK.exe, kl.cs.Net Code: VKCodeToUnicode
                Source: ESET Service.exe.0.dr, kl.cs.Net Code: VKCodeToUnicode
                Source: 7891fdab3e9ec8884436ba440a809c8a.exe.2.dr, kl.cs.Net Code: VKCodeToUnicode
                Source: svchost.exe.2.dr, kl.cs.Net Code: VKCodeToUnicode

                E-Banking Fraud

                barindex
                Yara detected Njrat
                Source: Yara matchFile source: zyx3qItgQK.exe, type: SAMPLE
                Source: Yara matchFile source: 0.0.zyx3qItgQK.exe.850000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000000.2051599274.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.4507767686.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: zyx3qItgQK.exe PID: 5576, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: ESET Service.exe PID: 5872, type: MEMORYSTR
                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPED
                Source: Yara matchFile source: C:\svchost.exe, type: DROPPED
                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe, type: DROPPED

                Operating System Destruction

                barindex
                Protects its processes via BreakOnTermination flag
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: 01 00 00 00 Jump to behavior

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: zyx3qItgQK.exe, type: SAMPLEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                Source: zyx3qItgQK.exe, type: SAMPLEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                Source: zyx3qItgQK.exe, type: SAMPLEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                Source: 0.0.zyx3qItgQK.exe.850000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                Source: 0.0.zyx3qItgQK.exe.850000.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                Source: 0.0.zyx3qItgQK.exe.850000.0.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                Source: 00000000.00000000.2051599274.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                Source: 00000000.00000000.2051599274.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                Source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                Source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPEDMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                Source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                Source: C:\svchost.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                Source: C:\svchost.exe, type: DROPPEDMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                Source: C:\svchost.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe, type: DROPPEDMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe, type: DROPPEDMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeCode function: 2_2_04C90346 NtQuerySystemInformation,2_2_04C90346
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeCode function: 2_2_04C9010E NtSetInformationProcess,2_2_04C9010E
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeCode function: 2_2_04C900EC NtSetInformationProcess,2_2_04C900EC
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeCode function: 2_2_04C9030B NtQuerySystemInformation,2_2_04C9030B
                Source: zyx3qItgQK.exe, 00000000.00000002.2119808718.0000000000EAE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs zyx3qItgQK.exe
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: shfolder.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: avicap32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: msvfw32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dllJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dllJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeSection loaded: uxtheme.dllJump to behavior
                Source: zyx3qItgQK.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: zyx3qItgQK.exe, type: SAMPLEMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
                Source: zyx3qItgQK.exe, type: SAMPLEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: zyx3qItgQK.exe, type: SAMPLEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: 0.0.zyx3qItgQK.exe.850000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
                Source: 0.0.zyx3qItgQK.exe.850000.0.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: 0.0.zyx3qItgQK.exe.850000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: 00000000.00000000.2051599274.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
                Source: 00000000.00000000.2051599274.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
                Source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPEDMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPEDMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\svchost.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
                Source: C:\svchost.exe, type: DROPPEDMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: C:\svchost.exe, type: DROPPEDMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe, type: DROPPEDMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe, type: DROPPEDMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                Source: classification engineClassification label: mal100.spre.troj.adwa.spyw.evad.winEXE@12/10@4/3
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeCode function: 2_2_00A8BDA2 AdjustTokenPrivileges,2_2_00A8BDA2
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeCode function: 2_2_00A8BD6B AdjustTokenPrivileges,2_2_00A8BD6B
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeFile created: C:\Users\user\AppData\Roaming\ESET Service.exeJump to behavior
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeMutant created: NULL
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeMutant created: \Sessions\1\BaseNamedObjects\7891fdab3e9ec8884436ba440a809c8a
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3536:120:WilError_03
                Source: zyx3qItgQK.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: zyx3qItgQK.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "taskmgr.exe")
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: zyx3qItgQK.exeReversingLabs: Detection: 97%
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeFile read: C:\Users\user\Desktop\zyx3qItgQK.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\zyx3qItgQK.exe C:\Users\user\Desktop\zyx3qItgQK.exe
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess created: C:\Users\user\AppData\Roaming\ESET Service.exe "C:\Users\user\AppData\Roaming\ESET Service.exe"
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\ESET Service.exe" "ESET Service.exe" ENABLE
                Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM taskmgr.exe
                Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\ESET Service.exe "C:\Users\user\AppData\Roaming\ESET Service.exe" ..
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\ESET Service.exe "C:\Users\user\AppData\Roaming\ESET Service.exe" ..
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\ESET Service.exe "C:\Users\user\AppData\Roaming\ESET Service.exe" ..
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess created: C:\Users\user\AppData\Roaming\ESET Service.exe "C:\Users\user\AppData\Roaming\ESET Service.exe" Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\ESET Service.exe" "ESET Service.exe" ENABLEJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM taskmgr.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
                Source: zyx3qItgQK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior
                Source: zyx3qItgQK.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                barindex
                .NET source code contains potential unpacker
                Source: zyx3qItgQK.exe, OK.cs.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
                Source: ESET Service.exe.0.dr, OK.cs.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
                Source: 7891fdab3e9ec8884436ba440a809c8a.exe.2.dr, OK.cs.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
                Source: svchost.exe.2.dr, OK.cs.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeCode function: 2_2_010631E4 push FFFFFFE8h; iretd 2_2_010631ED

                Persistence and Installation Behavior

                barindex
                Drops PE files with benign system names
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeFile created: C:\svchost.exeJump to dropped file
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeFile created: C:\svchost.exeJump to dropped file
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exeJump to dropped file
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeFile created: C:\Users\user\AppData\Roaming\ESET Service.exeJump to dropped file

                Boot Survival

                barindex
                Creates autostart registry keys with suspicious names
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7891fdab3e9ec8884436ba440a809c8aJump to behavior
                Drops PE files to the startup folder
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exeJump to dropped file
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe\:Zone.Identifier:$DATAJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7891fdab3e9ec8884436ba440a809c8aJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7891fdab3e9ec8884436ba440a809c8aJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 7891fdab3e9ec8884436ba440a809c8aJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run 7891fdab3e9ec8884436ba440a809c8aJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeMemory allocated: E90000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeMemory allocated: 2F10000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeMemory allocated: 1230000 memory commit | memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeMemory allocated: C40000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeMemory allocated: 2B60000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeMemory allocated: E80000 memory commit | memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeMemory allocated: 1510000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeMemory allocated: 3190000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeMemory allocated: 5190000 memory commit | memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeMemory allocated: 1690000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeMemory allocated: 30A0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeMemory allocated: 1690000 memory commit | memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeMemory allocated: 9C0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeMemory allocated: 2710000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeMemory allocated: A30000 memory commit | memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeCode function: 0_2_0131000C rdtsc 0_2_0131000C
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeWindow / User API: threadDelayed 3214Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeWindow / User API: threadDelayed 934Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeWindow / User API: threadDelayed 4219Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeWindow / User API: foregroundWindowGot 458Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeWindow / User API: foregroundWindowGot 1254Jump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exe TID: 3660Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exe TID: 5844Thread sleep time: -934000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exe TID: 5844Thread sleep time: -4219000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exe TID: 4396Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exe TID: 3652Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exe TID: 6460Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: zyx3qItgQK.exe, 00000000.00000002.2119808718.0000000000F0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: zyx3qItgQK.exe, 00000000.00000002.2119808718.0000000000F0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
                Source: netsh.exe, 00000003.00000003.2187308440.00000000008C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
                Source: ESET Service.exe, 00000002.00000002.4507512114.0000000000CF9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeCode function: 0_2_0131000C rdtsc 0_2_0131000C
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                .NET source code references suspicious native API functions
                Source: zyx3qItgQK.exe, kl.csReference to suspicious API methods: MapVirtualKey(a, 0u)
                Source: zyx3qItgQK.exe, kl.csReference to suspicious API methods: GetAsyncKeyState(num2)
                Source: zyx3qItgQK.exe, OK.csReference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
                Uses taskkill to terminate AV processes
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM taskmgr.exeJump to behavior
                Source: C:\Users\user\Desktop\zyx3qItgQK.exeProcess created: C:\Users\user\AppData\Roaming\ESET Service.exe "C:\Users\user\AppData\Roaming\ESET Service.exe" Jump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM taskmgr.exeJump to behavior
                Source: ESET Service.exe, 00000002.00000002.4507767686.0000000002DA3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: program managerL.Ll\
                Source: ESET Service.exe, 00000002.00000002.4507767686.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, ESET Service.exe, 00000002.00000002.4507767686.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, ESET Service.exe, 00000002.00000002.4507767686.0000000002DA3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                Source: ESET Service.exe, 00000002.00000002.4507767686.0000000002B61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: program managerL.Llh
                Source: ESET Service.exe, 00000002.00000002.4507767686.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, ESET Service.exe, 00000002.00000002.4507767686.0000000003094000.00000004.00000800.00020000.00000000.sdmp, ESET Service.exe, 00000002.00000002.4507767686.0000000002DEA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager@9Ll
                Source: ESET Service.exe, 00000002.00000002.4507767686.0000000002E9F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: program managerL.LlL
                Source: ESET Service.exe, 00000002.00000002.4507767686.0000000002B61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: program managerL.Lll
                Source: ESET Service.exe, 00000002.00000002.4507767686.0000000002B61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: program managerL.Ll,
                Source: ESET Service.exe, 00000002.00000002.4507767686.0000000002E9F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: program managerL.LlQ
                Source: ESET Service.exe, 00000002.00000002.4507512114.0000000000CF9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Rh Program Manager,
                Source: ESET Service.exe, 00000002.00000002.4507767686.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, ESET Service.exe, 00000002.00000002.4507767686.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, ESET Service.exe, 00000002.00000002.4507767686.0000000002B61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: program manager
                Source: ESET Service.exe, 00000002.00000002.4507767686.0000000002D6F000.00000004.00000800.00020000.00000000.sdmp, ESET Service.exe, 00000002.00000002.4507767686.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, ESET Service.exe, 00000002.00000002.4507767686.0000000002DA3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: program managerL.Ll
                Source: ESET Service.exe, 00000002.00000002.4507767686.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp, ESET Service.exe, 00000002.00000002.4507767686.0000000002DEA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: program managerL.LlhA
                Source: ESET Service.exe, 00000002.00000002.4507767686.0000000002E9F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: program managerL.Lll%
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Lowering of HIPS / PFW / Operating System Security Settings

                barindex
                Modifies the windows firewall
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\ESET Service.exe" "ESET Service.exe" ENABLE
                Uses netsh to modify the Windows network and firewall settings
                Source: C:\Users\user\AppData\Roaming\ESET Service.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\ESET Service.exe" "ESET Service.exe" ENABLE

                Stealing of Sensitive Information

                barindex
                Yara detected Njrat
                Source: Yara matchFile source: zyx3qItgQK.exe, type: SAMPLE
                Source: Yara matchFile source: 0.0.zyx3qItgQK.exe.850000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000000.2051599274.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.4507767686.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: zyx3qItgQK.exe PID: 5576, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: ESET Service.exe PID: 5872, type: MEMORYSTR
                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPED
                Source: Yara matchFile source: C:\svchost.exe, type: DROPPED
                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe, type: DROPPED

                Remote Access Functionality

                barindex
                Yara detected Njrat
                Source: Yara matchFile source: zyx3qItgQK.exe, type: SAMPLE
                Source: Yara matchFile source: 0.0.zyx3qItgQK.exe.850000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000000.2051599274.0000000000852000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.4507767686.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: zyx3qItgQK.exe PID: 5576, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: ESET Service.exe PID: 5872, type: MEMORYSTR
                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\ESET Service.exe, type: DROPPED
                Source: Yara matchFile source: C:\svchost.exe, type: DROPPED
                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe, type: DROPPED

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire Infrastructure11
                Replication Through Removable Media                		1
                Windows Management Instrumentation                		221
                Registry Run Keys / Startup Folder                		1
                Access Token Manipulation                		11
                Masquerading                		1
                Input Capture                		111
                Security Software Discovery                		Remote Services1
                Input Capture                		1
                Non-Standard Port                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts1
                Native API                		1
                DLL Side-Loading                		12
                Process Injection                		311
                Disable or Modify Tools                		LSASS Memory2
                Process Discovery                		Remote Desktop ProtocolData from Removable Media1
                Non-Application Layer Protocol                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)221
                Registry Run Keys / Startup Folder                		31
                Virtualization/Sandbox Evasion                		Security Account Manager31
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared Drive11
                Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                DLL Side-Loading                		1
                Access Token Manipulation                		NTDS1
                Application Window Discovery                		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script12
                Process Injection                		LSA Secrets1
                Peripheral Device Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Obfuscated Files or Information                		Cached Domain Credentials1
                File and Directory Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                Software Packing                		DCSync13
                System Information Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1384274 Sample: zyx3qItgQK.exe Startdate: 31/01/2024 Architecture: WINDOWS Score: 100 39 6.tcp.eu.ngrok.io 2->39 47 Snort IDS alert for network traffic 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 18 other signatures 2->53 9 zyx3qItgQK.exe 1 6 2->9         started        12 ESET Service.exe 3 2->12         started        14 ESET Service.exe 2 2->14         started        16 ESET Service.exe 2 2->16         started        signatures3 process4 file5 37 C:\Users\user\AppData\...SET Service.exe, PE32 9->37 dropped 18 ESET Service.exe 2 11 9->18         started        process6 dnsIp7 41 18.197.239.109, 12041, 49712, 49713 AMAZON-02US United States 18->41 43 3.68.171.119, 12041, 49714, 49715 AMAZON-02US United States 18->43 45 6.tcp.eu.ngrok.io 3.69.115.178, 12041, 49699, 49707 AMAZON-02US United States 18->45 31 C:\svchost.exe, PE32 18->31 dropped 33 C:\...\7891fdab3e9ec8884436ba440a809c8a.exe, PE32 18->33 dropped 35 C:\autorun.inf, Microsoft 18->35 dropped 55 Uses taskkill to terminate AV processes 18->55 57 Protects its processes via BreakOnTermination flag 18->57 59 Creates autorun.inf (USB autostart) 18->59 61 Creates autostart registry keys with suspicious names 18->61 23 taskkill.exe 1 18->23         started        25 netsh.exe 2 18->25         started        file8 signatures9 process10 process11 27 conhost.exe 23->27         started        29 conhost.exe 25->29         started       

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                zyx3qItgQK.exe97%ReversingLabsByteCode-MSIL.Backdoor.Ratenjay
                zyx3qItgQK.exe100%AviraTR/ATRAPS.Gen
                zyx3qItgQK.exe100%Joe Sandbox ML

                Dropped Files

                SourceDetectionScannerLabelLink
                C:\svchost.exe100%AviraTR/ATRAPS.Gen
                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe100%AviraTR/ATRAPS.Gen
                C:\Users\user\AppData\Roaming\ESET Service.exe100%AviraTR/ATRAPS.Gen
                C:\svchost.exe100%Joe Sandbox ML
                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe100%Joe Sandbox ML
                C:\Users\user\AppData\Roaming\ESET Service.exe100%Joe Sandbox ML
                C:\Users\user\AppData\Roaming\ESET Service.exe97%ReversingLabsByteCode-MSIL.Backdoor.Ratenjay
                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe97%ReversingLabsByteCode-MSIL.Backdoor.Ratenjay
                C:\svchost.exe97%ReversingLabsByteCode-MSIL.Backdoor.Ratenjay

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                6.tcp.eu.ngrok.io100%Avira URL Cloudmalware

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                6.tcp.eu.ngrok.io
                		3.69.115.178
                		truetrue
                  		unknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  6.tcp.eu.ngrok.iotrue
                  • Avira URL Cloud: malware
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0zyx3qItgQK.exe, svchost.exe.2.dr, 7891fdab3e9ec8884436ba440a809c8a.exe.2.dr, ESET Service.exe.0.drfalse
                    		high

                    World Map of Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public IPs

                    IPDomainCountryFlagASNASN NameMalicious
                    18.197.239.109
                    		unknownUnited States
                    		16509AMAZON-02UStrue
                    3.69.115.178
                    		6.tcp.eu.ngrok.ioUnited States
                    		16509AMAZON-02UStrue
                    3.68.171.119
                    		unknownUnited States
                    		16509AMAZON-02UStrue

                    General Information

                    Joe Sandbox version:39.0.0 Ruby
                    Analysis ID:1384274
                    Start date and time:2024-01-31 18:01:06 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 7m 40s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:14
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:zyx3qItgQK.exe
                    renamed because original name is a hash value
                    Original Sample Name:1D641A341DF0631BF135F5767440DF01.exe
                    Detection:MAL
                    Classification:mal100.spre.troj.adwa.spyw.evad.winEXE@12/10@4/3
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 99%
                    • Number of executed functions: 206
                    • Number of non-executed functions: 1
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption

                    Warnings

                    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: zyx3qItgQK.exe

                    Simulations

                    Behavior and APIs

                    TimeTypeDescription
                    18:02:06AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 7891fdab3e9ec8884436ba440a809c8a "C:\Users\user\AppData\Roaming\ESET Service.exe" ..
                    18:02:14AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run 7891fdab3e9ec8884436ba440a809c8a "C:\Users\user\AppData\Roaming\ESET Service.exe" ..
                    18:02:24AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 7891fdab3e9ec8884436ba440a809c8a "C:\Users\user\AppData\Roaming\ESET Service.exe" ..
                    18:02:32AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe
                    18:02:37API Interceptor119976x Sleep call for process: ESET Service.exe modified

                    Joe Sandbox View / Context

                    IPs

                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    18.197.239.109226dVJ2zRZ.exeGet hashmaliciousNjratBrowse
                      IsJb5hB84q.exeGet hashmaliciousNjratBrowse
                        rkIcS0Y2WY.exeGet hashmaliciousNjratBrowse
                          30b4CoDmKk.exeGet hashmaliciousNjratBrowse
                            N1aqZIb7KG.exeGet hashmaliciousNjratBrowse
                              dKe1GfZOs1.exeGet hashmaliciousNjratBrowse
                                bRxR.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                                  ZuXcnAYgVp.exeGet hashmaliciousNjratBrowse
                                    d09l64ZAW6.exeGet hashmaliciousNjratBrowse
                                      8AKGdJOQ8N.exeGet hashmaliciousNjratBrowse
                                        3.69.115.178ziTLBa3N50.exeGet hashmaliciousNjratBrowse
                                          IsJb5hB84q.exeGet hashmaliciousNjratBrowse
                                            myidJB8lDL.exeGet hashmaliciousNjratBrowse
                                              rkIcS0Y2WY.exeGet hashmaliciousNjratBrowse
                                                30b4CoDmKk.exeGet hashmaliciousNjratBrowse
                                                  QsKtlzYaKF.exeGet hashmaliciousNjratBrowse
                                                    xZLQ8X9Cxo.exeGet hashmaliciousNjratBrowse
                                                      sCXwkZrcZ3.exeGet hashmaliciousNjratBrowse
                                                        wiUnP1h5Ex.exeGet hashmaliciousNjratBrowse
                                                          d09l64ZAW6.exeGet hashmaliciousNjratBrowse
                                                            3.68.171.119NfJ0jC2dPr.exeGet hashmaliciousNjratBrowse
                                                              226dVJ2zRZ.exeGet hashmaliciousNjratBrowse
                                                                N1aqZIb7KG.exeGet hashmaliciousNjratBrowse
                                                                  m5l9v13hIi.exeGet hashmaliciousNjratBrowse
                                                                    sCXwkZrcZ3.exeGet hashmaliciousNjratBrowse
                                                                      X5eo58PPCB.exeGet hashmaliciousNjratBrowse
                                                                        wiUnP1h5Ex.exeGet hashmaliciousNjratBrowse
                                                                          d09l64ZAW6.exeGet hashmaliciousNjratBrowse
                                                                            8AKGdJOQ8N.exeGet hashmaliciousNjratBrowse
                                                                              uPMGLG7QnV.exeGet hashmaliciousNjratBrowse

                                                                                Domains

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                6.tcp.eu.ngrok.ioNfJ0jC2dPr.exeGet hashmaliciousNjratBrowse
                                                                                • 3.69.157.220
                                                                                ziTLBa3N50.exeGet hashmaliciousNjratBrowse
                                                                                • 3.69.157.220
                                                                                1.exeGet hashmaliciousNjratBrowse
                                                                                • 3.66.38.117
                                                                                226dVJ2zRZ.exeGet hashmaliciousNjratBrowse
                                                                                • 3.69.157.220
                                                                                IsJb5hB84q.exeGet hashmaliciousNjratBrowse
                                                                                • 3.66.38.117
                                                                                Terraria.exeGet hashmaliciousNjratBrowse
                                                                                • 3.66.38.117
                                                                                myidJB8lDL.exeGet hashmaliciousNjratBrowse
                                                                                • 3.69.115.178
                                                                                rkIcS0Y2WY.exeGet hashmaliciousNjratBrowse
                                                                                • 3.69.115.178
                                                                                30b4CoDmKk.exeGet hashmaliciousNjratBrowse
                                                                                • 18.197.239.109
                                                                                N1aqZIb7KG.exeGet hashmaliciousNjratBrowse
                                                                                • 3.68.171.119

                                                                                ASNs

                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                AMAZON-02USNfJ0jC2dPr.exeGet hashmaliciousNjratBrowse
                                                                                • 3.69.157.220
                                                                                UnvB121TyH.elfGet hashmaliciousUnknownBrowse
                                                                                • 34.249.145.219
                                                                                qz91XNGYhe.elfGet hashmaliciousMiraiBrowse
                                                                                • 63.32.218.208
                                                                                UDABfsLPdO.elfGet hashmaliciousMiraiBrowse
                                                                                • 44.244.87.62
                                                                                rdDs41qwgi.elfGet hashmaliciousMiraiBrowse
                                                                                • 34.249.145.219
                                                                                tml3sr196t.elfGet hashmaliciousUnknownBrowse
                                                                                • 54.217.10.153
                                                                                https://dogfriendlytahoe.com/s/_.php?uni=jasmine.salazar-bryan@filterresources.com&aidna=Ki5kb2dmcmllbmRseXRhaG9lLmNvbQ=&u=aGlyZW9mZnNob3JlLmNvL3MveXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eWUvamFzbWluZS5zYWxhemFyLWJyeWFuQGZpbHRlcnJlc291cmNlcy5jb20=Get hashmaliciousUnknownBrowse
                                                                                • 54.230.31.114
                                                                                https://dogfriendlytahoe.com/s/_.php?uni=jasmine.salazar-bryan@filterresources.com&aidna=Ki5kb2dmcmllbmRseXRhaG9lLmNvbQ=&u=aGlyZW9mZnNob3JlLmNvL3MveXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eWUvamFzbWluZS5zYWxhemFyLWJyeWFuQGZpbHRlcnJlc291cmNlcy5jb20=Get hashmaliciousUnknownBrowse
                                                                                • 52.85.151.98
                                                                                file.exeGet hashmaliciousPureLog Stealer, RisePro StealerBrowse
                                                                                • 99.86.229.15
                                                                                a5hbkmGD7N.exeGet hashmaliciousPushdoBrowse
                                                                                • 52.219.142.64
                                                                                AMAZON-02USNfJ0jC2dPr.exeGet hashmaliciousNjratBrowse
                                                                                • 3.69.157.220
                                                                                UnvB121TyH.elfGet hashmaliciousUnknownBrowse
                                                                                • 34.249.145.219
                                                                                qz91XNGYhe.elfGet hashmaliciousMiraiBrowse
                                                                                • 63.32.218.208
                                                                                UDABfsLPdO.elfGet hashmaliciousMiraiBrowse
                                                                                • 44.244.87.62
                                                                                rdDs41qwgi.elfGet hashmaliciousMiraiBrowse
                                                                                • 34.249.145.219
                                                                                tml3sr196t.elfGet hashmaliciousUnknownBrowse
                                                                                • 54.217.10.153
                                                                                https://dogfriendlytahoe.com/s/_.php?uni=jasmine.salazar-bryan@filterresources.com&aidna=Ki5kb2dmcmllbmRseXRhaG9lLmNvbQ=&u=aGlyZW9mZnNob3JlLmNvL3MveXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eWUvamFzbWluZS5zYWxhemFyLWJyeWFuQGZpbHRlcnJlc291cmNlcy5jb20=Get hashmaliciousUnknownBrowse
                                                                                • 54.230.31.114
                                                                                https://dogfriendlytahoe.com/s/_.php?uni=jasmine.salazar-bryan@filterresources.com&aidna=Ki5kb2dmcmllbmRseXRhaG9lLmNvbQ=&u=aGlyZW9mZnNob3JlLmNvL3MveXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eWUvamFzbWluZS5zYWxhemFyLWJyeWFuQGZpbHRlcnJlc291cmNlcy5jb20=Get hashmaliciousUnknownBrowse
                                                                                • 52.85.151.98
                                                                                file.exeGet hashmaliciousPureLog Stealer, RisePro StealerBrowse
                                                                                • 99.86.229.15
                                                                                a5hbkmGD7N.exeGet hashmaliciousPushdoBrowse
                                                                                • 52.219.142.64
                                                                                AMAZON-02USNfJ0jC2dPr.exeGet hashmaliciousNjratBrowse
                                                                                • 3.69.157.220
                                                                                UnvB121TyH.elfGet hashmaliciousUnknownBrowse
                                                                                • 34.249.145.219
                                                                                qz91XNGYhe.elfGet hashmaliciousMiraiBrowse
                                                                                • 63.32.218.208
                                                                                UDABfsLPdO.elfGet hashmaliciousMiraiBrowse
                                                                                • 44.244.87.62
                                                                                rdDs41qwgi.elfGet hashmaliciousMiraiBrowse
                                                                                • 34.249.145.219
                                                                                tml3sr196t.elfGet hashmaliciousUnknownBrowse
                                                                                • 54.217.10.153
                                                                                https://dogfriendlytahoe.com/s/_.php?uni=jasmine.salazar-bryan@filterresources.com&aidna=Ki5kb2dmcmllbmRseXRhaG9lLmNvbQ=&u=aGlyZW9mZnNob3JlLmNvL3MveXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eWUvamFzbWluZS5zYWxhemFyLWJyeWFuQGZpbHRlcnJlc291cmNlcy5jb20=Get hashmaliciousUnknownBrowse
                                                                                • 54.230.31.114
                                                                                https://dogfriendlytahoe.com/s/_.php?uni=jasmine.salazar-bryan@filterresources.com&aidna=Ki5kb2dmcmllbmRseXRhaG9lLmNvbQ=&u=aGlyZW9mZnNob3JlLmNvL3MveXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eWUvamFzbWluZS5zYWxhemFyLWJyeWFuQGZpbHRlcnJlc291cmNlcy5jb20=Get hashmaliciousUnknownBrowse
                                                                                • 52.85.151.98
                                                                                file.exeGet hashmaliciousPureLog Stealer, RisePro StealerBrowse
                                                                                • 99.86.229.15
                                                                                a5hbkmGD7N.exeGet hashmaliciousPushdoBrowse
                                                                                • 52.219.142.64

                                                                                JA3 Fingerprints

                                                                                No context

                                                                                Dropped Files

                                                                                No context

                                                                                Created / dropped Files

                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\ESET Service.exe.log

                                                                                Download File
                                                                                Process:C:\Users\user\AppData\Roaming\ESET Service.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):525
                                                                                Entropy (8bit):5.259753436570609
                                                                                Encrypted:false
                                                                                SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                                                                                MD5:260E01CC001F9C4643CA7A62F395D747
                                                                                SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                                                                                SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                                                                                SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\zyx3qItgQK.exe.log

                                                                                Download File
                                                                                Process:C:\Users\user\Desktop\zyx3qItgQK.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:modified
                                                                                Size (bytes):525
                                                                                Entropy (8bit):5.259753436570609
                                                                                Encrypted:false
                                                                                SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                                                                                MD5:260E01CC001F9C4643CA7A62F395D747
                                                                                SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                                                                                SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                                                                                SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..

                                                                                C:\Users\user\AppData\Roaming\ESET Service.exe

                                                                                Download File
                                                                                Process:C:\Users\user\Desktop\zyx3qItgQK.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):37888
                                                                                Entropy (8bit):5.573297734149507
                                                                                Encrypted:false
                                                                                SSDEEP:384:KstKUiDtblmJEpRGyEf7JfJuQCY6iX1rAF+rMRTyN/0L+EcoinblneHQM3epzXk/:dtiHpR9Ef7JsQCFilrM+rMRa8Nuelt
                                                                                MD5:1D641A341DF0631BF135F5767440DF01
                                                                                SHA1:2E76BE5D5A7F0BAE3657A649EB60F47C4FBDE3CF
                                                                                SHA-256:3FA1B0D5AB8CC2B3435718E8B625E63E651A6D3DF4D7657DC8C3859CAEB5B4E9
                                                                                SHA-512:08D78D42B96734006BF0986DD666D0C5A15E2EC4C13817E82F3FE6AF55CEDE59F3685466A2B004AD765FE291B360625490C17E97FA89EF0965B09E7A448CE853
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\ESET Service.exe, Author: Joe Security
                                                                                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\ESET Service.exe, Author: unknown
                                                                                • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\ESET Service.exe, Author: Brian Wallace @botnet_hunter
                                                                                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\ESET Service.exe, Author: ditekSHen
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 97%
                                                                                Reputation:low
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e................................. ........@.. ....................................@.................................p...K.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.

                                                                                C:\Users\user\AppData\Roaming\ESET Service.exe:Zone.Identifier

                                                                                Download File
                                                                                Process:C:\Users\user\Desktop\zyx3qItgQK.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):26
                                                                                Entropy (8bit):3.95006375643621
                                                                                Encrypted:false
                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                Malicious:false
                                                                                Reputation:high, very likely benign file
                                                                                Preview:[ZoneTransfer]....ZoneId=0

                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe

                                                                                Download File
                                                                                Process:C:\Users\user\AppData\Roaming\ESET Service.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):37888
                                                                                Entropy (8bit):5.573297734149507
                                                                                Encrypted:false
                                                                                SSDEEP:384:KstKUiDtblmJEpRGyEf7JfJuQCY6iX1rAF+rMRTyN/0L+EcoinblneHQM3epzXk/:dtiHpR9Ef7JsQCFilrM+rMRa8Nuelt
                                                                                MD5:1D641A341DF0631BF135F5767440DF01
                                                                                SHA1:2E76BE5D5A7F0BAE3657A649EB60F47C4FBDE3CF
                                                                                SHA-256:3FA1B0D5AB8CC2B3435718E8B625E63E651A6D3DF4D7657DC8C3859CAEB5B4E9
                                                                                SHA-512:08D78D42B96734006BF0986DD666D0C5A15E2EC4C13817E82F3FE6AF55CEDE59F3685466A2B004AD765FE291B360625490C17E97FA89EF0965B09E7A448CE853
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe, Author: Joe Security
                                                                                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe, Author: unknown
                                                                                • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe, Author: Brian Wallace @botnet_hunter
                                                                                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe, Author: ditekSHen
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 97%
                                                                                Reputation:low
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e................................. ........@.. ....................................@.................................p...K.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.

                                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7891fdab3e9ec8884436ba440a809c8a.exe:Zone.Identifier

                                                                                Download File
                                                                                Process:C:\Users\user\AppData\Roaming\ESET Service.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):26
                                                                                Entropy (8bit):3.95006375643621
                                                                                Encrypted:false
                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                Malicious:false
                                                                                Preview:[ZoneTransfer]....ZoneId=0

                                                                                C:\autorun.inf

                                                                                Download File
                                                                                Process:C:\Users\user\AppData\Roaming\ESET Service.exe
                                                                                File Type:Microsoft Windows Autorun file
                                                                                Category:dropped
                                                                                Size (bytes):50
                                                                                Entropy (8bit):4.320240000427043
                                                                                Encrypted:false
                                                                                SSDEEP:3:It1KV2LKMACovK0x:e1KzxvD
                                                                                MD5:5B0B50BADE67C5EC92D42E971287A5D9
                                                                                SHA1:90D5C99143E7A56AD6E5EE401015F8ECC093D95A
                                                                                SHA-256:04DDE2489D2D2E6846D42250D813AB90B5CA847D527F8F2C022E6C327DC6DB53
                                                                                SHA-512:C064DC3C4185A38D1CAEBD069ACB9FDBB85DFB650D6A241036E501A09BC89FD06E267BE9D400D20E6C14B4068473D1C6557962E8D82FDFD191DB7EABB6E66821
                                                                                Malicious:true
                                                                                Preview:[autorun]..open=C:\svchost.exe..shellexecute=C:\..

                                                                                C:\svchost.exe

                                                                                Download File
                                                                                Process:C:\Users\user\AppData\Roaming\ESET Service.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):37888
                                                                                Entropy (8bit):5.573297734149507
                                                                                Encrypted:false
                                                                                SSDEEP:384:KstKUiDtblmJEpRGyEf7JfJuQCY6iX1rAF+rMRTyN/0L+EcoinblneHQM3epzXk/:dtiHpR9Ef7JsQCFilrM+rMRa8Nuelt
                                                                                MD5:1D641A341DF0631BF135F5767440DF01
                                                                                SHA1:2E76BE5D5A7F0BAE3657A649EB60F47C4FBDE3CF
                                                                                SHA-256:3FA1B0D5AB8CC2B3435718E8B625E63E651A6D3DF4D7657DC8C3859CAEB5B4E9
                                                                                SHA-512:08D78D42B96734006BF0986DD666D0C5A15E2EC4C13817E82F3FE6AF55CEDE59F3685466A2B004AD765FE291B360625490C17E97FA89EF0965B09E7A448CE853
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\svchost.exe, Author: Joe Security
                                                                                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\svchost.exe, Author: unknown
                                                                                • Rule: njrat1, Description: Identify njRat, Source: C:\svchost.exe, Author: Brian Wallace @botnet_hunter
                                                                                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\svchost.exe, Author: ditekSHen
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 97%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e................................. ........@.. ....................................@.................................p...K.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.

                                                                                C:\svchost.exe:Zone.Identifier

                                                                                Download File
                                                                                Process:C:\Users\user\AppData\Roaming\ESET Service.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):26
                                                                                Entropy (8bit):3.95006375643621
                                                                                Encrypted:false
                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                Malicious:false
                                                                                Preview:[ZoneTransfer]....ZoneId=0

                                                                                \Device\ConDrv

                                                                                Download File
                                                                                Process:C:\Windows\SysWOW64\netsh.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):313
                                                                                Entropy (8bit):4.971939296804078
                                                                                Encrypted:false
                                                                                SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                                                                                MD5:689E2126A85BF55121488295EE068FA1
                                                                                SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                                                                                SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                                                                                SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                                                                                Malicious:false
                                                                                Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

                                                                                Static File Info

                                                                                General

                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Entropy (8bit):5.573297734149507
                                                                                TrID:
                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                File name:zyx3qItgQK.exe
                                                                                File size:37'888 bytes
                                                                                MD5:1d641a341df0631bf135f5767440df01
                                                                                SHA1:2e76be5d5a7f0bae3657a649eb60f47c4fbde3cf
                                                                                SHA256:3fa1b0d5ab8cc2b3435718e8b625e63e651a6d3df4d7657dc8c3859caeb5b4e9
                                                                                SHA512:08d78d42b96734006bf0986dd666d0c5a15e2ec4c13817e82f3fe6af55cede59f3685466a2b004ad765fe291b360625490c17e97fa89ef0965b09e7a448ce853
                                                                                SSDEEP:384:KstKUiDtblmJEpRGyEf7JfJuQCY6iX1rAF+rMRTyN/0L+EcoinblneHQM3epzXk/:dtiHpR9Ef7JsQCFilrM+rMRa8Nuelt
                                                                                TLSH:3D032A4D7FE18168C5FD467B05B2D41207BBE04B6E23D90ECEE564AA37636C18B50AF2
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e................................. ........@.. ....................................@................................

                                                                                File Icon

                                                                                Icon Hash:00928e8e8686b000

                                                                                Static PE Info

                                                                                General

                                                                                Entrypoint:0x40abbe
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x65B41CD0 [Fri Jan 26 20:57:52 2024 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:4
                                                                                OS Version Minor:0
                                                                                File Version Major:4
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:4
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                Entrypoint Preview

                                                                                Instruction
                                                                                jmp dword ptr [00402000h]
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al
                                                                                add byte ptr [eax], al

                                                                                Data Directories

                                                                                NameVirtual AddressVirtual Size Is in Section
                                                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_IMPORT0xab700x4b.text
                                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0xc0000x240.rsrc
                                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0xe0000xc.reloc
                                                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                Sections

                                                                                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                .text0x20000x8bc40x8c00459c332f63a31fff36bf80b50c01a6e0False0.4636160714285714data5.604798648983626IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                .rsrc0xc0000x2400x400f7ce2f7b506ce16c06c85a549ef2cd98False0.3134765625data4.968771659524424IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                .reloc0xe0000xc0x200163d66697186c0743c0da6f82247a39aFalse0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                Resources

                                                                                NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                RT_MANIFEST0xc0580x1e7XML 1.0 document, ASCII text, with CRLF line terminators0.5338809034907598

                                                                                Imports

                                                                                DLLImport
                                                                                mscoree.dll_CorExeMain

                                                                                Network Behavior

                                                                                Snort IDS Alerts

                                                                                TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                192.168.2.63.69.115.17849707120412033132 01/31/24-18:02:40.293747TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4970712041192.168.2.63.69.115.178
                                                                                192.168.2.63.69.115.17849711120412825564 01/31/24-18:03:57.860489TCP2825564ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)4971112041192.168.2.63.69.115.178
                                                                                192.168.2.618.197.239.10949713120412814856 01/31/24-18:04:50.646104TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4971312041192.168.2.618.197.239.109
                                                                                192.168.2.63.68.171.11949714120412825563 01/31/24-18:05:23.258517TCP2825563ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)4971412041192.168.2.63.68.171.119
                                                                                192.168.2.618.197.239.10949712120412033132 01/31/24-18:04:17.975768TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4971212041192.168.2.618.197.239.109
                                                                                192.168.2.63.68.171.11949714120412825564 01/31/24-18:05:51.313700TCP2825564ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)4971412041192.168.2.63.68.171.119
                                                                                192.168.2.63.68.171.11949715120412825564 01/31/24-18:05:55.916285TCP2825564ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)4971512041192.168.2.63.68.171.119
                                                                                192.168.2.63.69.115.17849707120412825563 01/31/24-18:02:40.497750TCP2825563ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)4970712041192.168.2.63.69.115.178
                                                                                192.168.2.63.69.115.17849710120412825564 01/31/24-18:03:36.423392TCP2825564ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)4971012041192.168.2.63.69.115.178
                                                                                192.168.2.618.197.239.10949712120412814856 01/31/24-18:04:18.182874TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4971212041192.168.2.618.197.239.109
                                                                                192.168.2.63.69.115.17849699120412814860 01/31/24-18:02:13.547863TCP2814860ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)4969912041192.168.2.63.69.115.178
                                                                                192.168.2.63.69.115.17849707120412825564 01/31/24-18:03:10.096095TCP2825564ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)4970712041192.168.2.63.69.115.178
                                                                                192.168.2.618.197.239.10949713120412033132 01/31/24-18:04:50.445338TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4971312041192.168.2.618.197.239.109
                                                                                192.168.2.63.69.115.17849711120412825563 01/31/24-18:03:45.587236TCP2825563ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)4971112041192.168.2.63.69.115.178
                                                                                192.168.2.63.69.115.17849707120412814856 01/31/24-18:02:40.497750TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4970712041192.168.2.63.69.115.178
                                                                                192.168.2.63.69.115.17849710120412033132 01/31/24-18:03:12.896650TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4971012041192.168.2.63.69.115.178
                                                                                192.168.2.63.68.171.11949714120412814856 01/31/24-18:05:23.258517TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4971412041192.168.2.63.68.171.119
                                                                                192.168.2.63.68.171.11949715120412814856 01/31/24-18:05:55.717331TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4971512041192.168.2.63.68.171.119
                                                                                192.168.2.63.69.115.17849710120412814860 01/31/24-18:03:43.043933TCP2814860ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)4971012041192.168.2.63.69.115.178
                                                                                192.168.2.63.69.115.17849711120412814860 01/31/24-18:03:57.860489TCP2814860ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)4971112041192.168.2.63.69.115.178
                                                                                192.168.2.63.69.115.17849711120412033132 01/31/24-18:03:45.382419TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4971112041192.168.2.63.69.115.178
                                                                                192.168.2.63.69.115.17849710120412814856 01/31/24-18:03:13.103025TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4971012041192.168.2.63.69.115.178
                                                                                192.168.2.618.197.239.10949712120412814860 01/31/24-18:04:48.199794TCP2814860ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)4971212041192.168.2.618.197.239.109
                                                                                192.168.2.63.69.115.17849699120412825564 01/31/24-18:02:13.547863TCP2825564ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)4969912041192.168.2.63.69.115.178
                                                                                192.168.2.63.69.115.17849711120412814856 01/31/24-18:03:45.587236TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4971112041192.168.2.63.69.115.178
                                                                                192.168.2.63.69.115.17849699120412825563 01/31/24-18:02:08.215265TCP2825563ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)4969912041192.168.2.63.69.115.178
                                                                                192.168.2.63.69.115.17849699120412033132 01/31/24-18:02:07.907549TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4969912041192.168.2.63.69.115.178
                                                                                192.168.2.618.197.239.10949713120412814860 01/31/24-18:05:18.691447TCP2814860ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)4971312041192.168.2.618.197.239.109
                                                                                192.168.2.63.69.115.17849699120412814856 01/31/24-18:02:08.215265TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4969912041192.168.2.63.69.115.178
                                                                                192.168.2.618.197.239.10949712120412825563 01/31/24-18:04:18.182874TCP2825563ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)4971212041192.168.2.618.197.239.109
                                                                                192.168.2.63.69.115.17849707120412814860 01/31/24-18:03:10.096095TCP2814860ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)4970712041192.168.2.63.69.115.178
                                                                                192.168.2.618.197.239.10949712120412825564 01/31/24-18:04:47.577535TCP2825564ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)4971212041192.168.2.618.197.239.109
                                                                                192.168.2.63.68.171.11949714120412033132 01/31/24-18:05:23.054371TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4971412041192.168.2.63.68.171.119
                                                                                192.168.2.63.68.171.11949715120412814860 01/31/24-18:05:55.916285TCP2814860ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)4971512041192.168.2.63.68.171.119
                                                                                192.168.2.63.68.171.11949714120412814860 01/31/24-18:05:51.313700TCP2814860ETPRO TROJAN njRAT/Bladabindi CnC Callback (act)4971412041192.168.2.63.68.171.119
                                                                                192.168.2.618.197.239.10949713120412825564 01/31/24-18:05:18.691447TCP2825564ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)4971312041192.168.2.618.197.239.109
                                                                                192.168.2.63.68.171.11949715120412033132 01/31/24-18:05:55.518415TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4971512041192.168.2.63.68.171.119

                                                                                Network Port Distribution

                                                                                TCP Packets

                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                Jan 31, 2024 18:02:07.601418018 CET4969912041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:02:07.805454016 CET12041496993.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:02:07.805577040 CET4969912041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:02:07.907548904 CET4969912041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:02:08.215066910 CET12041496993.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:02:08.215265036 CET4969912041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:02:08.419259071 CET12041496993.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:02:13.547863007 CET4969912041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:02:13.752088070 CET12041496993.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:02:28.900213003 CET12041496993.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:02:28.900429010 CET4969912041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:02:38.062952995 CET12041496993.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:02:38.063191891 CET4969912041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:02:40.079741001 CET4969912041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:02:40.081720114 CET4970712041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:02:40.283947945 CET12041496993.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:02:40.285665989 CET12041497073.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:02:40.285768032 CET4970712041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:02:40.293746948 CET4970712041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:02:40.497543097 CET12041497073.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:02:40.497750044 CET4970712041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:02:40.704612017 CET12041497073.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:02:45.985716105 CET4970712041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:02:46.189863920 CET12041497073.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:01.408046961 CET12041497073.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:01.408262968 CET4970712041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:04.016621113 CET4970712041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:04.220837116 CET12041497073.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:05.422851086 CET4970712041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:05.627454996 CET12041497073.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:09.891772985 CET4970712041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:10.095874071 CET12041497073.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:10.096095085 CET4970712041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:10.300097942 CET12041497073.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:10.553540945 CET12041497073.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:10.553673983 CET4970712041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:12.563251972 CET4970712041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:12.686687946 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:12.767330885 CET12041497073.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:12.893023014 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:12.893107891 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:12.896650076 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:13.102838993 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:13.103024960 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:13.309340000 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:13.309528112 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:13.515840054 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:13.515919924 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:13.722246885 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:13.724965096 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:13.931380033 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:13.933017015 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:14.139467001 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:14.140997887 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:14.347431898 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:14.347940922 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:14.554300070 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:14.554886103 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:14.761329889 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:14.761437893 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:14.967714071 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:14.967852116 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:15.174918890 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:15.175065994 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:15.381402969 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:15.381515980 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:15.587723017 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:15.587874889 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:15.794327021 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:15.794482946 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:16.000735044 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:16.000849009 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:16.207130909 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:16.316586018 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:16.522900105 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:16.523035049 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:16.730045080 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:16.730274916 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:16.936695099 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:18.462435007 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:18.668821096 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:18.668972015 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:18.875329018 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:18.875544071 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:19.082005978 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:19.082247972 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:19.288566113 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:19.288774014 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:19.495158911 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:19.495253086 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:19.701575994 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:19.701700926 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:19.907911062 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:19.908051968 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:20.114242077 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:20.114315987 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:20.320647001 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:20.320739031 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:20.527123928 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:20.527244091 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:20.733539104 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:20.733762980 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:20.939939022 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:20.940077066 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:21.146306038 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:21.146503925 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:21.352988958 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:21.353179932 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:21.559432983 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:21.559568882 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:21.766057968 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:21.766273975 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:21.972605944 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:21.972764969 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:22.179260969 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:22.179394960 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:22.385607958 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:22.385739088 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:22.592129946 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:22.592344999 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:22.798768044 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:22.798854113 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:23.005201101 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:23.005403996 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:23.212618113 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:23.212690115 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:23.419682980 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:23.419892073 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:23.629147053 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:23.629268885 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:23.837130070 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:23.837222099 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:24.043637037 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:24.043847084 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:24.250507116 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:24.250653982 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:24.457289934 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:24.457396984 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:24.663806915 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:24.663904905 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:24.870610952 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:24.870702982 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:25.077100039 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:25.077184916 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:25.283478022 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:25.283571005 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:25.492559910 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:25.492657900 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:25.700622082 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:25.700737953 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:25.907181978 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:25.907291889 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:26.115231037 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:26.115314960 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:26.321651936 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:26.321763992 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:26.528301001 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:26.528404951 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:26.734882116 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:26.735022068 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:26.944813013 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:26.944966078 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:27.151447058 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:27.151541948 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:27.357853889 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:27.357934952 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:27.564412117 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:27.564667940 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:27.771356106 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:27.771533966 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:27.981117010 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:27.981219053 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:28.187783003 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:28.187941074 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:28.394503117 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:28.394599915 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:28.601280928 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:28.601389885 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:28.807903051 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:28.807991028 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:29.014520884 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:29.014626980 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:29.220937014 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:29.221079111 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:29.427647114 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:29.428050995 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:29.634608030 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:29.634783030 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:29.841295958 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:29.841414928 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:30.047949076 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:30.048135042 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:30.254626036 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:30.254765987 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:30.461827993 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:30.461968899 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:30.668775082 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:30.668912888 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:30.876468897 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:30.876558065 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:31.083039999 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:31.083163023 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:31.289518118 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:31.289648056 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:31.496117115 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:31.496198893 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:31.702677011 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:31.702816010 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:31.909219980 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:31.909388065 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:32.115822077 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:32.115915060 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:32.322360039 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:32.322534084 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:32.528887033 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:32.528995991 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:32.735898018 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:32.735979080 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:32.942154884 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:32.942230940 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:33.152281046 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:33.152393103 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:33.369033098 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:33.369131088 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:33.576632023 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:33.576771021 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:33.783014059 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:33.783226013 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:33.989511967 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:34.033833981 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:34.240119934 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:34.240199089 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:34.446418047 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:34.576956034 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:34.783373117 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:34.783528090 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:34.989964008 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:36.423392057 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:36.629802942 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:36.629914045 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:36.836122036 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:36.836333036 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:37.042574883 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:37.042635918 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:37.248862028 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:37.248934031 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:37.455301046 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:37.455403090 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:37.661576986 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:37.661690950 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:37.867861032 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:37.867933035 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:38.074071884 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:38.076492071 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:38.282614946 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:38.284929991 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:38.491097927 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:38.491163969 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:38.697371960 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:38.697443008 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:38.903558016 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:38.903683901 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:39.109802008 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:39.109880924 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:39.316071987 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:39.316173077 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:39.522322893 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:39.522440910 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:39.728607893 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:39.728708982 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:39.934999943 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:39.935103893 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:40.141377926 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:40.141499996 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:40.347789049 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:40.347893000 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:40.557548046 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:40.557820082 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:40.768435001 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:40.768515110 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:40.974749088 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:40.974951982 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:41.181274891 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:41.181428909 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:41.389956951 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:41.390049934 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:41.597595930 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:41.597753048 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:41.804147005 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:41.804239035 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:42.010566950 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:42.010660887 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:42.217143059 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:42.217540026 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:42.423923016 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:42.423993111 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:42.630192995 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:42.630274057 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:42.836669922 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:42.836797953 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:43.043826103 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:43.043932915 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:43.161653042 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:43.161719084 CET4971012041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:43.250216961 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:43.367850065 CET12041497103.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:45.174611092 CET4971112041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:45.379576921 CET12041497113.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:45.379733086 CET4971112041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:45.382419109 CET4971112041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:45.587100983 CET12041497113.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:45.587235928 CET4971112041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:45.791943073 CET12041497113.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:49.704380035 CET4971112041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:49.909182072 CET12041497113.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:03:57.860488892 CET4971112041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:03:58.068228006 CET12041497113.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:04:13.088044882 CET12041497113.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:04:13.088115931 CET4971112041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:04:15.635255098 CET12041497113.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:04:15.635339022 CET4971112041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:04:17.641540051 CET4971112041192.168.2.63.69.115.178
                                                                                Jan 31, 2024 18:04:17.763516903 CET4971212041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:17.846463919 CET12041497113.69.115.178192.168.2.6
                                                                                Jan 31, 2024 18:04:17.970702887 CET120414971218.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:17.970813990 CET4971212041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:17.975768089 CET4971212041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:18.182794094 CET120414971218.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:18.182873964 CET4971212041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:18.390026093 CET120414971218.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:21.548099041 CET4971212041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:21.755295038 CET120414971218.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:36.963793993 CET120414971218.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:36.964099884 CET4971212041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:39.454431057 CET4971212041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:39.661676884 CET120414971218.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:41.110712051 CET4971212041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:41.317789078 CET120414971218.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:45.610511065 CET4971212041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:45.817495108 CET120414971218.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:45.876240969 CET4971212041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:46.083256960 CET120414971218.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:46.844952106 CET4971212041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:47.052134991 CET120414971218.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:47.052253962 CET4971212041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:47.259253025 CET120414971218.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:47.577534914 CET4971212041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:47.784687996 CET120414971218.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:47.784951925 CET4971212041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:47.992389917 CET120414971218.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:47.992615938 CET4971212041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:48.199696064 CET120414971218.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:48.199794054 CET4971212041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:48.230387926 CET120414971218.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:48.230470896 CET4971212041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:48.407084942 CET120414971218.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:48.437495947 CET120414971218.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:50.238300085 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:50.442935944 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:50.443037033 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:50.445338011 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:50.646011114 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:50.646104097 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:50.846951008 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:50.847023010 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:51.047754049 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:51.047847986 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:51.248553038 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:51.248641014 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:51.449410915 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:51.449518919 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:51.650374889 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:51.650475979 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:51.851134062 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:51.851334095 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:52.052052975 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:52.052244902 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:52.252867937 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:52.253115892 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:52.453947067 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:52.454019070 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:52.654653072 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:52.654793978 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:52.855489016 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:52.855592966 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:53.056530952 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:53.056776047 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:53.257496119 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:04:53.257585049 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:04:53.458517075 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:05:08.706800938 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:05:08.706971884 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:05:10.563657999 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:05:10.764460087 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:05:18.691447020 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:05:18.892263889 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:05:20.706190109 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:05:20.706271887 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:05:22.719924927 CET4971312041192.168.2.618.197.239.109
                                                                                Jan 31, 2024 18:05:22.847780943 CET4971412041192.168.2.63.68.171.119
                                                                                Jan 31, 2024 18:05:22.920859098 CET120414971318.197.239.109192.168.2.6
                                                                                Jan 31, 2024 18:05:23.051953077 CET12041497143.68.171.119192.168.2.6
                                                                                Jan 31, 2024 18:05:23.052150965 CET4971412041192.168.2.63.68.171.119
                                                                                Jan 31, 2024 18:05:23.054371119 CET4971412041192.168.2.63.68.171.119
                                                                                Jan 31, 2024 18:05:23.258429050 CET12041497143.68.171.119192.168.2.6
                                                                                Jan 31, 2024 18:05:23.258517027 CET4971412041192.168.2.63.68.171.119
                                                                                Jan 31, 2024 18:05:23.462826014 CET12041497143.68.171.119192.168.2.6
                                                                                Jan 31, 2024 18:05:26.767024994 CET4971412041192.168.2.63.68.171.119
                                                                                Jan 31, 2024 18:05:26.971398115 CET12041497143.68.171.119192.168.2.6
                                                                                Jan 31, 2024 18:05:42.022066116 CET12041497143.68.171.119192.168.2.6
                                                                                Jan 31, 2024 18:05:42.022135973 CET4971412041192.168.2.63.68.171.119
                                                                                Jan 31, 2024 18:05:49.891871929 CET4971412041192.168.2.63.68.171.119
                                                                                Jan 31, 2024 18:05:50.096159935 CET12041497143.68.171.119192.168.2.6
                                                                                Jan 31, 2024 18:05:51.313699961 CET4971412041192.168.2.63.68.171.119
                                                                                Jan 31, 2024 18:05:51.517978907 CET12041497143.68.171.119192.168.2.6
                                                                                Jan 31, 2024 18:05:53.311817884 CET12041497143.68.171.119192.168.2.6
                                                                                Jan 31, 2024 18:05:53.311953068 CET4971412041192.168.2.63.68.171.119
                                                                                Jan 31, 2024 18:05:55.313688993 CET4971412041192.168.2.63.68.171.119
                                                                                Jan 31, 2024 18:05:55.316647053 CET4971512041192.168.2.63.68.171.119
                                                                                Jan 31, 2024 18:05:55.515499115 CET12041497153.68.171.119192.168.2.6
                                                                                Jan 31, 2024 18:05:55.515594959 CET4971512041192.168.2.63.68.171.119
                                                                                Jan 31, 2024 18:05:55.517741919 CET12041497143.68.171.119192.168.2.6
                                                                                Jan 31, 2024 18:05:55.518414974 CET4971512041192.168.2.63.68.171.119
                                                                                Jan 31, 2024 18:05:55.717165947 CET12041497153.68.171.119192.168.2.6
                                                                                Jan 31, 2024 18:05:55.717330933 CET4971512041192.168.2.63.68.171.119
                                                                                Jan 31, 2024 18:05:55.916188002 CET12041497153.68.171.119192.168.2.6
                                                                                Jan 31, 2024 18:05:55.916285038 CET4971512041192.168.2.63.68.171.119
                                                                                Jan 31, 2024 18:05:56.115215063 CET12041497153.68.171.119192.168.2.6

                                                                                UDP Packets

                                                                                TimestampSource PortDest PortSource IPDest IP
                                                                                Jan 31, 2024 18:02:07.478013039 CET5487153192.168.2.61.1.1.1
                                                                                Jan 31, 2024 18:02:07.598102093 CET53548711.1.1.1192.168.2.6
                                                                                Jan 31, 2024 18:03:12.565818071 CET4994253192.168.2.61.1.1.1
                                                                                Jan 31, 2024 18:03:12.685225010 CET53499421.1.1.1192.168.2.6
                                                                                Jan 31, 2024 18:04:17.642935991 CET5178253192.168.2.61.1.1.1
                                                                                Jan 31, 2024 18:04:17.762331009 CET53517821.1.1.1192.168.2.6
                                                                                Jan 31, 2024 18:05:22.726516962 CET6237653192.168.2.61.1.1.1
                                                                                Jan 31, 2024 18:05:22.845422983 CET53623761.1.1.1192.168.2.6

                                                                                DNS Queries

                                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                Jan 31, 2024 18:02:07.478013039 CET192.168.2.61.1.1.10x8d76Standard query (0)6.tcp.eu.ngrok.ioA (IP address)IN (0x0001)false
                                                                                Jan 31, 2024 18:03:12.565818071 CET192.168.2.61.1.1.10x62a2Standard query (0)6.tcp.eu.ngrok.ioA (IP address)IN (0x0001)false
                                                                                Jan 31, 2024 18:04:17.642935991 CET192.168.2.61.1.1.10x37c3Standard query (0)6.tcp.eu.ngrok.ioA (IP address)IN (0x0001)false
                                                                                Jan 31, 2024 18:05:22.726516962 CET192.168.2.61.1.1.10x7694Standard query (0)6.tcp.eu.ngrok.ioA (IP address)IN (0x0001)false

                                                                                DNS Answers

                                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                Jan 31, 2024 18:02:07.598102093 CET1.1.1.1192.168.2.60x8d76No error (0)6.tcp.eu.ngrok.io3.69.115.178A (IP address)IN (0x0001)false
                                                                                Jan 31, 2024 18:03:12.685225010 CET1.1.1.1192.168.2.60x62a2No error (0)6.tcp.eu.ngrok.io3.69.115.178A (IP address)IN (0x0001)false
                                                                                Jan 31, 2024 18:04:17.762331009 CET1.1.1.1192.168.2.60x37c3No error (0)6.tcp.eu.ngrok.io18.197.239.109A (IP address)IN (0x0001)false
                                                                                Jan 31, 2024 18:05:22.845422983 CET1.1.1.1192.168.2.60x7694No error (0)6.tcp.eu.ngrok.io3.68.171.119A (IP address)IN (0x0001)false

                                                                                Statistics

                                                                                CPU Usage

                                                                                Click to jump to process

                                                                                Memory Usage

                                                                                Click to jump to process

                                                                                High Level Behavior Distribution

                                                                                Click to dive into process behavior distribution

                                                                                Behavior

                                                                                Click to jump to process

                                                                                System Behavior

                                                                                General

                                                                                Target ID:0
                                                                                Start time:18:01:50
                                                                                Start date:31/01/2024
                                                                                Path:C:\Users\user\Desktop\zyx3qItgQK.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Users\user\Desktop\zyx3qItgQK.exe
                                                                                Imagebase:0x850000
                                                                                File size:37'888 bytes
                                                                                MD5 hash:1D641A341DF0631BF135F5767440DF01
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.2051599274.0000000000852000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.2051599274.0000000000852000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.2051599274.0000000000852000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:2
                                                                                Start time:18:01:56
                                                                                Start date:31/01/2024
                                                                                Path:C:\Users\user\AppData\Roaming\ESET Service.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\AppData\Roaming\ESET Service.exe"
                                                                                Imagebase:0x490000
                                                                                File size:37'888 bytes
                                                                                MD5 hash:1D641A341DF0631BF135F5767440DF01
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000002.00000002.4507767686.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\ESET Service.exe, Author: Joe Security
                                                                                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\ESET Service.exe, Author: unknown
                                                                                • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\ESET Service.exe, Author: Brian Wallace @botnet_hunter
                                                                                • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\ESET Service.exe, Author: ditekSHen
                                                                                Antivirus matches:
                                                                                • Detection: 100%, Avira
                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                • Detection: 97%, ReversingLabs
                                                                                Reputation:low
                                                                                Has exited:false

                                                                                General

                                                                                Target ID:3
                                                                                Start time:18:02:03
                                                                                Start date:31/01/2024
                                                                                Path:C:\Windows\SysWOW64\netsh.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\ESET Service.exe" "ESET Service.exe" ENABLE
                                                                                Imagebase:0xa60000
                                                                                File size:82'432 bytes
                                                                                MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:4
                                                                                Start time:18:02:03
                                                                                Start date:31/01/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:5
                                                                                Start time:18:02:03
                                                                                Start date:31/01/2024
                                                                                Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:taskkill /F /IM taskmgr.exe
                                                                                Imagebase:0xfe0000
                                                                                File size:74'240 bytes
                                                                                MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:6
                                                                                Start time:18:02:03
                                                                                Start date:31/01/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:10
                                                                                Start time:18:02:15
                                                                                Start date:31/01/2024
                                                                                Path:C:\Users\user\AppData\Roaming\ESET Service.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\AppData\Roaming\ESET Service.exe" ..
                                                                                Imagebase:0xb60000
                                                                                File size:37'888 bytes
                                                                                MD5 hash:1D641A341DF0631BF135F5767440DF01
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:11
                                                                                Start time:18:02:24
                                                                                Start date:31/01/2024
                                                                                Path:C:\Users\user\AppData\Roaming\ESET Service.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\AppData\Roaming\ESET Service.exe" ..
                                                                                Imagebase:0xa60000
                                                                                File size:37'888 bytes
                                                                                MD5 hash:1D641A341DF0631BF135F5767440DF01
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                General

                                                                                Target ID:13
                                                                                Start time:18:02:32
                                                                                Start date:31/01/2024
                                                                                Path:C:\Users\user\AppData\Roaming\ESET Service.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\AppData\Roaming\ESET Service.exe" ..
                                                                                Imagebase:0x30000
                                                                                File size:37'888 bytes
                                                                                MD5 hash:1D641A341DF0631BF135F5767440DF01
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Disassembly

                                                                                Reset < >

                                                                                  Execution Graph

                                                                                  Execution Coverage:11%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:0%
                                                                                  Total number of Nodes:37
                                                                                  Total number of Limit Nodes:1
                                                                                  execution_graph 1685 e2a462 1688 e2a486 RegSetValueExW 1685->1688 1687 e2a507 1688->1687 1689 e2a361 1691 e2a392 RegQueryValueExW 1689->1691 1692 e2a41b 1691->1692 1661 e2a646 1662 e2a67e CreateMutexW 1661->1662 1664 e2a6c1 1662->1664 1665 e2ac46 1666 e2ac6c ShellExecuteExW 1665->1666 1668 e2ac88 1666->1668 1669 e2a8c6 1670 e2a8ef SetFileAttributesW 1669->1670 1672 e2a90b 1670->1672 1705 e2aa07 1707 e2aa3e CopyFileW 1705->1707 1708 e2aa8e 1707->1708 1697 e2a8a4 1698 e2a8c6 SetFileAttributesW 1697->1698 1700 e2a90b 1698->1700 1701 e2ac24 1703 e2ac46 ShellExecuteExW 1701->1703 1704 e2ac88 1703->1704 1693 e2a2d2 1694 e2a2d6 SetErrorMode 1693->1694 1696 e2a33f 1694->1696 1709 e2a612 1710 e2a646 CreateMutexW 1709->1710 1712 e2a6c1 1710->1712 1677 e2a2fe 1678 e2a353 1677->1678 1679 e2a32a SetErrorMode 1677->1679 1678->1679 1680 e2a33f 1679->1680 1681 e2aa3e 1683 e2aa67 CopyFileW 1681->1683 1684 e2aa8e 1683->1684

                                                                                  Callgraph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  • Opacity -> Relevance
                                                                                  • Disassembly available
                                                                                  callgraph 0 Function_05010301 42 Function_01310606 0->42 56 Function_013105E0 0->56 62 Function_05010958 0->62 1 Function_00E2A462 2 Function_05010080 3 Function_05010B03 4 Function_00E2A361 5 Function_00E2AAE1 6 Function_05010F05 7 Function_01310734 8 Function_05010007 8->0 15 Function_05010310 8->15 8->42 45 Function_050103BD 8->45 8->56 9 Function_00E22364 10 Function_00E22264 11 Function_0501088A 11->42 11->56 12 Function_05010C8D 13 Function_00E2A56E 14 Function_00E2A172 15->42 15->56 15->62 16 Function_00E221F0 17 Function_00E2A1F4 18 Function_00E2AB74 19 Function_00E223F4 20 Function_00E22675 21 Function_00E2ACFA 22 Function_05010D98 23 Function_00E2A078 24 Function_00E2A2FE 25 Function_00E2A97E 26 Function_01310710 27 Function_00E2A540 28 Function_05010C22 29 Function_00E2A646 30 Function_00E2A8C6 31 Function_00E2AC46 32 Function_00E2A7C7 33 Function_00E2ACC7 34 Function_00E22044 35 Function_05010BA8 36 Function_00E2A74E 37 Function_00E2AACF 38 Function_00E2A2D2 39 Function_00E2A952 40 Function_01310001 41 Function_00E220D0 43 Function_05010938 44 Function_00E22458 45->42 45->56 45->62 46 Function_00E2A25E 47 Function_0131000C 48 Function_00E2A45C 49 Function_05010D40 50 Function_00E2A120 51 Function_01310074 52 Function_00E2A8A4 53 Function_00E2AC24 54 Function_00E2A02E 55 Function_0131067F 57 Function_00E22430 58 Function_00E22531 59 Function_05010E55 60 Function_00E222B4 61 Function_05010759 62->42 62->56 63 Function_05010F58 64 Function_0131066A 65 Function_00E2AA3E 66 Function_0131026D 67 Function_00E2A23C 68 Function_00E223BC 69 Function_00E2213C 70 Function_013105D0 71 Function_00E2A486 72 Function_00E2AB06 73 Function_00E2AA07 74 Function_00E2A005 75 Function_00E22005 76 Function_00E2A392 77 Function_00E2A612 78 Function_013105C0 79 Function_00E2A710 80 Function_00E22310 81 Function_00E2AC11 82 Function_00E22194 83 Function_00E2A09A 84 Function_01310648 84->64 85 Function_00E22098 86 Function_00E2AB9E 87 Function_00E2A81E

                                                                                  Executed Functions

                                                                                  Function 05010310 Relevance: 3.9, Strings: 3, Instructions: 188COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 0 5010310-5010334 2 5010336-5010338 0->2 3 501033e-5010346 0->3 2->3 4 5010348-501034d 3->4 5 501034e-5010391 3->5 9 5010393-50103ce 5->9 10 50103d8-5010418 5->10 9->10 17 501041a 10->17 18 501041f 10->18 17->18 54 501041f call 13105e0 18->54 55 501041f call 1310606 18->55 56 501041f call 5010958 18->56 19 5010425-5010434 20 5010436-5010460 19->20 21 501046b-5010523 19->21 20->21 40 5010570-5010587 21->40 41 5010525-5010569 21->41 42 5010880 40->42 43 501058d-50105bf 40->43 41->40 43->42 54->19 55->19 56->19
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2120172149.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5010000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 2Ll$2Ll$2Ll
                                                                                  • API String ID: 0-342096312
                                                                                  • Opcode ID: 43c6981086172339c0397e41b268bca7595bacf640a11e00b61e039c1a9aa3cd
                                                                                  • Instruction ID: 9be133dbbcdc3bde511298849d1ea49b7e20ea04469a8f32e41287aa69cfa1c8
                                                                                  • Opcode Fuzzy Hash: 43c6981086172339c0397e41b268bca7595bacf640a11e00b61e039c1a9aa3cd
                                                                                  • Instruction Fuzzy Hash: 915124307002049FC708EB76A425EBE7BE6ABC5204B45402DE542EB7A5DF35CC4ACBA6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 050103BD Relevance: 3.9, Strings: 3, Instructions: 135COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 57 50103bd-5010418 65 501041a 57->65 66 501041f 57->66 65->66 102 501041f call 13105e0 66->102 103 501041f call 1310606 66->103 104 501041f call 5010958 66->104 67 5010425-5010434 68 5010436-5010460 67->68 69 501046b-5010523 67->69 68->69 88 5010570-5010587 69->88 89 5010525-5010569 69->89 90 5010880 88->90 91 501058d-50105bf 88->91 89->88 91->90 102->67 103->67 104->67
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2120172149.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5010000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 2Ll$2Ll$2Ll
                                                                                  • API String ID: 0-342096312
                                                                                  • Opcode ID: 8f1cd91406061ac59235b32d5b6e746cb7b3a366034215073635f3d365346ea1
                                                                                  • Instruction ID: 9099d3293e6f5d0a2a2e1ff1ca30f3caafca4f13eb84436610246357fac24446
                                                                                  • Opcode Fuzzy Hash: 8f1cd91406061ac59235b32d5b6e746cb7b3a366034215073635f3d365346ea1
                                                                                  • Instruction Fuzzy Hash: 3741E5307001154BC708EB7AA429EBE76D76FC5208B45403DE502EB7E4DF25CD4A8BE6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 05010958 Relevance: 3.0, Strings: 2, Instructions: 483COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 105 5010958-5010993 108 5010999-5010a22 105->108 109 5010a2e-5010a30 105->109 259 5010a24 call 13105e0 108->259 260 5010a24 call 1310606 108->260 110 5010a37-5010a3c 109->110 111 5010a42-5010a7a 110->111 112 5010b1e-5010bc2 110->112 129 5010aa1-5010afc 111->129 130 5010a7c-5010a9a 111->130 149 5010bc8-5010c8b 112->149 150 5010c9e-5010ca7 112->150 167 5010b01 129->167 130->129 149->150 152 5010d51-5010d5a 150->152 153 5010cad-5010d3e 150->153 151 5010a2a-5010a2c 151->109 154 5010a32 151->154 156 5010d7a-5010d83 152->156 157 5010d5c-5010d73 152->157 153->152 154->110 159 5010d85-5010d96 156->159 160 5010da9-5010db2 156->160 157->156 159->160 165 5010f33-5010f3a 160->165 166 5010db8-5010e06 160->166 186 5010f1c-5010f2d 166->186 167->112 186->165 188 5010e0b-5010e14 186->188 189 5010f40-5010fd1 188->189 190 5010e1a-5010f1a 188->190 222 5010fd7-5010fe8 189->222 223 50110ca 189->223 190->186 240 5010f3b 190->240 230 5010fea-501100b 222->230 224 50110cc-50110d3 223->224 238 5011012-5011048 230->238 239 501100d 230->239 246 501104a 238->246 247 501104f-5011077 238->247 239->238 240->189 246->247 251 5011079-501107b 247->251 252 501107d-50110a1 247->252 251->224 255 50110a3-50110a8 252->255 256 50110aa-50110b4 252->256 255->224 257 50110b6-50110b8 256->257 258 50110ba-50110c4 256->258 257->224 258->223 258->230 259->151 260->151
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2120172149.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5010000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: :@%l$\OLl
                                                                                  • API String ID: 0-1085053772
                                                                                  • Opcode ID: 4a3b8e789dda486ae3ef04604fbdd34a9c0bee6f1fee1553ac0ceb4a58868089
                                                                                  • Instruction ID: 9fe3fe71357ee4446bb82a4caf17b6a80421fec8cb5ca281bbe3d940229d4605
                                                                                  • Opcode Fuzzy Hash: 4a3b8e789dda486ae3ef04604fbdd34a9c0bee6f1fee1553ac0ceb4a58868089
                                                                                  • Instruction Fuzzy Hash: 0E0259307002189FDB18EB74E464BAE77E2AF88208F114478D946DB7A9DF35DC46CB92
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00E2A612 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 261 e2a612-e2a695 265 e2a697 261->265 266 e2a69a-e2a6a3 261->266 265->266 267 e2a6a5 266->267 268 e2a6a8-e2a6b1 266->268 267->268 269 e2a702-e2a707 268->269 270 e2a6b3-e2a6d7 CreateMutexW 268->270 269->270 273 e2a709-e2a70e 270->273 274 e2a6d9-e2a6ff 270->274 273->274
                                                                                  APIs
                                                                                  • CreateMutexW.KERNELBASE(?,?), ref: 00E2A6B9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2119699353.0000000000E2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e2a000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateMutex
                                                                                  • String ID:
                                                                                  • API String ID: 1964310414-0
                                                                                  • Opcode ID: 293a53b24845d59b4e7b01a635341825ce53b8f2901ab34d50fc426d48d48533
                                                                                  • Instruction ID: e4109a7ac15dce06fbc6b7d5a6a95602872a6be707b3cec06043698c8c8bf4c7
                                                                                  • Opcode Fuzzy Hash: 293a53b24845d59b4e7b01a635341825ce53b8f2901ab34d50fc426d48d48533
                                                                                  • Instruction Fuzzy Hash: B331A1715093806FE711CB25DC85B96FFF8EF06314F0984AAE9848F293D365A909C762
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00E2A361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 277 e2a361-e2a3cf 280 e2a3d1 277->280 281 e2a3d4-e2a3dd 277->281 280->281 282 e2a3e2-e2a3e8 281->282 283 e2a3df 281->283 284 e2a3ea 282->284 285 e2a3ed-e2a404 282->285 283->282 284->285 287 e2a406-e2a419 RegQueryValueExW 285->287 288 e2a43b-e2a440 285->288 289 e2a442-e2a447 287->289 290 e2a41b-e2a438 287->290 288->287 289->290
                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,4271185A,00000000,00000000,00000000,00000000), ref: 00E2A40C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2119699353.0000000000E2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e2a000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: b6f9093aa25e6618c1537a9b0918f4b1d3f1874fe4ea6b7807d025841395fdc3
                                                                                  • Instruction ID: bca926ccdbb736cccfca0bc0a5bb40fcb4ce4670b3af6d386c2f1e9d2c81c150
                                                                                  • Opcode Fuzzy Hash: b6f9093aa25e6618c1537a9b0918f4b1d3f1874fe4ea6b7807d025841395fdc3
                                                                                  • Instruction Fuzzy Hash: D331BF75109780AFE722CF11DC84F96FBF8EF06314F08849AE9459B692D324E809CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00E2A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 294 e2a462-e2a4c3 297 e2a4c5 294->297 298 e2a4c8-e2a4d4 294->298 297->298 299 e2a4d6 298->299 300 e2a4d9-e2a4f0 298->300 299->300 302 e2a4f2-e2a505 RegSetValueExW 300->302 303 e2a527-e2a52c 300->303 304 e2a507-e2a524 302->304 305 e2a52e-e2a533 302->305 303->302 305->304
                                                                                  APIs
                                                                                  • RegSetValueExW.KERNELBASE(?,00000E24,4271185A,00000000,00000000,00000000,00000000), ref: 00E2A4F8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2119699353.0000000000E2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e2a000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value
                                                                                  • String ID:
                                                                                  • API String ID: 3702945584-0
                                                                                  • Opcode ID: de30b375e37b608ed1a177aa9e5dd847c81c8b843766673fc3b1f92cb8d60112
                                                                                  • Instruction ID: 3ebde8edc96e5ef14076e17b4beca52e72d72d512087c3fca44b4b5b73c71afb
                                                                                  • Opcode Fuzzy Hash: de30b375e37b608ed1a177aa9e5dd847c81c8b843766673fc3b1f92cb8d60112
                                                                                  • Instruction Fuzzy Hash: 8C21B0721053806FE7228F11DC44FA7BFB8EF46324F08849AE985DB652C364E808CB72
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00E2A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 309 e2a646-e2a695 312 e2a697 309->312 313 e2a69a-e2a6a3 309->313 312->313 314 e2a6a5 313->314 315 e2a6a8-e2a6b1 313->315 314->315 316 e2a702-e2a707 315->316 317 e2a6b3-e2a6bb CreateMutexW 315->317 316->317 318 e2a6c1-e2a6d7 317->318 320 e2a709-e2a70e 318->320 321 e2a6d9-e2a6ff 318->321 320->321
                                                                                  APIs
                                                                                  • CreateMutexW.KERNELBASE(?,?), ref: 00E2A6B9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2119699353.0000000000E2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e2a000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateMutex
                                                                                  • String ID:
                                                                                  • API String ID: 1964310414-0
                                                                                  • Opcode ID: 80646d5e60a3356ff8543b53f776110f15edaac7b078a615d2559dda6fe9df00
                                                                                  • Instruction ID: 12a79bdfd4933b48facc3f334ddfe562a60fec377a48c9b7e4c6b8c115500915
                                                                                  • Opcode Fuzzy Hash: 80646d5e60a3356ff8543b53f776110f15edaac7b078a615d2559dda6fe9df00
                                                                                  • Instruction Fuzzy Hash: A7218071601240AFE720CF25DD85BA6FBE8EF14324F18846AE9459F742D771E809CB72
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00E2AA07 Relevance: 1.6, APIs: 1, Instructions: 72fileCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 324 e2aa07-e2aa65 326 e2aa67 324->326 327 e2aa6a-e2aa70 324->327 326->327 328 e2aa72 327->328 329 e2aa75-e2aa7e 327->329 328->329 330 e2aa80-e2aaa0 CopyFileW 329->330 331 e2aac1-e2aac6 329->331 334 e2aaa2-e2aabe 330->334 335 e2aac8-e2aacd 330->335 331->330 335->334
                                                                                  APIs
                                                                                  • CopyFileW.KERNELBASE(?,?,?), ref: 00E2AA86
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2119699353.0000000000E2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e2a000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID: CopyFile
                                                                                  • String ID:
                                                                                  • API String ID: 1304948518-0
                                                                                  • Opcode ID: 8b5016e8ba3899e813959a0ecbf0248578d9bf49acc4a35a36ebf6fd2931839e
                                                                                  • Instruction ID: 7a0f7e3219a3c0ec6d8bcdb616d38d9fcb8d6a47f34cb8b93a99e6741a8615fd
                                                                                  • Opcode Fuzzy Hash: 8b5016e8ba3899e813959a0ecbf0248578d9bf49acc4a35a36ebf6fd2931839e
                                                                                  • Instruction Fuzzy Hash: B32190B15083809FD751CB25DD45B52BFF8EF16314F0D84AAE885DF262D2249909CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00E2A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 337 e2a392-e2a3cf 339 e2a3d1 337->339 340 e2a3d4-e2a3dd 337->340 339->340 341 e2a3e2-e2a3e8 340->341 342 e2a3df 340->342 343 e2a3ea 341->343 344 e2a3ed-e2a404 341->344 342->341 343->344 346 e2a406-e2a419 RegQueryValueExW 344->346 347 e2a43b-e2a440 344->347 348 e2a442-e2a447 346->348 349 e2a41b-e2a438 346->349 347->346 348->349
                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,4271185A,00000000,00000000,00000000,00000000), ref: 00E2A40C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2119699353.0000000000E2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e2a000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: c33cbbae3a8a3c576e08f3dc2c401f9140679037fc75a61c52ffd54786f81580
                                                                                  • Instruction ID: c58c251f32dc572e128f20bd78e6135cfa49c3c1d0b741815e54fdb5134cff4f
                                                                                  • Opcode Fuzzy Hash: c33cbbae3a8a3c576e08f3dc2c401f9140679037fc75a61c52ffd54786f81580
                                                                                  • Instruction Fuzzy Hash: 3121AFB5600704AFE720DF15DC84FA6F7ECEF04724F18846AE946DB652D7A4E809CA72
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00E2A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 353 e2a486-e2a4c3 355 e2a4c5 353->355 356 e2a4c8-e2a4d4 353->356 355->356 357 e2a4d6 356->357 358 e2a4d9-e2a4f0 356->358 357->358 360 e2a4f2-e2a505 RegSetValueExW 358->360 361 e2a527-e2a52c 358->361 362 e2a507-e2a524 360->362 363 e2a52e-e2a533 360->363 361->360 363->362
                                                                                  APIs
                                                                                  • RegSetValueExW.KERNELBASE(?,00000E24,4271185A,00000000,00000000,00000000,00000000), ref: 00E2A4F8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2119699353.0000000000E2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e2a000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value
                                                                                  • String ID:
                                                                                  • API String ID: 3702945584-0
                                                                                  • Opcode ID: 94005f0c7b886f2e02b2e1d4f9712626bee84f63237665ae1b22c702aaaef0ce
                                                                                  • Instruction ID: d33da12dad9bb5f592d9c1d9daad4470255678fbf74deeb2b44d58dba75ad7d3
                                                                                  • Opcode Fuzzy Hash: 94005f0c7b886f2e02b2e1d4f9712626bee84f63237665ae1b22c702aaaef0ce
                                                                                  • Instruction Fuzzy Hash: 6611D675600600AFE7208F11DC45FA7FBECEF04714F18846AED459BB52D360E808CA72
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00E2A2D2 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 367 e2a2d2-e2a2d4 368 e2a2d6-e2a2dd 367->368 369 e2a2de-e2a328 367->369 368->369 371 e2a353-e2a358 369->371 372 e2a32a-e2a33d SetErrorMode 369->372 371->372 373 e2a35a-e2a35f 372->373 374 e2a33f-e2a352 372->374 373->374
                                                                                  APIs
                                                                                  • SetErrorMode.KERNELBASE(?), ref: 00E2A330
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2119699353.0000000000E2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e2a000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorMode
                                                                                  • String ID:
                                                                                  • API String ID: 2340568224-0
                                                                                  • Opcode ID: f1631fc9a6a37db0688a6f1c57729ecd1fded1e23d157376eb3ae401575bf831
                                                                                  • Instruction ID: bb377094f4d9ecb37db5939fdd7152a89cb0c67875d5f5afd0424d2abd69cc24
                                                                                  • Opcode Fuzzy Hash: f1631fc9a6a37db0688a6f1c57729ecd1fded1e23d157376eb3ae401575bf831
                                                                                  • Instruction Fuzzy Hash: 23212C7540D3C09FD7138B259C55A56BFB49F47224F0D80DBDD858F2A3C2696808DB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00E2AC24 Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 377 e2ac24-e2ac6a 379 e2ac6f-e2ac78 377->379 380 e2ac6c 377->380 381 e2ac7a-e2ac9a ShellExecuteExW 379->381 382 e2acb9-e2acbe 379->382 380->379 385 e2acc0-e2acc5 381->385 386 e2ac9c-e2acb8 381->386 382->381 385->386
                                                                                  APIs
                                                                                  • ShellExecuteExW.SHELL32(?), ref: 00E2AC80
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2119699353.0000000000E2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e2a000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExecuteShell
                                                                                  • String ID:
                                                                                  • API String ID: 587946157-0
                                                                                  • Opcode ID: 7e3f1adfc30885bf856f66d7bd4fee98ccd22312f9407c9138750e04fca1e4ec
                                                                                  • Instruction ID: 3774a899aa0ae121d07937555a328835f04f9a072f79a2824c7f586648739d29
                                                                                  • Opcode Fuzzy Hash: 7e3f1adfc30885bf856f66d7bd4fee98ccd22312f9407c9138750e04fca1e4ec
                                                                                  • Instruction Fuzzy Hash: DF1190715093809FD712CB25DC95B52FFB8DF46220F0984EBED49CF252D265A808CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00E2A8A4 Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 388 e2a8a4-e2a8ed 390 e2a8f2-e2a8fb 388->390 391 e2a8ef 388->391 392 e2a93c-e2a941 390->392 393 e2a8fd-e2a91d SetFileAttributesW 390->393 391->390 392->393 396 e2a943-e2a948 393->396 397 e2a91f-e2a93b 393->397 396->397
                                                                                  APIs
                                                                                  • SetFileAttributesW.KERNELBASE(?,?), ref: 00E2A903
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2119699353.0000000000E2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e2a000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID: AttributesFile
                                                                                  • String ID:
                                                                                  • API String ID: 3188754299-0
                                                                                  • Opcode ID: 7960e2e8453c189cbd9a958b3046ace24a1cd2456827fc59cd662e4c17efb061
                                                                                  • Instruction ID: 81bf0a7deea73e4bcad41c4d627acc541d19fc94d45f8cbe6b6003b070942edd
                                                                                  • Opcode Fuzzy Hash: 7960e2e8453c189cbd9a958b3046ace24a1cd2456827fc59cd662e4c17efb061
                                                                                  • Instruction Fuzzy Hash: 3C1190715083809FDB11CF25DC85B56BFE8EF46220F0984AEED85DF262D224A849CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00E2AA3E Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 399 e2aa3e-e2aa65 400 e2aa67 399->400 401 e2aa6a-e2aa70 399->401 400->401 402 e2aa72 401->402 403 e2aa75-e2aa7e 401->403 402->403 404 e2aa80-e2aa88 CopyFileW 403->404 405 e2aac1-e2aac6 403->405 406 e2aa8e-e2aaa0 404->406 405->404 408 e2aaa2-e2aabe 406->408 409 e2aac8-e2aacd 406->409 409->408
                                                                                  APIs
                                                                                  • CopyFileW.KERNELBASE(?,?,?), ref: 00E2AA86
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2119699353.0000000000E2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e2a000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID: CopyFile
                                                                                  • String ID:
                                                                                  • API String ID: 1304948518-0
                                                                                  • Opcode ID: 51236a8c49a81fbc02604da1ca6bf070cf796abb808b6c78ebfbcf28e6784da5
                                                                                  • Instruction ID: 2f2b4749493d46a41e74546e216c3d704196746bfd5afb2df9dec3bb633ef187
                                                                                  • Opcode Fuzzy Hash: 51236a8c49a81fbc02604da1ca6bf070cf796abb808b6c78ebfbcf28e6784da5
                                                                                  • Instruction Fuzzy Hash: 08118EB16002409FEB50CF25E985B66FBE8EF14324F0C84BADD49DB752D234E808CA62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00E2A8C6 Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 411 e2a8c6-e2a8ed 412 e2a8f2-e2a8fb 411->412 413 e2a8ef 411->413 414 e2a93c-e2a941 412->414 415 e2a8fd-e2a905 SetFileAttributesW 412->415 413->412 414->415 416 e2a90b-e2a91d 415->416 418 e2a943-e2a948 416->418 419 e2a91f-e2a93b 416->419 418->419
                                                                                  APIs
                                                                                  • SetFileAttributesW.KERNELBASE(?,?), ref: 00E2A903
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2119699353.0000000000E2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e2a000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID: AttributesFile
                                                                                  • String ID:
                                                                                  • API String ID: 3188754299-0
                                                                                  • Opcode ID: aee0093f61ab5ddba8e61c09bb70540196aa47291f7dce61b0f7db27702aebb7
                                                                                  • Instruction ID: 497245d022b9056b5f2fa771ecd206771a45148158772920b8aba027ff129ee7
                                                                                  • Opcode Fuzzy Hash: aee0093f61ab5ddba8e61c09bb70540196aa47291f7dce61b0f7db27702aebb7
                                                                                  • Instruction Fuzzy Hash: D40180715002409FDB50CF26E885766FBE8EF44324F0C84AADD49DF752E675D849CA62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00E2AC46 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • ShellExecuteExW.SHELL32(?), ref: 00E2AC80
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2119699353.0000000000E2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e2a000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExecuteShell
                                                                                  • String ID:
                                                                                  • API String ID: 587946157-0
                                                                                  • Opcode ID: b8034b251f6b8c08a8f08bacec996a89f2bce44a27105045af10c2191ae932f5
                                                                                  • Instruction ID: 233b383bd44809592190ad844217a550e6ed1e881b71f74b22a5120fc12b3011
                                                                                  • Opcode Fuzzy Hash: b8034b251f6b8c08a8f08bacec996a89f2bce44a27105045af10c2191ae932f5
                                                                                  • Instruction Fuzzy Hash: 2B016D715042409FDB50CF15E9867A6FBE8EF04324F08C4AADD499F652D275E8088A62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00E2A2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • SetErrorMode.KERNELBASE(?), ref: 00E2A330
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2119699353.0000000000E2A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e2a000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorMode
                                                                                  • String ID:
                                                                                  • API String ID: 2340568224-0
                                                                                  • Opcode ID: 37619cf7b1bb4e6829691f4e6e5d3517318965862906fdddcaca1817427973bc
                                                                                  • Instruction ID: b2d7b5974261b405e56742428778e0564acc4a71351b1664d3a045419f61c883
                                                                                  • Opcode Fuzzy Hash: 37619cf7b1bb4e6829691f4e6e5d3517318965862906fdddcaca1817427973bc
                                                                                  • Instruction Fuzzy Hash: 9EF08C75904240DFEB10CF09E885769FBA4EF04724F0CC0AADD495F752D379A808CAA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0501088A Relevance: 1.3, Strings: 1, Instructions: 38COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2120172149.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5010000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: j
                                                                                  • API String ID: 0-1273469241
                                                                                  • Opcode ID: a463829b485b89673d9afcf4a90396badbd6c5c03b1efde816badf458a39a4dc
                                                                                  • Instruction ID: d5077daeac608f94533b5fdcb254ee58a29969d505211ba9bc3b696a198ab569
                                                                                  • Opcode Fuzzy Hash: a463829b485b89673d9afcf4a90396badbd6c5c03b1efde816badf458a39a4dc
                                                                                  • Instruction Fuzzy Hash: CB015E30604246AFC704BB75E46D59DBFF1EFC4308F05C82CE6959B3A5DA359809EB42
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 05010080 Relevance: .1, Instructions: 129COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2120172149.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5010000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1da785409eacde5e866f99c7f1b86498f4d32c0af4797316bb9979c19c11a0aa
                                                                                  • Instruction ID: 65305bbbf7de3958268eab317edebc9bb92d388a80a4e1fd7dce2430cf7b87a6
                                                                                  • Opcode Fuzzy Hash: 1da785409eacde5e866f99c7f1b86498f4d32c0af4797316bb9979c19c11a0aa
                                                                                  • Instruction Fuzzy Hash: 51510E3021128A9FD704FB75F4A498A77F2BF9420C7428929D1148B7BEDB34994ACFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 05010007 Relevance: .0, Instructions: 45COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2120172149.0000000005010000.00000040.00000800.00020000.00000000.sdmp, Offset: 05010000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5010000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: eb2075c6999b1624d1d30a577b50b1c6066ca844e5ec4badcfb05275997007bd
                                                                                  • Instruction ID: 6c41685aa2d268c373c7b1927488b750f14fec5afc55dcad9e2f863051815b58
                                                                                  • Opcode Fuzzy Hash: eb2075c6999b1624d1d30a577b50b1c6066ca844e5ec4badcfb05275997007bd
                                                                                  • Instruction Fuzzy Hash: A801406140E3C48FC7838775A8682943FB1AB07220B0A41EBC0C1CB0B3E66C498ACB26
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 013105E0 Relevance: .0, Instructions: 43COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2120034546.0000000001310000.00000040.00000020.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1310000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 848471519419f6797f06f1798bc7b2fa46257a0b6a7fdbf487dec53ed3b68490
                                                                                  • Instruction ID: adcb5bcd08a36bce71a41946427f0aee37f20bee167e0d4686d3028a012b95d0
                                                                                  • Opcode Fuzzy Hash: 848471519419f6797f06f1798bc7b2fa46257a0b6a7fdbf487dec53ed3b68490
                                                                                  • Instruction Fuzzy Hash: 6001D67550D3C06FD7128B15AC51862FFB8EF86230709C4EFE8498BA53C225A808CB72
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01310606 Relevance: .0, Instructions: 27COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2120034546.0000000001310000.00000040.00000020.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1310000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 62d30699928489b017ad6726de6b5a29132129e2a88435a8d012c99d2aaed644
                                                                                  • Instruction ID: 06148e00dcb6fd1fea6b7daa9a02e972d6512cb165dcbe5c8144a5ddffef56ba
                                                                                  • Opcode Fuzzy Hash: 62d30699928489b017ad6726de6b5a29132129e2a88435a8d012c99d2aaed644
                                                                                  • Instruction Fuzzy Hash: B4E092B66046404B9750CF0AEC82462F7E8EB88630718C07FDC0D8BB01D239B508CAA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00E223F4 Relevance: .0, Instructions: 15COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2119688435.0000000000E22000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E22000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e22000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 631c468a1f0a005322aed76386eaec12b5b2f269a4efbf209ae111fcee7ecbf9
                                                                                  • Instruction ID: 87f70e71c6bd3c89a632cfd4455196a2178feee9bcf35f76501d16aaf9c8066a
                                                                                  • Opcode Fuzzy Hash: 631c468a1f0a005322aed76386eaec12b5b2f269a4efbf209ae111fcee7ecbf9
                                                                                  • Instruction Fuzzy Hash: ADD05E792056D15FD316AA1CD1A4B9637E4AB51718F4A44FEAC00CB7A3C76CD981E610
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00E223BC Relevance: .0, Instructions: 14COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2119688435.0000000000E22000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E22000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e22000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a63decdca83d8c6ecf08f6ef9119ed4a20af9a856b6fb490f78ed4b5a555b841
                                                                                  • Instruction ID: d6c295d56727558c25835ed88eb9695b3f547e442e217a4273f16c29f77da84e
                                                                                  • Opcode Fuzzy Hash: a63decdca83d8c6ecf08f6ef9119ed4a20af9a856b6fb490f78ed4b5a555b841
                                                                                  • Instruction Fuzzy Hash: 50D05E342002824BC719DA0CD6E4F5937E4AF40718F1644ECAC108B762C7A8D8C0DA00
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Non-executed Functions

                                                                                  Function 0131000C Relevance: .0, Instructions: 37COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2120034546.0000000001310000.00000040.00000020.00020000.00000000.sdmp, Offset: 01310000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1310000_zyx3qItgQK.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b710b86b2176545976f33a66418e1f1feed267ed17a62c450823159ef7ca25b7
                                                                                  • Instruction ID: 10bbc95a9ce591c7665b890cdcc2dd20de48a29356ac30104f44f94ec17055bf
                                                                                  • Opcode Fuzzy Hash: b710b86b2176545976f33a66418e1f1feed267ed17a62c450823159ef7ca25b7
                                                                                  • Instruction Fuzzy Hash: 6FF0436140F3D09FC3475B3049666A13FB19E1721931E44EBE481CF0B3E55E5D8ADBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Execution Graph

                                                                                  Execution Coverage:20.2%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:5.4%
                                                                                  Total number of Nodes:260
                                                                                  Total number of Limit Nodes:11
                                                                                  execution_graph 6997 10605c5 6998 10605e4 6997->6998 6999 106065e 6998->6999 7000 1062bb0 2 API calls 6998->7000 7000->6999 6900 a8b4ae 6901 a8b4da FindClose 6900->6901 6903 a8b50c 6900->6903 6902 a8b4ef 6901->6902 6903->6901 6904 a8aaae 6905 a8aada OleInitialize 6904->6905 6906 a8ab10 6904->6906 6907 a8aae8 6905->6907 6906->6905 6908 a8bda2 6910 a8bdd1 AdjustTokenPrivileges 6908->6910 6911 a8bdf3 6910->6911 6912 a8bc22 6915 a8bc4b LookupPrivilegeValueW 6912->6915 6914 a8bc72 6915->6914 7001 4c90282 7002 4c902ae K32EnumProcesses 7001->7002 7004 4c902ca 7002->7004 7005 4c91682 7007 4c916b7 shutdown 7005->7007 7008 4c916e0 7007->7008 7009 4c90e02 7010 4c90e3a WSASocketW 7009->7010 7012 4c90e76 7010->7012 6920 4c92e46 6921 4c92e6f select 6920->6921 6923 4c92ea4 6921->6923 6924 4c90346 6925 4c9037b NtQuerySystemInformation 6924->6925 6926 4c903a6 6924->6926 6927 4c90390 6925->6927 6926->6925 7013 4c93206 7015 4c9323b SetProcessWorkingSetSize 7013->7015 7016 4c93267 7015->7016 7017 4c92b9a 7018 4c92bd2 RegCreateKeyExW 7017->7018 7020 4c92c44 7018->7020 7021 a8a2fe 7022 a8a32a SetErrorMode 7021->7022 7023 a8a353 7021->7023 7024 a8a33f 7022->7024 7023->7022 7025 10615d0 7026 106121a 7025->7026 7031 10616a7 7026->7031 7046 1061689 7026->7046 7061 1061618 7026->7061 7076 10616ba 7026->7076 7032 10616ae 7031->7032 7091 1060310 7032->7091 7034 1061775 7035 1060310 2 API calls 7034->7035 7036 10617de 7035->7036 7037 1061804 7036->7037 7095 1062577 7036->7095 7099 10626cd 7036->7099 7103 10623e0 7036->7103 7109 10627e8 7036->7109 7113 10625eb 7036->7113 7117 10624e5 7036->7117 7121 1062535 7036->7121 7125 1061f47 7036->7125 7047 1061690 7046->7047 7048 1060310 2 API calls 7047->7048 7049 1061775 7048->7049 7050 1060310 2 API calls 7049->7050 7051 10617de 7050->7051 7052 1061804 7051->7052 7053 1062577 2 API calls 7051->7053 7054 1061f47 4 API calls 7051->7054 7055 1062535 2 API calls 7051->7055 7056 10624e5 2 API calls 7051->7056 7057 10623e0 4 API calls 7051->7057 7058 10626cd 2 API calls 7051->7058 7059 10625eb 2 API calls 7051->7059 7060 10627e8 2 API calls 7051->7060 7053->7052 7054->7052 7055->7052 7056->7052 7057->7052 7058->7052 7059->7052 7060->7052 7062 1061653 7061->7062 7063 1060310 2 API calls 7062->7063 7064 1061775 7063->7064 7065 1060310 2 API calls 7064->7065 7066 10617de 7065->7066 7067 1061804 7066->7067 7068 1062577 2 API calls 7066->7068 7069 1061f47 4 API calls 7066->7069 7070 1062535 2 API calls 7066->7070 7071 10624e5 2 API calls 7066->7071 7072 10623e0 4 API calls 7066->7072 7073 10626cd 2 API calls 7066->7073 7074 10625eb 2 API calls 7066->7074 7075 10627e8 2 API calls 7066->7075 7068->7067 7069->7067 7070->7067 7071->7067 7072->7067 7073->7067 7074->7067 7075->7067 7077 10616c1 7076->7077 7078 1060310 2 API calls 7077->7078 7079 1061775 7078->7079 7080 1060310 2 API calls 7079->7080 7081 10617de 7080->7081 7082 1061804 7081->7082 7083 1062577 2 API calls 7081->7083 7084 1061f47 4 API calls 7081->7084 7085 1062535 2 API calls 7081->7085 7086 10624e5 2 API calls 7081->7086 7087 10623e0 4 API calls 7081->7087 7088 10626cd 2 API calls 7081->7088 7089 10625eb 2 API calls 7081->7089 7090 10627e8 2 API calls 7081->7090 7083->7082 7084->7082 7085->7082 7086->7082 7087->7082 7088->7082 7089->7082 7090->7082 7092 1060322 7091->7092 7093 1060348 7092->7093 7094 1061eb8 2 API calls 7092->7094 7093->7034 7094->7093 7096 106257e 7095->7096 7098 1062bb0 2 API calls 7096->7098 7097 10628af 7097->7037 7098->7097 7100 10626d4 7099->7100 7102 1062bb0 2 API calls 7100->7102 7101 10628af 7101->7037 7102->7101 7104 106240b 7103->7104 7105 1062453 7104->7105 7134 10629f9 7104->7134 7108 1062bb0 2 API calls 7105->7108 7106 10628af 7106->7037 7108->7106 7110 10627ef 7109->7110 7112 1062bb0 2 API calls 7110->7112 7111 10628af 7111->7037 7112->7111 7114 10625f2 7113->7114 7116 1062bb0 2 API calls 7114->7116 7115 10628af 7115->7037 7116->7115 7118 10624ec 7117->7118 7120 1062bb0 2 API calls 7118->7120 7119 10628af 7119->7037 7120->7119 7122 106253c 7121->7122 7124 1062bb0 2 API calls 7122->7124 7123 10628af 7123->7037 7124->7123 7127 1061f4d 7125->7127 7126 10623c3 7128 1062453 7126->7128 7130 10629f9 2 API calls 7126->7130 7127->7126 7132 a8b51a GetLogicalDrives 7127->7132 7133 a8b572 GetLogicalDrives 7127->7133 7131 1062bb0 2 API calls 7128->7131 7129 10628af 7129->7037 7130->7128 7131->7129 7132->7127 7133->7127 7135 1062a2d 7134->7135 7139 4c91c1a 7135->7139 7142 4c91baa 7135->7142 7136 1062a68 7136->7105 7140 4c91c6a GetVolumeInformationA 7139->7140 7141 4c91c72 7140->7141 7141->7136 7143 4c91c1a GetVolumeInformationA 7142->7143 7145 4c91c72 7143->7145 7145->7136 6928 4c913de 6930 4c91416 MapViewOfFile 6928->6930 6931 4c91465 6930->6931 7146 4c91b1e 7149 4c91b53 WSAConnect 7146->7149 7148 4c91b72 7149->7148 7150 a8b0f2 7152 a8b127 ReadFile 7150->7152 7153 a8b159 7152->7153 7158 a8ad72 7160 a8ada7 GetFileType 7158->7160 7161 a8add4 7160->7161 6932 4c91852 6933 4c91887 GetProcessTimes 6932->6933 6935 4c918b9 6933->6935 6936 4c92d6a 6937 4c92d9f ioctlsocket 6936->6937 6939 4c92dcb 6937->6939 7162 a8a74e 7163 a8a7b9 7162->7163 7164 a8a77a FindCloseChangeNotification 7162->7164 7163->7164 7165 a8a788 7164->7165 6940 4c903ee 6941 4c9042c DuplicateHandle 6940->6941 6942 4c90464 6940->6942 6943 4c9043a 6941->6943 6942->6941 7166 4c9122e 7167 4c91266 ConvertStringSecurityDescriptorToSecurityDescriptorW 7166->7167 7169 4c912a7 7167->7169 7170 4c93122 7172 4c93157 GetProcessWorkingSetSize 7170->7172 7173 4c93183 7172->7173 6944 a8a486 6947 a8a4bb RegSetValueExW 6944->6947 6946 a8a507 6947->6946 6948 a8aa06 6949 a8aa6b 6948->6949 6950 a8aa35 WaitForInputIdle 6948->6950 6949->6950 6951 a8aa43 6950->6951 7174 a8a646 7175 a8a67e CreateMutexW 7174->7175 7177 a8a6c1 7175->7177 7178 4c91ea6 7179 4c91ee1 LoadLibraryA 7178->7179 7181 4c91f1e 7179->7181 6955 1060634 6956 106063b 6955->6956 6957 106065e 6956->6957 6959 1062bb0 6956->6959 6960 1062bb5 6959->6960 6964 a8b51a 6960->6964 6968 a8b572 6960->6968 6961 1062bdf 6961->6957 6965 a8b572 GetLogicalDrives 6964->6965 6967 a8b5a9 6965->6967 6967->6961 6969 a8b59b GetLogicalDrives 6968->6969 6970 a8b5d1 6968->6970 6971 a8b5a9 6969->6971 6970->6969 6971->6961 6972 a8a09a 6973 a8a0cf send 6972->6973 6974 a8a107 6972->6974 6975 a8a0dd 6973->6975 6974->6973 7182 a8ac5a 7183 a8ac92 CreateFileW 7182->7183 7185 a8ace1 7183->7185 7186 1061bf0 7187 1061c1d 7186->7187 7188 1061d3d 7187->7188 7190 1062e49 7187->7190 7191 1062e88 7190->7191 7192 1062edf 7191->7192 7195 1063108 7191->7195 7200 1063118 7191->7200 7192->7187 7196 1063143 7195->7196 7197 1063187 7196->7197 7198 a8b51a GetLogicalDrives 7196->7198 7199 a8b572 GetLogicalDrives 7196->7199 7197->7192 7198->7197 7199->7197 7201 1063143 7200->7201 7202 1063187 7201->7202 7203 a8b51a GetLogicalDrives 7201->7203 7204 a8b572 GetLogicalDrives 7201->7204 7202->7192 7203->7202 7204->7202 7205 4c9193e 7207 4c91979 getaddrinfo 7205->7207 7208 4c919eb 7207->7208 6976 a8a392 6977 a8a3c7 RegQueryValueExW 6976->6977 6979 a8a41b 6977->6979 7209 a8ab52 7210 a8ab8a RegOpenKeyExW 7209->7210 7212 a8abe0 7210->7212 7213 a8b352 7215 a8b37b CopyFileW 7213->7215 7216 a8b3a2 7215->7216 6980 10603bd 6982 10603c4 6980->6982 6981 10605bf 6982->6981 6984 1061eb8 6982->6984 6985 1061eec 6984->6985 6986 1061f09 6985->6986 6989 4c900ec 6985->6989 6993 4c9010e 6985->6993 6986->6981 6992 4c9010e NtSetInformationProcess 6989->6992 6991 4c90158 6991->6986 6992->6991 6994 4c90143 NtSetInformationProcess 6993->6994 6996 4c9016e 6993->6996 6995 4c90158 6994->6995 6995->6986 6996->6994 7217 4c90032 7218 4c90067 GetExitCodeProcess 7217->7218 7220 4c90090 7218->7220 7221 a8b1d6 7223 a8b1ff SetFileAttributesW 7221->7223 7224 a8b21b 7223->7224

                                                                                  Executed Functions

                                                                                  Function 00A8BD6B Relevance: 1.6, APIs: 1, Instructions: 75COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00A8BDEB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: AdjustPrivilegesToken
                                                                                  • String ID:
                                                                                  • API String ID: 2874748243-0
                                                                                  • Opcode ID: ae9c400cbdce49a58772beac15d4f1a505c9358e15f95e6f3c7ce01c87b993f2
                                                                                  • Instruction ID: 589a82124c61e2a0dbbcfe34b532a79d818ff792c222e02e72128c254eaff464
                                                                                  • Opcode Fuzzy Hash: ae9c400cbdce49a58772beac15d4f1a505c9358e15f95e6f3c7ce01c87b993f2
                                                                                  • Instruction Fuzzy Hash: C1219C75509780AFDB228F25DC44B92BFB8EF16310F0985DAE9858F163D371A908DB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C9030B Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • NtQuerySystemInformation.NTDLL ref: 04C90381
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: InformationQuerySystem
                                                                                  • String ID:
                                                                                  • API String ID: 3562636166-0
                                                                                  • Opcode ID: 7f7b91c815f4ebe36422f6469e7841dc45928196902c69fabbe75fde50f4b46d
                                                                                  • Instruction ID: fdb884505328eb7e180f0b2559b4b5217a0f0d4c119dc07407a9f293bbb3163f
                                                                                  • Opcode Fuzzy Hash: 7f7b91c815f4ebe36422f6469e7841dc45928196902c69fabbe75fde50f4b46d
                                                                                  • Instruction Fuzzy Hash: 9721ACB54097C0AFDB238F21DC45A52FFB4EF16314F0980DBE9848B1A3D265A909CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8BDA2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00A8BDEB
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: AdjustPrivilegesToken
                                                                                  • String ID:
                                                                                  • API String ID: 2874748243-0
                                                                                  • Opcode ID: 5b3288eb6359d6daaf9c98314b54ff0cccf5af43f721ea4d0e93bc52c784d426
                                                                                  • Instruction ID: b3cce7489d83a0871e0bfef8bef0b8580084ac508ab1af9ee79308e182d67e47
                                                                                  • Opcode Fuzzy Hash: 5b3288eb6359d6daaf9c98314b54ff0cccf5af43f721ea4d0e93bc52c784d426
                                                                                  • Instruction Fuzzy Hash: 30115E755002009FDB209F55D984BA6FBE8EF04320F08C5AAEE858B662D371E418DB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C900EC Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • NtSetInformationProcess.NTDLL ref: 04C90149
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: InformationProcess
                                                                                  • String ID:
                                                                                  • API String ID: 1801817001-0
                                                                                  • Opcode ID: 14007736c8d0f5ceb869e88d93e9d77fbee30ad731c7a0d9a1cc8f38a2e669a5
                                                                                  • Instruction ID: b72a9b4ff022946fcde2b8fb1669dfdc2d46a226a0ca6d68324a9fc6402550cd
                                                                                  • Opcode Fuzzy Hash: 14007736c8d0f5ceb869e88d93e9d77fbee30ad731c7a0d9a1cc8f38a2e669a5
                                                                                  • Instruction Fuzzy Hash: C111CE75409380AFDB228F11DC45E62FFF4EF06220F09C49EEE844B662C275A918CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C90346 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • NtQuerySystemInformation.NTDLL ref: 04C90381
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: InformationQuerySystem
                                                                                  • String ID:
                                                                                  • API String ID: 3562636166-0
                                                                                  • Opcode ID: 17d94fb67b14673f5aa19ac4e635343948652042f9890e9b1f8bca1d54410c05
                                                                                  • Instruction ID: 9557d1f8dd5c74b480dec49e8a05d1ef5a981ec59ba83273238a413a03137547
                                                                                  • Opcode Fuzzy Hash: 17d94fb67b14673f5aa19ac4e635343948652042f9890e9b1f8bca1d54410c05
                                                                                  • Instruction Fuzzy Hash: 4D018F75500640EFDB208F06D989B66FBE5FF04720F08C09ADD890B661D375E919DB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C9010E Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • NtSetInformationProcess.NTDLL ref: 04C90149
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: InformationProcess
                                                                                  • String ID:
                                                                                  • API String ID: 1801817001-0
                                                                                  • Opcode ID: 17d94fb67b14673f5aa19ac4e635343948652042f9890e9b1f8bca1d54410c05
                                                                                  • Instruction ID: 73886e04ea6e11ac40070b6c6a3f52ced3fea853feeb700e9de451b9fc4eef7a
                                                                                  • Opcode Fuzzy Hash: 17d94fb67b14673f5aa19ac4e635343948652042f9890e9b1f8bca1d54410c05
                                                                                  • Instruction Fuzzy Hash: BF01DF75500200EFDB208F06D888B22FBE0FF04620F08C09ADD490B621D371E908DB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01060310 Relevance: 7.7, Strings: 6, Instructions: 187COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 0 1060310-1060334 2 1060336-1060338 0->2 3 106033e-1060346 0->3 2->3 4 106034e-1060391 3->4 5 1060348-106034d 3->5 8 1060393-10603ce 4->8 9 10603d8-1060418 4->9 8->9 16 106041f 9->16 17 106041a 9->17 58 106041f call 1070606 16->58 59 106041f call 1060f05 16->59 60 106041f call 1060e55 16->60 61 106041f call 1060c22 16->61 62 106041f call 1060b03 16->62 63 106041f call 1060d40 16->63 64 106041f call 10705df 16->64 65 106041f call 1060c8d 16->65 66 106041f call 1060958 16->66 67 106041f call 1060d98 16->67 68 106041f call 1060ba8 16->68 17->16 18 1060425-1060434 19 1060436-1060460 18->19 20 106046b-1060523 18->20 19->20 39 1060525-1060531 20->39 40 1060570-1060587 20->40 53 1060533 call 1070606 39->53 54 1060533 call 10705df 39->54 41 1060880 40->41 42 106058d-10605b4 40->42 55 10605b9 call 1070606 42->55 56 10605b9 call 10705df 42->56 57 10605b9 call 1061eb8 42->57 45 1060539-1060569 45->40 50 10605bf 50->41 53->45 54->45 55->50 56->50 57->50 58->18 59->18 60->18 61->18 62->18 63->18 64->18 65->18 66->18 67->18 68->18
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: [$l^$-[$l^$2Ll$2Ll$2Ll$=[$l^
                                                                                  • API String ID: 0-1787646139
                                                                                  • Opcode ID: 6123d8ae78a2787df103350d8849ef2aeceb0155cbb47708b8f63ec147b7db55
                                                                                  • Instruction ID: b7687d450cbe44bb47ab9c68199763319806a73726488f882280a85621e5b000
                                                                                  • Opcode Fuzzy Hash: 6123d8ae78a2787df103350d8849ef2aeceb0155cbb47708b8f63ec147b7db55
                                                                                  • Instruction Fuzzy Hash: 3C51E4307042018FD715EB798511BBEB7EAAF86208B054479E041DB7EADF39CD06CBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 010603BD Relevance: 7.6, Strings: 6, Instructions: 135COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 69 10603bd-1060418 77 106041f 69->77 78 106041a 69->78 114 106041f call 1070606 77->114 115 106041f call 1060f05 77->115 116 106041f call 1060e55 77->116 117 106041f call 1060c22 77->117 118 106041f call 1060b03 77->118 119 106041f call 1060d40 77->119 120 106041f call 10705df 77->120 121 106041f call 1060c8d 77->121 122 106041f call 1060958 77->122 123 106041f call 1060d98 77->123 124 106041f call 1060ba8 77->124 78->77 79 1060425-1060434 80 1060436-1060460 79->80 81 106046b-1060523 79->81 80->81 100 1060525-1060531 81->100 101 1060570-1060587 81->101 125 1060533 call 1070606 100->125 126 1060533 call 10705df 100->126 102 1060880 101->102 103 106058d-10605b4 101->103 127 10605b9 call 1070606 103->127 128 10605b9 call 10705df 103->128 129 10605b9 call 1061eb8 103->129 106 1060539-1060569 106->101 111 10605bf 111->102 114->79 115->79 116->79 117->79 118->79 119->79 120->79 121->79 122->79 123->79 124->79 125->106 126->106 127->111 128->111 129->111
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: [$l^$-[$l^$2Ll$2Ll$2Ll$=[$l^
                                                                                  • API String ID: 0-1787646139
                                                                                  • Opcode ID: 3da1841c83e7fe938d3edff0f9912affab49eaf681c356dcb4ba0d8ed7b90da9
                                                                                  • Instruction ID: 16599a7015399fc695be2b38c1d9a6a319fca2057014a6efdd9bbd68bc2686a1
                                                                                  • Opcode Fuzzy Hash: 3da1841c83e7fe938d3edff0f9912affab49eaf681c356dcb4ba0d8ed7b90da9
                                                                                  • Instruction Fuzzy Hash: D741C430B001114B9B18EB7D8511BBDB6DB6FC6208708407DE042DBBE9DF69CD0A97E6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01061618 Relevance: 4.1, Strings: 3, Instructions: 335COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 130 1061618-1061670 133 1061672-1061678 130->133 134 106169a-10617f7 call 1060310 * 2 130->134 135 106167f-1061687 133->135 240 10617fe call 1070606 134->240 241 10617fe call 1062577 134->241 242 10617fe call 1061f47 134->242 243 10617fe call 1062535 134->243 244 10617fe call 10624e5 134->244 245 10617fe call 10623e0 134->245 246 10617fe call 10705df 134->246 247 10617fe call 10626cd 134->247 248 10617fe call 10625eb 134->248 249 10617fe call 10627e8 134->249 135->134 164 1061804-1061812 call 1062c59 251 1061818 call 1061d70 164->251 252 1061818 call 1061d61 164->252 166 106181e-1061836 169 106185b-1061899 166->169 170 1061838-1061859 166->170 175 106189c-1061974 169->175 170->175 192 1061976-106197b 175->192 193 106197d 175->193 194 1061982-10619aa 192->194 193->194 197 10619b3 194->197 198 10619ac-10619b1 194->198 199 10619b8-10619e0 197->199 198->199 202 10619e2-10619e7 199->202 203 10619e9 199->203 204 10619ee-1061a16 202->204 203->204 207 1061a1f 204->207 208 1061a18-1061a1d 204->208 209 1061a24-1061a4c 207->209 208->209 212 1061a55 209->212 213 1061a4e-1061a53 209->213 214 1061a5a-1061a82 212->214 213->214 217 1061a84-1061a89 214->217 218 1061a8b 214->218 219 1061a90-1061ab8 217->219 218->219 222 1061ac1 219->222 223 1061aba-1061abf 219->223 224 1061ac6-1061aee 222->224 223->224 227 1061af7 224->227 228 1061af0-1061af5 224->228 229 1061afc-1061b34 call 1062c59 227->229 228->229 234 1061b3a-1061b84 229->234 238 1061b85 234->238 238->238 240->164 241->164 242->164 243->164 244->164 245->164 246->164 247->164 248->164 249->164 251->166 252->166
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: :@%l$:@%l$\OLl
                                                                                  • API String ID: 0-798552604
                                                                                  • Opcode ID: f37b7002abb6598cc65634cd260ff57ed4c2ac8e85d6ee5c66e2e8172414dda8
                                                                                  • Instruction ID: 3cded1a29aded963c5715acdb25c350837a2ee8c5c67f856eea83b50f5af3131
                                                                                  • Opcode Fuzzy Hash: f37b7002abb6598cc65634cd260ff57ed4c2ac8e85d6ee5c66e2e8172414dda8
                                                                                  • Instruction Fuzzy Hash: 22C170347000418BEB14AB79D5517BE77EBABC820CF11842AD4469BBE6CF798D06CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01061689 Relevance: 4.0, Strings: 3, Instructions: 280COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 253 1061689-10617f7 call 1060310 * 2 361 10617fe call 1070606 253->361 362 10617fe call 1062577 253->362 363 10617fe call 1061f47 253->363 364 10617fe call 1062535 253->364 365 10617fe call 10624e5 253->365 366 10617fe call 10623e0 253->366 367 10617fe call 10705df 253->367 368 10617fe call 10626cd 253->368 369 10617fe call 10625eb 253->369 370 10617fe call 10627e8 253->370 285 1061804-1061812 call 1062c59 372 1061818 call 1061d70 285->372 373 1061818 call 1061d61 285->373 287 106181e-1061836 290 106185b-1061899 287->290 291 1061838-1061859 287->291 296 106189c-1061974 290->296 291->296 313 1061976-106197b 296->313 314 106197d 296->314 315 1061982-10619aa 313->315 314->315 318 10619b3 315->318 319 10619ac-10619b1 315->319 320 10619b8-10619e0 318->320 319->320 323 10619e2-10619e7 320->323 324 10619e9 320->324 325 10619ee-1061a16 323->325 324->325 328 1061a1f 325->328 329 1061a18-1061a1d 325->329 330 1061a24-1061a4c 328->330 329->330 333 1061a55 330->333 334 1061a4e-1061a53 330->334 335 1061a5a-1061a82 333->335 334->335 338 1061a84-1061a89 335->338 339 1061a8b 335->339 340 1061a90-1061ab8 338->340 339->340 343 1061ac1 340->343 344 1061aba-1061abf 340->344 345 1061ac6-1061aee 343->345 344->345 348 1061af7 345->348 349 1061af0-1061af5 345->349 350 1061afc-1061b34 call 1062c59 348->350 349->350 355 1061b3a-1061b84 350->355 359 1061b85 355->359 359->359 361->285 362->285 363->285 364->285 365->285 366->285 367->285 368->285 369->285 370->285 372->287 373->287
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: :@%l$:@%l$\OLl
                                                                                  • API String ID: 0-798552604
                                                                                  • Opcode ID: 58197f9b645979ddba9cf8773767665789516af279407ef640d34534f38ed4ff
                                                                                  • Instruction ID: 5b4b172ba8aeaf2a5c8131387e592f7c72b105d0d206c402cfbac5589b7e0ff5
                                                                                  • Opcode Fuzzy Hash: 58197f9b645979ddba9cf8773767665789516af279407ef640d34534f38ed4ff
                                                                                  • Instruction Fuzzy Hash: 29A15E347001418BEB14BB78D5127BE76EBABC860CF11842AD4469BBE6CF798D06DB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 010616A7 Relevance: 4.0, Strings: 3, Instructions: 277COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 374 10616a7-10617f7 call 1060310 * 2 483 10617fe call 1070606 374->483 484 10617fe call 1062577 374->484 485 10617fe call 1061f47 374->485 486 10617fe call 1062535 374->486 487 10617fe call 10624e5 374->487 488 10617fe call 10623e0 374->488 489 10617fe call 10705df 374->489 490 10617fe call 10626cd 374->490 491 10617fe call 10625eb 374->491 492 10617fe call 10627e8 374->492 405 1061804-1061812 call 1062c59 480 1061818 call 1061d70 405->480 481 1061818 call 1061d61 405->481 407 106181e-1061836 410 106185b-1061899 407->410 411 1061838-1061859 407->411 416 106189c-1061974 410->416 411->416 433 1061976-106197b 416->433 434 106197d 416->434 435 1061982-10619aa 433->435 434->435 438 10619b3 435->438 439 10619ac-10619b1 435->439 440 10619b8-10619e0 438->440 439->440 443 10619e2-10619e7 440->443 444 10619e9 440->444 445 10619ee-1061a16 443->445 444->445 448 1061a1f 445->448 449 1061a18-1061a1d 445->449 450 1061a24-1061a4c 448->450 449->450 453 1061a55 450->453 454 1061a4e-1061a53 450->454 455 1061a5a-1061a82 453->455 454->455 458 1061a84-1061a89 455->458 459 1061a8b 455->459 460 1061a90-1061ab8 458->460 459->460 463 1061ac1 460->463 464 1061aba-1061abf 460->464 465 1061ac6-1061aee 463->465 464->465 468 1061af7 465->468 469 1061af0-1061af5 465->469 470 1061afc-1061b34 call 1062c59 468->470 469->470 475 1061b3a-1061b84 470->475 479 1061b85 475->479 479->479 480->407 481->407 483->405 484->405 485->405 486->405 487->405 488->405 489->405 490->405 491->405 492->405
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: :@%l$:@%l$\OLl
                                                                                  • API String ID: 0-798552604
                                                                                  • Opcode ID: 8275772624bf6233ca8f4a354fb731fd924618fb077314ce1053b8daa48417c6
                                                                                  • Instruction ID: 7e79f09025c8ea1e52acb7ff466cc8a08c729a2544013c1ed74910850cfe574e
                                                                                  • Opcode Fuzzy Hash: 8275772624bf6233ca8f4a354fb731fd924618fb077314ce1053b8daa48417c6
                                                                                  • Instruction Fuzzy Hash: FEA16F347001418BEB14BB78D5127BE76EBABC860CF11842AD4469BBE6CF798D06DB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 010616BA Relevance: 4.0, Strings: 3, Instructions: 276COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 494 10616ba-10617f7 call 1060310 * 2 600 10617fe call 1070606 494->600 601 10617fe call 1062577 494->601 602 10617fe call 1061f47 494->602 603 10617fe call 1062535 494->603 604 10617fe call 10624e5 494->604 605 10617fe call 10623e0 494->605 606 10617fe call 10705df 494->606 607 10617fe call 10626cd 494->607 608 10617fe call 10625eb 494->608 609 10617fe call 10627e8 494->609 524 1061804-1061812 call 1062c59 611 1061818 call 1061d70 524->611 612 1061818 call 1061d61 524->612 526 106181e-1061836 529 106185b-1061899 526->529 530 1061838-1061859 526->530 535 106189c-1061974 529->535 530->535 552 1061976-106197b 535->552 553 106197d 535->553 554 1061982-10619aa 552->554 553->554 557 10619b3 554->557 558 10619ac-10619b1 554->558 559 10619b8-10619e0 557->559 558->559 562 10619e2-10619e7 559->562 563 10619e9 559->563 564 10619ee-1061a16 562->564 563->564 567 1061a1f 564->567 568 1061a18-1061a1d 564->568 569 1061a24-1061a4c 567->569 568->569 572 1061a55 569->572 573 1061a4e-1061a53 569->573 574 1061a5a-1061a82 572->574 573->574 577 1061a84-1061a89 574->577 578 1061a8b 574->578 579 1061a90-1061ab8 577->579 578->579 582 1061ac1 579->582 583 1061aba-1061abf 579->583 584 1061ac6-1061aee 582->584 583->584 587 1061af7 584->587 588 1061af0-1061af5 584->588 589 1061afc-1061b34 call 1062c59 587->589 588->589 594 1061b3a-1061b84 589->594 598 1061b85 594->598 598->598 600->524 601->524 602->524 603->524 604->524 605->524 606->524 607->524 608->524 609->524 611->526 612->526
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: :@%l$:@%l$\OLl
                                                                                  • API String ID: 0-798552604
                                                                                  • Opcode ID: 14e991eaa2a860c201a813a02a7e7b656bbd79b0c98b90c15fa23567b89d0328
                                                                                  • Instruction ID: c405c1c60bd5646a2e399473ee2d9b408cea08584e19a5b5aaec124c8467f936
                                                                                  • Opcode Fuzzy Hash: 14e991eaa2a860c201a813a02a7e7b656bbd79b0c98b90c15fa23567b89d0328
                                                                                  • Instruction Fuzzy Hash: D8A16F347001418BEB14BB78D5127BE76EBABC860CF11842AD4469BBE6CF798D06DB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01061F47 Relevance: 3.1, Strings: 2, Instructions: 613COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 613 1061f47-1061f52 615 1061f54-1061f5e 613->615 829 1061f5e call a8b51a 615->829 830 1061f5e call a8b572 615->830 617 1061f63-1061f6f 618 1061f75-1061f90 617->618 619 10623be 617->619 618->619 621 1061f96-1061fa9 618->621 619->615 623 1061fb3-1061fc2 621->623 624 1061fab-1061fb1 621->624 628 10623c3 623->628 629 1061fc8-1061fd2 623->629 625 1062014-1062021 624->625 632 1062028-1062042 625->632 634 10623c8-1062437 call 1061d70 628->634 630 1061fd4-1061fd6 629->630 631 1061fd8 629->631 633 1061fdb-1062001 630->633 631->633 642 1062044 632->642 643 1062049-1062097 632->643 644 1062003-1062009 633->644 645 106200b-1062012 633->645 653 1062481-10624e3 call 1061d70 634->653 654 1062439 634->654 642->643 665 106209e-10620ef 643->665 666 1062099 643->666 644->625 645->625 673 106251b-1062639 653->673 827 106243f call 1070606 654->827 828 106243f call 10705df 654->828 658 1062445-106244d call 10629f9 661 1062453-106247c 658->661 661->673 686 10620f6-106213c 665->686 687 10620f1 665->687 666->665 825 106263b call 1070606 673->825 826 106263b call 10705df 673->826 698 1062143-1062173 686->698 699 106213e 686->699 687->686 698->619 708 1062179-10621a9 698->708 699->698 707 1062640-106272d 745 1062740-1062746 707->745 746 106272f-106273d 707->746 715 1062338-1062346 708->715 717 10621ae-10621b4 715->717 718 106234c-106236e 715->718 717->634 720 10621ba-10621e9 717->720 718->619 719 1062370-1062374 718->719 721 1062376 719->721 722 106237b-1062382 719->722 720->628 732 10621ef-1062218 720->732 721->722 722->634 724 1062384-1062392 722->724 730 1062394 724->730 731 1062399-10623a0 724->731 730->731 731->634 734 10623a2-10623b4 731->734 740 106221f-106224a 732->740 741 106221a 732->741 734->619 755 1062282-106229d 740->755 756 106224c-1062255 740->756 741->740 748 106275e 745->748 749 1062748-106274b 745->749 746->745 751 1062763-1062785 748->751 749->751 752 106274d-106275c 749->752 758 106278a-10627b4 751->758 752->758 768 10622a4-10622eb 755->768 769 106229f 755->769 759 1062257-106225b 756->759 760 1062263-1062272 756->760 771 10627b6-10627cd 758->771 772 10627cf-10627e6 758->772 759->760 760->634 761 1062278-106227f 760->761 761->755 787 10622f2-1062323 768->787 788 10622ed 768->788 769->768 776 106280a-1062812 call 1062b08 771->776 772->776 780 1062814-106282b 776->780 781 106282d-1062841 776->781 785 1062844-10628a9 call 1062bb0 780->785 781->785 800 10628af-1062921 785->800 796 1062325-1062329 787->796 797 106232f-1062332 787->797 788->787 796->628 796->797 797->628 797->715 808 1062950-106295b 800->808 809 1062923-1062926 808->809 810 106295d 808->810 811 1062964-1062975 809->811 812 1062928-1062938 809->812 813 106297a-106298c 810->813 811->813 814 106293a-1062948 812->814 815 106294b-106294e 812->815 814->815 815->808 817 106295f 815->817 817->811 825->707 826->707 827->658 828->658 829->617 830->617
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: :@%l$L.Ll
                                                                                  • API String ID: 0-1503686084
                                                                                  • Opcode ID: 38b2ef52a8f5d4915d8d659deb9d7626571b685e3580488e80ce4f318a408e7c
                                                                                  • Instruction ID: fb9c406691c25e4f8e9e6ba312dc0babdc3c2225331aae28b3d6c671426146e5
                                                                                  • Opcode Fuzzy Hash: 38b2ef52a8f5d4915d8d659deb9d7626571b685e3580488e80ce4f318a408e7c
                                                                                  • Instruction Fuzzy Hash: E5329C30B012058FDB19EB74D550BAE77E6AF88348F108478D5469BBE6DF38D846CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01060958 Relevance: 3.0, Strings: 2, Instructions: 481COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 831 1060958-1060993 833 1060a2e-1060a30 831->833 834 1060999-1060a22 831->834 835 1060a37-1060a3c 833->835 985 1060a24 call 1070606 834->985 986 1060a24 call 10705df 834->986 837 1060a42-1060a7a 835->837 838 1060b1e-1060bc2 835->838 854 1060aa1-1060b01 837->854 855 1060a7c-1060a9a 837->855 874 1060c9e-1060ca7 838->874 875 1060bc8-1060c50 838->875 854->838 855->854 879 1060d51-1060d5a 874->879 880 1060cad-1060d2c 874->880 910 1060c57-1060c8b 875->910 876 1060a2a-1060a2c 876->833 877 1060a32 876->877 877->835 881 1060d5c-1060d73 879->881 882 1060d7a-1060d83 879->882 922 1060d33-1060d3e 880->922 881->882 885 1060d85-1060d8c 882->885 886 1060da9-1060db2 882->886 898 1060d96 885->898 888 1060f33-1060f3a 886->888 889 1060db8-1060dd6 886->889 983 1060dd8 call 1070606 889->983 984 1060dd8 call 10705df 889->984 895 1060dde-1060e06 912 1060f1c-1060f2d 895->912 898->886 910->874 912->888 913 1060e0b-1060e14 912->913 915 1060f40-1060fd1 913->915 916 1060e1a-1060efb 913->916 945 1060fd7-1060fe8 915->945 946 10610ca 915->946 962 1060f03-1060f1a 916->962 922->879 953 1060fea-106100b 945->953 948 10610cc-10610d3 946->948 960 1061012-1061048 953->960 961 106100d 953->961 970 106104f-1061077 960->970 971 106104a 960->971 961->960 962->912 965 1060f3b 962->965 965->915 975 106107d-10610a1 970->975 976 1061079-106107b 970->976 971->970 979 10610a3-10610a8 975->979 980 10610aa-10610b4 975->980 976->948 979->948 981 10610b6-10610b8 980->981 982 10610ba-10610c4 980->982 981->948 982->946 982->953 983->895 984->895 985->876 986->876
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: :@%l$\OLl
                                                                                  • API String ID: 0-1085053772
                                                                                  • Opcode ID: 44e819926da0b9b9b669809b0af6c6ead74b025e75294e29be1f1810cb510ee8
                                                                                  • Instruction ID: ac18e8a1ecc08ff98784b827dc3358f6cc57f71642a0f43edf55537e15c3f8c1
                                                                                  • Opcode Fuzzy Hash: 44e819926da0b9b9b669809b0af6c6ead74b025e75294e29be1f1810cb510ee8
                                                                                  • Instruction Fuzzy Hash: 46024C307002148FDB18EB78D550BAE77E6AF88208B114479E446DBBEADF39DC46CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01060509 Relevance: 2.6, Strings: 2, Instructions: 50COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 987 1060509-1060523 991 1060525 987->991 992 1060570-1060587 987->992 995 106052f-1060531 991->995 993 1060880 992->993 994 106058d-10605a6 992->994 998 10605ad-10605b4 994->998 1005 1060533 call 1070606 995->1005 1006 1060533 call 10705df 995->1006 997 1060539-1060562 1004 1060569 997->1004 1007 10605b9 call 1070606 998->1007 1008 10605b9 call 10705df 998->1008 1009 10605b9 call 1061eb8 998->1009 1002 10605bf 1002->993 1004->992 1005->997 1006->997 1007->1002 1008->1002 1009->1002
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: [$l^$2Ll
                                                                                  • API String ID: 0-4141418618
                                                                                  • Opcode ID: 7fcff63b142b5be9b9b360a5098fff37a5f71e77fe969de7fd367641b5c5a771
                                                                                  • Instruction ID: 51389ee382f24861f7b333784bf1b3b6f5ba98847c830501fe4c72b439f471ef
                                                                                  • Opcode Fuzzy Hash: 7fcff63b142b5be9b9b360a5098fff37a5f71e77fe969de7fd367641b5c5a771
                                                                                  • Instruction Fuzzy Hash: 82018420F441104B8B49F77E0422B7EB6D75FDA604709446EE046DB798DF28CC059BE6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C92B6E Relevance: 1.6, APIs: 1, Instructions: 99registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 1010 4c92b6e-4c92bf2 1014 4c92bf4 1010->1014 1015 4c92bf7-4c92c03 1010->1015 1014->1015 1016 4c92c08-4c92c11 1015->1016 1017 4c92c05 1015->1017 1018 4c92c13 1016->1018 1019 4c92c16-4c92c2d 1016->1019 1017->1016 1018->1019 1021 4c92c6f-4c92c74 1019->1021 1022 4c92c2f-4c92c42 RegCreateKeyExW 1019->1022 1021->1022 1023 4c92c44-4c92c6c 1022->1023 1024 4c92c76-4c92c7b 1022->1024 1024->1023
                                                                                  APIs
                                                                                  • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04C92C35
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Create
                                                                                  • String ID:
                                                                                  • API String ID: 2289755597-0
                                                                                  • Opcode ID: 0546a508570dbab23f5f3ccd7e316629ef261cd59b357c455f566df8dddcc1de
                                                                                  • Instruction ID: 9dc2aa0eb8b4d76ab905faedcc7c8e491bf5a6ea371fd26a9afd81f43c5eed66
                                                                                  • Opcode Fuzzy Hash: 0546a508570dbab23f5f3ccd7e316629ef261cd59b357c455f566df8dddcc1de
                                                                                  • Instruction Fuzzy Hash: 1F317076504344AFEB218F65CC44FA7BBFCEF05710F18899AE9858B652D324E908CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C90CEF Relevance: 1.6, APIs: 1, Instructions: 98registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 1029 4c90cef-4c90d0f 1030 4c90d31-4c90d63 1029->1030 1031 4c90d11-4c90d30 1029->1031 1035 4c90d66-4c90dbe RegQueryValueExW 1030->1035 1031->1030 1037 4c90dc4-4c90dda 1035->1037
                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 04C90DB6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: b8717ee6252c540f738f22c163905f64e91608545b77c769db810c76a5f58a5f
                                                                                  • Instruction ID: 71ccc26d51b5d01de80585db230d3ad398a63a2ae2c1d1c30d777a80286f2173
                                                                                  • Opcode Fuzzy Hash: b8717ee6252c540f738f22c163905f64e91608545b77c769db810c76a5f58a5f
                                                                                  • Instruction Fuzzy Hash: F2318B7510E3C06FD3138B218C65A61BFB4EF47614B0E85CBD8848B6A3D2696919C7B2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8AC19 Relevance: 1.6, APIs: 1, Instructions: 96fileCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 1038 a8ac19-a8acb2 1042 a8acb4 1038->1042 1043 a8acb7-a8acc3 1038->1043 1042->1043 1044 a8acc8-a8acd1 1043->1044 1045 a8acc5 1043->1045 1046 a8ad22-a8ad27 1044->1046 1047 a8acd3-a8acf7 CreateFileW 1044->1047 1045->1044 1046->1047 1050 a8ad29-a8ad2e 1047->1050 1051 a8acf9-a8ad1f 1047->1051 1050->1051
                                                                                  APIs
                                                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00A8ACD9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateFile
                                                                                  • String ID:
                                                                                  • API String ID: 823142352-0
                                                                                  • Opcode ID: b87ef6af0edd5f651b3e439aa276e6d8f03e62247410beb20c60d20414adc4de
                                                                                  • Instruction ID: d0f2acdfd230012f08787203a3c8b389eb335b9ebbbf3f013133747cfe7ef83f
                                                                                  • Opcode Fuzzy Hash: b87ef6af0edd5f651b3e439aa276e6d8f03e62247410beb20c60d20414adc4de
                                                                                  • Instruction Fuzzy Hash: B8318175505384AFE722CF61CC45F52BFF8EF06314F08849EE9858B652D365E809CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C9191C Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 1054 4c9191c-4c919db 1060 4c91a2d-4c91a32 1054->1060 1061 4c919dd-4c919e5 getaddrinfo 1054->1061 1060->1061 1062 4c919eb-4c919fd 1061->1062 1064 4c919ff-4c91a2a 1062->1064 1065 4c91a34-4c91a39 1062->1065 1065->1064
                                                                                  APIs
                                                                                  • getaddrinfo.WS2_32(?,00000E24), ref: 04C919E3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: getaddrinfo
                                                                                  • String ID:
                                                                                  • API String ID: 300660673-0
                                                                                  • Opcode ID: 6774155063735076fb87232253831e39b047abe6564f2e667a03b665d0012d18
                                                                                  • Instruction ID: 04d2b671e6c646b1afab11240f72b4b5144a29d40350e03b2ed0e99ec74d6da6
                                                                                  • Opcode Fuzzy Hash: 6774155063735076fb87232253831e39b047abe6564f2e667a03b665d0012d18
                                                                                  • Instruction Fuzzy Hash: 2D31AFB1100344BFEB21CB51CC85FA6FBBCEB04314F14499AFA489B592D774A909CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C91BAA Relevance: 1.6, APIs: 1, Instructions: 92COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 1069 4c91baa-4c91c6c GetVolumeInformationA 1072 4c91c72-4c91c9b 1069->1072
                                                                                  APIs
                                                                                  • GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 04C91C6A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: InformationVolume
                                                                                  • String ID:
                                                                                  • API String ID: 2039140958-0
                                                                                  • Opcode ID: bb037198fd2093be5dc3044f093ca628f42079afbf1b6063f0fa03c1fcb8acf6
                                                                                  • Instruction ID: e435aefc565ba30d35c952b5d370e1831e0c6c0c1fb2bc718ae8ecbeb7332a72
                                                                                  • Opcode Fuzzy Hash: bb037198fd2093be5dc3044f093ca628f42079afbf1b6063f0fa03c1fcb8acf6
                                                                                  • Instruction Fuzzy Hash: 3E316E7150E3C06FD3138B258C61BA2BFB8AF47210F1E81DBD8C49F5A3D2256959C7A2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C91814 Relevance: 1.6, APIs: 1, Instructions: 91timeCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • GetProcessTimes.KERNELBASE(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 04C918B1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ProcessTimes
                                                                                  • String ID:
                                                                                  • API String ID: 1995159646-0
                                                                                  • Opcode ID: 3fbb9a288a1cb049308d41505ff8497758d294850def08a1854a6731377f281a
                                                                                  • Instruction ID: 7f2fead6c175274b8750d7851302ed1f29c6a337a1ed5e81552e5e8cacf42a14
                                                                                  • Opcode Fuzzy Hash: 3fbb9a288a1cb049308d41505ff8497758d294850def08a1854a6731377f281a
                                                                                  • Instruction Fuzzy Hash: 153139711093806FEB128F61DC45B96BFB8EF06320F1984DFE9848F553D225A909C7B1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8AB1E Relevance: 1.6, APIs: 1, Instructions: 91registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 1074 a8ab1e-a8ab84 1076 a8ab8a-a8ab9b 1074->1076 1077 a8aba1-a8abad 1076->1077 1078 a8abaf 1077->1078 1079 a8abb2-a8abc9 1077->1079 1078->1079 1081 a8ac0b-a8ac10 1079->1081 1082 a8abcb-a8abde RegOpenKeyExW 1079->1082 1081->1082 1083 a8abe0-a8ac08 1082->1083 1084 a8ac12-a8ac17 1082->1084 1084->1083
                                                                                  APIs
                                                                                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00A8ABD1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Open
                                                                                  • String ID:
                                                                                  • API String ID: 71445658-0
                                                                                  • Opcode ID: 3f72ece83d69f934f52567420ff0caff83c516c1b5f34234bc42be5b97b8f319
                                                                                  • Instruction ID: 62f922a0b62fa329b3cc0aadddcf1d3c668e6c91d62ead3249f401c6d4ed0557
                                                                                  • Opcode Fuzzy Hash: 3f72ece83d69f934f52567420ff0caff83c516c1b5f34234bc42be5b97b8f319
                                                                                  • Instruction Fuzzy Hash: 6F31C4725093846FE7228B51CC84FA7BFBCEF06314F09849BE9848B553D324A909CB72
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C91208 Relevance: 1.6, APIs: 1, Instructions: 89COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04C9129F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: DescriptorSecurity$ConvertString
                                                                                  • String ID:
                                                                                  • API String ID: 3907675253-0
                                                                                  • Opcode ID: 5315e4bd7e942a0f446cd4436872065b46a1cc0b701c1e8d88e676c05d1658c8
                                                                                  • Instruction ID: 3719900cb9460800fc159a57a912163b3908e80b952c07dc0e75bfa9a108feee
                                                                                  • Opcode Fuzzy Hash: 5315e4bd7e942a0f446cd4436872065b46a1cc0b701c1e8d88e676c05d1658c8
                                                                                  • Instruction Fuzzy Hash: 7C31DF72504384AFEB218F65DC45FA7BBF8EF01210F0884AAE944DB652D324A909CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8A612 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • CreateMutexW.KERNELBASE(?,?), ref: 00A8A6B9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateMutex
                                                                                  • String ID:
                                                                                  • API String ID: 1964310414-0
                                                                                  • Opcode ID: 9ecb3336193dc0a7aae7a807e8836ebc9e9deed7e5663df7787a96c356fd3994
                                                                                  • Instruction ID: 017d1a576f52e2c87f78cf40b53986c524a5e2d24aac82b17fe0a49e01c8b722
                                                                                  • Opcode Fuzzy Hash: 9ecb3336193dc0a7aae7a807e8836ebc9e9deed7e5663df7787a96c356fd3994
                                                                                  • Instruction Fuzzy Hash: DF31AFB15093806FE712CB25CC85B96BFF8EF16314F09849AE984CB292D365A909C762
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C92B9A Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 04C92C35
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Create
                                                                                  • String ID:
                                                                                  • API String ID: 2289755597-0
                                                                                  • Opcode ID: 36cfd60fef30ee91739a64aafae12cd956d44bf17ed23421f27589f472096538
                                                                                  • Instruction ID: 5c8561db1f752f05558244644fd26bb3ec11b71561cced39aa64135d27ffd3d1
                                                                                  • Opcode Fuzzy Hash: 36cfd60fef30ee91739a64aafae12cd956d44bf17ed23421f27589f472096538
                                                                                  • Instruction Fuzzy Hash: 5B2171B6600204BFEB219F15CC85FA7B7ECEF04714F14899AE985D7651D720F909CA71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8A361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 00A8A40C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: 6a454cdcaaa8df1cc2d412c2abe48d1444376ef9f93337822d04f9d5eb001fa2
                                                                                  • Instruction ID: 8bc75fcb0908ff7a8ee597751884259776806b17f6245cbc1b35eaa94b9136aa
                                                                                  • Opcode Fuzzy Hash: 6a454cdcaaa8df1cc2d412c2abe48d1444376ef9f93337822d04f9d5eb001fa2
                                                                                  • Instruction Fuzzy Hash: C6318F75505780AFE722CF11CC84F96BBF8EF16710F08849AE9458B692D364E909CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C9193E Relevance: 1.6, APIs: 1, Instructions: 84COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • getaddrinfo.WS2_32(?,00000E24), ref: 04C919E3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: getaddrinfo
                                                                                  • String ID:
                                                                                  • API String ID: 300660673-0
                                                                                  • Opcode ID: e72636f3394a295c82d838e4c04d2049ca2d89404c1ca4d45ddf60c182554c7b
                                                                                  • Instruction ID: a3f93e0e1f51efd9632b8fb9763b1b24d221f9735a077c15fe92c62b2d713e9e
                                                                                  • Opcode Fuzzy Hash: e72636f3394a295c82d838e4c04d2049ca2d89404c1ca4d45ddf60c182554c7b
                                                                                  • Instruction Fuzzy Hash: EF21BFB2100204BEFB219B51CC85FAAF7ECEB04314F14895AFA489B691D774A90ACB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C92E0D Relevance: 1.6, APIs: 1, Instructions: 80COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: select
                                                                                  • String ID:
                                                                                  • API String ID: 1274211008-0
                                                                                  • Opcode ID: d3c68f9c31980d29e8fd2b6d280227510c6238037631837901cf58f56e75a5e4
                                                                                  • Instruction ID: 2e5c4c655f0c926c60efb560d456d2846991e4225398ddc41ac6325e7f658c39
                                                                                  • Opcode Fuzzy Hash: d3c68f9c31980d29e8fd2b6d280227510c6238037631837901cf58f56e75a5e4
                                                                                  • Instruction Fuzzy Hash: E3217C75509384AFDB22CF25DC84B52BFF8EF06310F0988DAE984CB162D275A909CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8AD30 Relevance: 1.6, APIs: 1, Instructions: 80COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • GetFileType.KERNELBASE(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 00A8ADC5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileType
                                                                                  • String ID:
                                                                                  • API String ID: 3081899298-0
                                                                                  • Opcode ID: 0dc09eda4314c7824596976fde2bdecde32f2580a92812a464dbbb2fb621bffa
                                                                                  • Instruction ID: b5093095fa7713e864fef4be037a5c41a6a57b9db7fe3a2a7f542ba7efaa40e4
                                                                                  • Opcode Fuzzy Hash: 0dc09eda4314c7824596976fde2bdecde32f2580a92812a464dbbb2fb621bffa
                                                                                  • Instruction Fuzzy Hash: 88213AB54493806FE7128B21DC41BA7BFBCEF07720F1980DAE9808B693D264A909C771
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8B51A Relevance: 1.6, APIs: 1, Instructions: 78COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • GetLogicalDrives.KERNELBASE ref: 00A8B5A1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: DrivesLogical
                                                                                  • String ID:
                                                                                  • API String ID: 999431828-0
                                                                                  • Opcode ID: 78f523acb6a7c71be35579bcd4f9d65148e0bf6ab5995f7fe4aeb097fec5d391
                                                                                  • Instruction ID: 520ad63e83723c6f059dc6a28ff563b4e1b316221e9046d66ea7a069865bab61
                                                                                  • Opcode Fuzzy Hash: 78f523acb6a7c71be35579bcd4f9d65148e0bf6ab5995f7fe4aeb097fec5d391
                                                                                  • Instruction Fuzzy Hash: 4D215C7144E3C05FD7038B219C65A62BFB4EF43220F0A85DBE985CF1A3C2695909C772
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C90DE2 Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 04C90E6E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Socket
                                                                                  • String ID:
                                                                                  • API String ID: 38366605-0
                                                                                  • Opcode ID: f562eb1bdd024c3c4dbab308fee1f4aad1463cfacbd26c84eac571dcb1661a3c
                                                                                  • Instruction ID: 0cedb4c32b01d4de6c280703e69d51ee9acb0fda007e3312b67aa424c1f99789
                                                                                  • Opcode Fuzzy Hash: f562eb1bdd024c3c4dbab308fee1f4aad1463cfacbd26c84eac571dcb1661a3c
                                                                                  • Instruction Fuzzy Hash: 3F218071505380AFE721CF52DC45F96FFF8EF05214F08889EE9858B692D375A509CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C913BE Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileView
                                                                                  • String ID:
                                                                                  • API String ID: 3314676101-0
                                                                                  • Opcode ID: 1897cb9c25c286d5cca46f56f5b1d7e844a2b6ce13cb9f26edc3538bc2597a17
                                                                                  • Instruction ID: cd2b3191d50c4014a20dd1e0abb7c324ad1d4630b9588987da14be6d4cbb4b22
                                                                                  • Opcode Fuzzy Hash: 1897cb9c25c286d5cca46f56f5b1d7e844a2b6ce13cb9f26edc3538bc2597a17
                                                                                  • Instruction Fuzzy Hash: 3721D171505380AFE722CF56CC49F96FFF8EF09224F18849EE9858B652D375A908CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C90006 Relevance: 1.6, APIs: 1, Instructions: 77COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • GetExitCodeProcess.KERNELBASE(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 04C90088
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: CodeExitProcess
                                                                                  • String ID:
                                                                                  • API String ID: 3861947596-0
                                                                                  • Opcode ID: 79ff76d5456ac759d19fd21d548c7313bf87c9a9c69ef366e4000714598aea14
                                                                                  • Instruction ID: 1fd7d356087ad26bf6023713cd7ce893c73e61487aa1e6d20933182e65be2ee5
                                                                                  • Opcode Fuzzy Hash: 79ff76d5456ac759d19fd21d548c7313bf87c9a9c69ef366e4000714598aea14
                                                                                  • Instruction Fuzzy Hash: 8221C27150A3806FE712CB21DC89B96BFB8EF02214F1884DBE944DF593D268A909C762
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • RegSetValueExW.KERNELBASE(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 00A8A4F8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value
                                                                                  • String ID:
                                                                                  • API String ID: 3702945584-0
                                                                                  • Opcode ID: a019e96e8c4eab916151584ca779abb8e31d7dc02c9de31861a6f094212e7dd7
                                                                                  • Instruction ID: 59a7733b8ca0aa8d2c7402ce1718017f9d710954f97d75ecac66ff35bbd154a2
                                                                                  • Opcode Fuzzy Hash: a019e96e8c4eab916151584ca779abb8e31d7dc02c9de31861a6f094212e7dd7
                                                                                  • Instruction Fuzzy Hash: 7B21A1721053806FE7228B11CC44F67BFB8EF15610F08849AE9458B652D264E948C772
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 010623E0 Relevance: 1.6, Strings: 1, Instructions: 327COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: :@%l
                                                                                  • API String ID: 0-1656731533
                                                                                  • Opcode ID: 35d6ae4ac7885daaed3f2f2439c77f6cb0a04b76addf705fe31ab2feb551f682
                                                                                  • Instruction ID: f762a926f73a8a790b4ee104dd367467f2f646ade6ac9905421605f3245b0f77
                                                                                  • Opcode Fuzzy Hash: 35d6ae4ac7885daaed3f2f2439c77f6cb0a04b76addf705fe31ab2feb551f682
                                                                                  • Instruction Fuzzy Hash: 6FD14D30B04205DFDB09EF74E55199DB7B6BF89248B118439E8069BBEADF399805CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C91116 Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 04C911B4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: cf02fbba9eb9c6490f865c78552d921fda87de3bbaf61508eb6df400048a5ba7
                                                                                  • Instruction ID: 5f34de3119df7c6a810a029fc726f170b250bf3a00da46209142f4d1b395dccf
                                                                                  • Opcode Fuzzy Hash: cf02fbba9eb9c6490f865c78552d921fda87de3bbaf61508eb6df400048a5ba7
                                                                                  • Instruction Fuzzy Hash: E221AE76505380AFE722CF51DC49FA7BFF8EF45310F08849AE9459B692D364E908CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C9122E Relevance: 1.6, APIs: 1, Instructions: 76COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 04C9129F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: DescriptorSecurity$ConvertString
                                                                                  • String ID:
                                                                                  • API String ID: 3907675253-0
                                                                                  • Opcode ID: 5894c0d4625d6bfca4ca53b05a64eca6b4938f97a459f3f92112083c11f11a58
                                                                                  • Instruction ID: b1f1c6da4b232a2853d4280c2827b8bc1171a683919bbd9a560a46beafacfe28
                                                                                  • Opcode Fuzzy Hash: 5894c0d4625d6bfca4ca53b05a64eca6b4938f97a459f3f92112083c11f11a58
                                                                                  • Instruction Fuzzy Hash: 7021F2B2600205AFEB209F25CC85BAABBECEF00214F08846AED04DB651D724E909CA71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C9023C Relevance: 1.6, APIs: 1, Instructions: 76COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • K32EnumProcesses.KERNEL32(?,?,?,251316B8,00000000,?,?,?,?,?,?,?,?,6CDF3C58), ref: 04C902C2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: EnumProcesses
                                                                                  • String ID:
                                                                                  • API String ID: 84517404-0
                                                                                  • Opcode ID: 8ce3d650f1d9e0e929a83b3e1fccf51c8c1822a7960b4702b43a9a2013bbad18
                                                                                  • Instruction ID: d986f831b436af8f29a378ea4ef76a45cd95d76a140f3b185310e9eef78bb0ff
                                                                                  • Opcode Fuzzy Hash: 8ce3d650f1d9e0e929a83b3e1fccf51c8c1822a7960b4702b43a9a2013bbad18
                                                                                  • Instruction Fuzzy Hash: C9216D715097C0AFDB128B65DC55A92BFB8AF07210F0E84DBD984CF163D224A919CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8AC5A Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00A8ACD9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateFile
                                                                                  • String ID:
                                                                                  • API String ID: 823142352-0
                                                                                  • Opcode ID: e446e3ad0c169905881740255a36a9d4a27bdec70da044f14b52dd69acfe0f60
                                                                                  • Instruction ID: 3708ccba1aff9ebc1d6055cc7f834f24e915b7439f62db2d3bea2e65d5f6ffe5
                                                                                  • Opcode Fuzzy Hash: e446e3ad0c169905881740255a36a9d4a27bdec70da044f14b52dd69acfe0f60
                                                                                  • Instruction Fuzzy Hash: 63219FB1500600AFEB20DF66CC85F66FBE8EF14314F14845EE9458BA51D371E809CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8AB52 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00A8ABD1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Open
                                                                                  • String ID:
                                                                                  • API String ID: 71445658-0
                                                                                  • Opcode ID: 9570175817d39343e7b76ace65fa03ff5baf17c1a6bf5712465b1a2674875cf7
                                                                                  • Instruction ID: 2b2bc6a9e9753524faee1525dd31c2104c229e2309f08b5ec3e1f058c79be680
                                                                                  • Opcode Fuzzy Hash: 9570175817d39343e7b76ace65fa03ff5baf17c1a6bf5712465b1a2674875cf7
                                                                                  • Instruction Fuzzy Hash: 8F219FB2500204AEE7209F55CC85FABFBBCEF14314F14855AE9458BA52D764E909CBB2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C931E3 Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • SetProcessWorkingSetSize.KERNEL32(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 04C9325F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ProcessSizeWorking
                                                                                  • String ID:
                                                                                  • API String ID: 3584180929-0
                                                                                  • Opcode ID: 7b951939a43ac26beee910292154860828132910bdfab170f5cd04c28327f415
                                                                                  • Instruction ID: f2c17c636b32c9aae9cfa0df464766771a77f0b9b2a1e77dbf5550acaff3505b
                                                                                  • Opcode Fuzzy Hash: 7b951939a43ac26beee910292154860828132910bdfab170f5cd04c28327f415
                                                                                  • Instruction Fuzzy Hash: DD21D4715053806FDB21CF51CC49FABFFB8EF45210F0884AEE944DB692D364A908CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C930FF Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • GetProcessWorkingSetSize.KERNEL32(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 04C9317B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ProcessSizeWorking
                                                                                  • String ID:
                                                                                  • API String ID: 3584180929-0
                                                                                  • Opcode ID: 7b951939a43ac26beee910292154860828132910bdfab170f5cd04c28327f415
                                                                                  • Instruction ID: d57bcb2c50b708039e14c6894f3e29fd5057ccff90beefbd6f3e77fce59f91c7
                                                                                  • Opcode Fuzzy Hash: 7b951939a43ac26beee910292154860828132910bdfab170f5cd04c28327f415
                                                                                  • Instruction Fuzzy Hash: 5B21D4755053806FDB21CF11CC49F9BBFB8EF45210F0884AEE944DB562D374A908CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8B0D2 Relevance: 1.6, APIs: 1, Instructions: 73fileCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • ReadFile.KERNELBASE(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 00A8B151
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileRead
                                                                                  • String ID:
                                                                                  • API String ID: 2738559852-0
                                                                                  • Opcode ID: f64ad5ef3ed454ac0baa43c25b344496c22e790c1cbef9bcc0f06e307267167a
                                                                                  • Instruction ID: 83311259e2e059868c158237d279900ad139bc6f086045e4e6282bdddd163dfd
                                                                                  • Opcode Fuzzy Hash: f64ad5ef3ed454ac0baa43c25b344496c22e790c1cbef9bcc0f06e307267167a
                                                                                  • Instruction Fuzzy Hash: 7B21DEB2405340BFEB228F51DC44FA7BFBCEF45724F08859AF9449B652C265A908CBB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C91655 Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • shutdown.WS2_32(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 04C916D8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: shutdown
                                                                                  • String ID:
                                                                                  • API String ID: 2510479042-0
                                                                                  • Opcode ID: 8cb2ef8be939a0bfb98e3acbd9c79587e4107411c03a0a8acd42329a8deb6dfe
                                                                                  • Instruction ID: 5fb09187ea9e88076c29bb1d6bf51b923520ea83cff8e75de36145cbebb594bc
                                                                                  • Opcode Fuzzy Hash: 8cb2ef8be939a0bfb98e3acbd9c79587e4107411c03a0a8acd42329a8deb6dfe
                                                                                  • Instruction Fuzzy Hash: 9721D7B14093806FD712CF11CC45B56FFB8EF02224F1884DBE9849F153C368A508CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • CreateMutexW.KERNELBASE(?,?), ref: 00A8A6B9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateMutex
                                                                                  • String ID:
                                                                                  • API String ID: 1964310414-0
                                                                                  • Opcode ID: c5b58f1f8a62e03d2faf73316057c5727a534f9e3209fb2b9f8c304e2ba40d9e
                                                                                  • Instruction ID: e34464c1b5b33fc187098ea9a28a2abad90261a42d4743181539187c27093c6f
                                                                                  • Opcode Fuzzy Hash: c5b58f1f8a62e03d2faf73316057c5727a534f9e3209fb2b9f8c304e2ba40d9e
                                                                                  • Instruction Fuzzy Hash: B321B0B1601200AFF710DB26CC85BA6FBE8EF14314F18846AE9458B641E371E809CB72
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8BBF3 Relevance: 1.6, APIs: 1, Instructions: 70COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00A8BC6A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: LookupPrivilegeValue
                                                                                  • String ID:
                                                                                  • API String ID: 3899507212-0
                                                                                  • Opcode ID: 70efb5ee5a97b3de1fc153d466a0f2ad6d4cd5297b510183e98b18852e4cdc65
                                                                                  • Instruction ID: 7bb37f0e9d96d8493fd2e4defa0087b0772ae842f21a7017b1bd76ce4a1e1914
                                                                                  • Opcode Fuzzy Hash: 70efb5ee5a97b3de1fc153d466a0f2ad6d4cd5297b510183e98b18852e4cdc65
                                                                                  • Instruction Fuzzy Hash: DB2181B15093805FDB61CF25CC55B52BFF8EF46210F0984DAED85DB252D665E808CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C92D47 Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • ioctlsocket.WS2_32(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 04C92DC3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ioctlsocket
                                                                                  • String ID:
                                                                                  • API String ID: 3577187118-0
                                                                                  • Opcode ID: 58d909435aea3b3c48817135a433b9ffa495a09a0b62a9f968a124d6a40cbd96
                                                                                  • Instruction ID: 2f8559fbc9366054783fdee5b5bd505ec99ac102f8bb3deb48a0b04a1f377021
                                                                                  • Opcode Fuzzy Hash: 58d909435aea3b3c48817135a433b9ffa495a09a0b62a9f968a124d6a40cbd96
                                                                                  • Instruction Fuzzy Hash: FA21A171409384AFDB22CF51CC88F96FFB8EF45214F08849AE9849B592C264A508CBA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 00A8A40C
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: e15f68081870c4b99636d89fe1b582c84ff39dbb2d6c0794abdcd4bd47bf8ab2
                                                                                  • Instruction ID: 7367dee14479118a736ef069369617fcba6c2e2e93f09cbb0a41412d77d4a054
                                                                                  • Opcode Fuzzy Hash: e15f68081870c4b99636d89fe1b582c84ff39dbb2d6c0794abdcd4bd47bf8ab2
                                                                                  • Instruction Fuzzy Hash: 042190B5600204AFEB20DF15CC84FA6F7ECEF14710F18845AE9458B651D360E909CB72
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8BE38 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 00A8BEA4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ChangeCloseFindNotification
                                                                                  • String ID:
                                                                                  • API String ID: 2591292051-0
                                                                                  • Opcode ID: 970be0b476faece803bec2f968955bd066499b988247740476861b60ceb88302
                                                                                  • Instruction ID: 2a1718aa975231ae91e5a09f499a39624166ac2dde513a223a00f6900931ae0a
                                                                                  • Opcode Fuzzy Hash: 970be0b476faece803bec2f968955bd066499b988247740476861b60ceb88302
                                                                                  • Instruction Fuzzy Hash: 7E21A1715093C05FDB028B25DC95792BFB4AF17324F0D84DAED858F663D265A908CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8A710 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 00A8A780
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ChangeCloseFindNotification
                                                                                  • String ID:
                                                                                  • API String ID: 2591292051-0
                                                                                  • Opcode ID: 0cf6c2fb32c85f011b694c4773eea6a9a3570ee496b2e09ec90a03364e521c41
                                                                                  • Instruction ID: 5f585e8a8dad20c0240dec4e117afdd885e7de575650cc20add754344a6cce52
                                                                                  • Opcode Fuzzy Hash: 0cf6c2fb32c85f011b694c4773eea6a9a3570ee496b2e09ec90a03364e521c41
                                                                                  • Instruction Fuzzy Hash: E921D5B54047809FD7118F15DD85752BFB8EF12320F0984EBDD848B253D2359909DB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C913DE Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileView
                                                                                  • String ID:
                                                                                  • API String ID: 3314676101-0
                                                                                  • Opcode ID: e45489b8d748576cb5c8e8af894e84d5903e5e64d7fe0b9fdb3976fb698c5651
                                                                                  • Instruction ID: 2af2c6e689533ce9dbbe6a14100e87175450914f15bb327a690e78984de93d58
                                                                                  • Opcode Fuzzy Hash: e45489b8d748576cb5c8e8af894e84d5903e5e64d7fe0b9fdb3976fb698c5651
                                                                                  • Instruction Fuzzy Hash: FD21A171501200AFEB21CF56CC89F96FBE8EF08224F18845EE9458BA51D775F509CBB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C91AEE Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04C91B6A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Connect
                                                                                  • String ID:
                                                                                  • API String ID: 3144859779-0
                                                                                  • Opcode ID: 6f119c05f5564b43dfe8b5e97166165db3686cdf66598753ca1bdbae226680bd
                                                                                  • Instruction ID: 37763eabd1f74ab864bfe35f0245020764a2f68cbc786f2456c0e2249a59718d
                                                                                  • Opcode Fuzzy Hash: 6f119c05f5564b43dfe8b5e97166165db3686cdf66598753ca1bdbae226680bd
                                                                                  • Instruction Fuzzy Hash: FB219F75408380AFDB228F51DC44B62BFF9EF06310F0D85DAED858B162D375A919DB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C90E02 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 04C90E6E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Socket
                                                                                  • String ID:
                                                                                  • API String ID: 38366605-0
                                                                                  • Opcode ID: 104ad46477f1b398be6e197ee49003bd1df9aeee329a62eb67d8a3e77a731c45
                                                                                  • Instruction ID: 0c0ec29194240e7302c098f22651d5610a3c4fe2b6e990e18b4b9f09073ca213
                                                                                  • Opcode Fuzzy Hash: 104ad46477f1b398be6e197ee49003bd1df9aeee329a62eb67d8a3e77a731c45
                                                                                  • Instruction Fuzzy Hash: 6E21C271500200AFEB21CF56DD85B56FBE8EF04314F04885EE9854B651D371B509CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C91E86 Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNELBASE(?,00000E24), ref: 04C91F0F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  • Opcode ID: 2572439430474190b28239defe74c29f040170c298d5ae552c50f16ad63b5de4
                                                                                  • Instruction ID: d96a4920c714065df877985039885259b15711b4f2040edf925a4609f0d06af6
                                                                                  • Opcode Fuzzy Hash: 2572439430474190b28239defe74c29f040170c298d5ae552c50f16ad63b5de4
                                                                                  • Instruction Fuzzy Hash: E51103711053846FE721CF11DC89FA6FFB8EF05720F18809AF9448B692D3A4B948CB66
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8B19B Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • SetFileAttributesW.KERNELBASE(?,?), ref: 00A8B213
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: AttributesFile
                                                                                  • String ID:
                                                                                  • API String ID: 3188754299-0
                                                                                  • Opcode ID: 2ef689929ae30e4c3f7460014d93a006167b40014f136d65335eb773a4a633f2
                                                                                  • Instruction ID: b4b67032e55997283b556356dba8fc4b1eeb11478815df80ec0486684f6521fe
                                                                                  • Opcode Fuzzy Hash: 2ef689929ae30e4c3f7460014d93a006167b40014f136d65335eb773a4a633f2
                                                                                  • Instruction Fuzzy Hash: 9621F3B15083C05FDB12CB25DC95B96BFE8EF02314F0E80EAD8848F163D2259909CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C91142 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 04C911B4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: 5f24aafd26138cd19ae71da72e0e93cc990ae671e2dcd3c736556a0877ce5a46
                                                                                  • Instruction ID: 00c472f446392e84c7dd312c0869ee2aaf748479ad7c4d5386a2d359739622d9
                                                                                  • Opcode Fuzzy Hash: 5f24aafd26138cd19ae71da72e0e93cc990ae671e2dcd3c736556a0877ce5a46
                                                                                  • Instruction Fuzzy Hash: D9117F76600200BFEB21CF56DC89FA6BBE8EF04710F18855AE9459B652D764F908CAB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • RegSetValueExW.KERNELBASE(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 00A8A4F8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value
                                                                                  • String ID:
                                                                                  • API String ID: 3702945584-0
                                                                                  • Opcode ID: 67f58eb92cae440007a14ca0d0cf50c9b533d2b6c0750d0c6fd2085176b8971c
                                                                                  • Instruction ID: 234d1deffdab8248cf8781f878cbd3ab98b2a9140748c8efbed0fd906ea343b8
                                                                                  • Opcode Fuzzy Hash: 67f58eb92cae440007a14ca0d0cf50c9b533d2b6c0750d0c6fd2085176b8971c
                                                                                  • Instruction Fuzzy Hash: 3F11B1B6600600AFEB209F11DC85FA7BBECEF14710F14845AED458BA52D360E948CB72
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C91852 Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • GetProcessTimes.KERNELBASE(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 04C918B1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ProcessTimes
                                                                                  • String ID:
                                                                                  • API String ID: 1995159646-0
                                                                                  • Opcode ID: 410d14aff5aba486e9cd3bff368d8630f2d0d1ae7c8fb2c0520ecf437da6518a
                                                                                  • Instruction ID: 62f259c54801e3df785c2858418ee48b5f1adb0cb8539a79da804b4f7431f62c
                                                                                  • Opcode Fuzzy Hash: 410d14aff5aba486e9cd3bff368d8630f2d0d1ae7c8fb2c0520ecf437da6518a
                                                                                  • Instruction Fuzzy Hash: 8F11E671600300AFEB218F55DC85FAAFBE8EF04320F18856AED458B651D770E909DBB5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8B330 Relevance: 1.6, APIs: 1, Instructions: 64fileCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • CopyFileW.KERNELBASE(?,?,?), ref: 00A8B39A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: CopyFile
                                                                                  • String ID:
                                                                                  • API String ID: 1304948518-0
                                                                                  • Opcode ID: dc1726083e522558a3ddddef48ff67493777cca739c7de7cacf5a10bd5147d08
                                                                                  • Instruction ID: fe097a59b685d4e5d9318d8e30d29ff4f51fb3a40ae2818e385f0ac6ec7da7cc
                                                                                  • Opcode Fuzzy Hash: dc1726083e522558a3ddddef48ff67493777cca739c7de7cacf5a10bd5147d08
                                                                                  • Instruction Fuzzy Hash: EA116D71505380AFD721CF65DC85B56BFE8EF16220F0984AAE949CF662D264E808CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C93206 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • SetProcessWorkingSetSize.KERNEL32(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 04C9325F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ProcessSizeWorking
                                                                                  • String ID:
                                                                                  • API String ID: 3584180929-0
                                                                                  • Opcode ID: 69611013fb254568d5955f9172f21237216a47f5452d9c51a44f080ef41ea2a0
                                                                                  • Instruction ID: 89dac992def238caeb03eda3246002ff3dea2e8df5e852bc73a57ac20809eddf
                                                                                  • Opcode Fuzzy Hash: 69611013fb254568d5955f9172f21237216a47f5452d9c51a44f080ef41ea2a0
                                                                                  • Instruction Fuzzy Hash: 5F11C471600640AFEB20CF55DC89BAAF7E8EF44324F18846AED05CB652D774E909CAB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C93122 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • GetProcessWorkingSetSize.KERNEL32(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 04C9317B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ProcessSizeWorking
                                                                                  • String ID:
                                                                                  • API String ID: 3584180929-0
                                                                                  • Opcode ID: 69611013fb254568d5955f9172f21237216a47f5452d9c51a44f080ef41ea2a0
                                                                                  • Instruction ID: 28358dde1c088dcd135525d9ae29d6ecc9c5aa00da240433be05b62d075d69fc
                                                                                  • Opcode Fuzzy Hash: 69611013fb254568d5955f9172f21237216a47f5452d9c51a44f080ef41ea2a0
                                                                                  • Instruction Fuzzy Hash: 43110475600240AFEB20CF15DC89BAAB7ECEF04320F18846AED059B661D370E908CAB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C903C0 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04C90432
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  • Opcode ID: 4281dfba287fb8c3cddef65d3a3872b39115f5e1d792f767cb90743e5edf5c24
                                                                                  • Instruction ID: 06956dbdf5b51639024ce814d5ca6696c45986d328f021ae387887462cbc0879
                                                                                  • Opcode Fuzzy Hash: 4281dfba287fb8c3cddef65d3a3872b39115f5e1d792f767cb90743e5edf5c24
                                                                                  • Instruction Fuzzy Hash: CA21C371449380AFCB228F51DC44A52FFF4EF06220F0988DAE9858B162C275A819CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C90032 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • GetExitCodeProcess.KERNELBASE(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 04C90088
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: CodeExitProcess
                                                                                  • String ID:
                                                                                  • API String ID: 3861947596-0
                                                                                  • Opcode ID: 139dded285be93a6fdd85d30fbb9f9d01bf78578e5dfa49ef3d1d0836a3e4c9e
                                                                                  • Instruction ID: 1d7ac7d215ebb2433e84ba5ce097deee7a8abf6ab4b71827b6b4906f30a64cd5
                                                                                  • Opcode Fuzzy Hash: 139dded285be93a6fdd85d30fbb9f9d01bf78578e5dfa49ef3d1d0836a3e4c9e
                                                                                  • Instruction Fuzzy Hash: CA11E771601200BFEB10CF16DC89BAAB7ECEF04324F18846AED05DB651D774A909CAB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8B0F2 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • ReadFile.KERNELBASE(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 00A8B151
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileRead
                                                                                  • String ID:
                                                                                  • API String ID: 2738559852-0
                                                                                  • Opcode ID: de9c185b1bc93370b1752fd9a97035799895af91b66b2029f3667dc08cc87f62
                                                                                  • Instruction ID: 60ea0dd7bc3a1929a8331c1a20a0beaa1d5d06b53b3ea091a7a04cf3f6fd1695
                                                                                  • Opcode Fuzzy Hash: de9c185b1bc93370b1752fd9a97035799895af91b66b2029f3667dc08cc87f62
                                                                                  • Instruction Fuzzy Hash: 8A11BF72500200AFEB219F51DC89FAAFBA8EF04324F14855AEA459FA51C375A509CBB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C92D6A Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • ioctlsocket.WS2_32(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 04C92DC3
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ioctlsocket
                                                                                  • String ID:
                                                                                  • API String ID: 3577187118-0
                                                                                  • Opcode ID: f6177065a3b7f8723d3f24c98e4327ac18f6948bc76b0b3f2fbe37b99f053e48
                                                                                  • Instruction ID: 4f2da794f00bff234cb01205dd14fed10e93b960d75b5b02f1e5e2f8d181b0b6
                                                                                  • Opcode Fuzzy Hash: f6177065a3b7f8723d3f24c98e4327ac18f6948bc76b0b3f2fbe37b99f053e48
                                                                                  • Instruction Fuzzy Hash: D211A772540200BFEB21CF55DC85BA6F7E8EF04314F18849AED459B651D374A509CAB5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C91682 Relevance: 1.6, APIs: 1, Instructions: 57COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • shutdown.WS2_32(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 04C916D8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: shutdown
                                                                                  • String ID:
                                                                                  • API String ID: 2510479042-0
                                                                                  • Opcode ID: 45b3b776a25f4b2365ea9617521689c151d4557c8a504f1f20c61d8ff146779c
                                                                                  • Instruction ID: 6edf4189fca7fd4342100943f0ad643943bcf516942aa5c71ac523dae6b5d8fa
                                                                                  • Opcode Fuzzy Hash: 45b3b776a25f4b2365ea9617521689c151d4557c8a504f1f20c61d8ff146779c
                                                                                  • Instruction Fuzzy Hash: CF11E975500200BFEB11CF16DC89BAAF7ECEF04324F18845AED449F651D774A909CAB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8AA81 Relevance: 1.6, APIs: 1, Instructions: 57comCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Initialize
                                                                                  • String ID:
                                                                                  • API String ID: 2538663250-0
                                                                                  • Opcode ID: ec3374ee17ac2f5707db85d7810b20261da0edec9964cfe17267da529b8db71e
                                                                                  • Instruction ID: b6795adaa14d11d557a8c148bca16e7de33083e66ac26bd30c52ef57bd347f0b
                                                                                  • Opcode Fuzzy Hash: ec3374ee17ac2f5707db85d7810b20261da0edec9964cfe17267da529b8db71e
                                                                                  • Instruction Fuzzy Hash: 331182714493C06FDB128B25DC55B92BFB4EF07220F0984DBDD848F163C275A948CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C91EA6 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNELBASE(?,00000E24), ref: 04C91F0F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  • Opcode ID: bf710b003e8612073223543ff4d09711d909deeb43027002bc2a639164dd8914
                                                                                  • Instruction ID: e4c7f4c59c9aacffb2d45aacae2b54e2e18cb669e4577e9e3ad0a0a8226e0b20
                                                                                  • Opcode Fuzzy Hash: bf710b003e8612073223543ff4d09711d909deeb43027002bc2a639164dd8914
                                                                                  • Instruction Fuzzy Hash: 8511E971600204BEFB208F16DC85BA6F7E8DF04724F18809AED044B781D7B4B909CA75
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8A2D2 Relevance: 1.6, APIs: 1, Instructions: 56COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • SetErrorMode.KERNELBASE(?), ref: 00A8A330
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorMode
                                                                                  • String ID:
                                                                                  • API String ID: 2340568224-0
                                                                                  • Opcode ID: a6682503e972564e9bf62df71c9d59125134a7583221db5050b68eca9ce892e2
                                                                                  • Instruction ID: 6fe7bcbcba4bacb4f35eafd7d31017598c771e1b72e3e863c488bc2e14e0e3b9
                                                                                  • Opcode Fuzzy Hash: a6682503e972564e9bf62df71c9d59125134a7583221db5050b68eca9ce892e2
                                                                                  • Instruction Fuzzy Hash: 4B118F754093C06FEB228B15DC54A62BFB8DF57220F0D80DBED848F263D2656908D772
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C92E46 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: select
                                                                                  • String ID:
                                                                                  • API String ID: 1274211008-0
                                                                                  • Opcode ID: 9fe7c84c4d5205fef43ff4160f3fec1d71645be1ab2748b5a274a55cd8f9684b
                                                                                  • Instruction ID: b1516b47955d98fa419349b250c7186a4bd6acf4a329bdff915c812081454123
                                                                                  • Opcode Fuzzy Hash: 9fe7c84c4d5205fef43ff4160f3fec1d71645be1ab2748b5a274a55cd8f9684b
                                                                                  • Instruction Fuzzy Hash: B6112B75600205AFDB20CF55D888B56F7E8EF04611F0888AADD898B661D371E949CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8A078 Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: send
                                                                                  • String ID:
                                                                                  • API String ID: 2809346765-0
                                                                                  • Opcode ID: a958a68c4fc57be30f6613edde2ede9ad720468515a3fb39a5b39147c5ecd476
                                                                                  • Instruction ID: e832730d2c1cf361c54e07eab5d32910f072ddd87f58d39469ef8b0c8b8c02f3
                                                                                  • Opcode Fuzzy Hash: a958a68c4fc57be30f6613edde2ede9ad720468515a3fb39a5b39147c5ecd476
                                                                                  • Instruction Fuzzy Hash: 2E11BF71449380AFDB22CF11DC44B52FFB4EF16220F09849AED848B562C275A808CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8BC22 Relevance: 1.6, APIs: 1, Instructions: 53COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00A8BC6A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: LookupPrivilegeValue
                                                                                  • String ID:
                                                                                  • API String ID: 3899507212-0
                                                                                  • Opcode ID: 5edc22847cbcbd302e17cb2c8df32442c7f9aec91530cc619aa48ec83c688487
                                                                                  • Instruction ID: 9c0f56b1d3fc0ac50c74dfe83f4cde4c559ab2e7ce871249c832cc5221708c15
                                                                                  • Opcode Fuzzy Hash: 5edc22847cbcbd302e17cb2c8df32442c7f9aec91530cc619aa48ec83c688487
                                                                                  • Instruction Fuzzy Hash: 8B113CF5A102019FDB60DF25D885B56BBE8EB18320F0884AADD49CB651DB75E808CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8B352 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • CopyFileW.KERNELBASE(?,?,?), ref: 00A8B39A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: CopyFile
                                                                                  • String ID:
                                                                                  • API String ID: 1304948518-0
                                                                                  • Opcode ID: 5edc22847cbcbd302e17cb2c8df32442c7f9aec91530cc619aa48ec83c688487
                                                                                  • Instruction ID: 31ba98ecbb9670c1ecd9a6394d6e290e71f48a01fe1a5de5bbebcd9213ef3a76
                                                                                  • Opcode Fuzzy Hash: 5edc22847cbcbd302e17cb2c8df32442c7f9aec91530cc619aa48ec83c688487
                                                                                  • Instruction Fuzzy Hash: 4B115BB66102409FDB60DF29D885B56FBE8EF14320F0884AADD49CFA52D775E808CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8B48C Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseFind
                                                                                  • String ID:
                                                                                  • API String ID: 1863332320-0
                                                                                  • Opcode ID: c6309bd31467c01a4e6ba3d31b6503ef0cbd3b326ccc068f09cf3c27d8add8d7
                                                                                  • Instruction ID: e7f9dbafecbf0cde3795aaf673362241987ae89cd2538a31643947f696cba7e9
                                                                                  • Opcode Fuzzy Hash: c6309bd31467c01a4e6ba3d31b6503ef0cbd3b326ccc068f09cf3c27d8add8d7
                                                                                  • Instruction Fuzzy Hash: 4C11E575509380AFDB128F15DC94B52FFB4DF06220F0880DAED858B262D265A908CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8AD72 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • GetFileType.KERNELBASE(?,00000E24,251316B8,00000000,00000000,00000000,00000000), ref: 00A8ADC5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileType
                                                                                  • String ID:
                                                                                  • API String ID: 3081899298-0
                                                                                  • Opcode ID: bdfbb07a5260ad15c224d1114ead9bd753cbcc67bfef2e967739a61a2019a40f
                                                                                  • Instruction ID: 849eddba695a6a9ba8d67ca51477cce148fd8a29ea5728f940c5453df2feb735
                                                                                  • Opcode Fuzzy Hash: bdfbb07a5260ad15c224d1114ead9bd753cbcc67bfef2e967739a61a2019a40f
                                                                                  • Instruction Fuzzy Hash: 5901D675540200AFE720DB16DC85BA6F7ACEF14725F14C09AED048BB52D374E949CBB6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8A9E4 Relevance: 1.6, APIs: 1, Instructions: 51COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • WaitForInputIdle.USER32(?,?), ref: 00A8AA3B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: IdleInputWait
                                                                                  • String ID:
                                                                                  • API String ID: 2200289081-0
                                                                                  • Opcode ID: 99567102bafd062d1537913c4735ff6dada664e76d1052296a28b1897c53051c
                                                                                  • Instruction ID: 2e6eb9a787fef90430f48dc7740d3479a915f8f35322e6cc38f290b324530d86
                                                                                  • Opcode Fuzzy Hash: 99567102bafd062d1537913c4735ff6dada664e76d1052296a28b1897c53051c
                                                                                  • Instruction Fuzzy Hash: 8C11E371408380AFDB118F11CC84B52FFE4EF06320F0984DADD858F262D275A809CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C90282 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • K32EnumProcesses.KERNEL32(?,?,?,251316B8,00000000,?,?,?,?,?,?,?,?,6CDF3C58), ref: 04C902C2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: EnumProcesses
                                                                                  • String ID:
                                                                                  • API String ID: 84517404-0
                                                                                  • Opcode ID: 2add0b70a29b37fa4f4e440ce3a94877bfd6cb18bac37815cff8fa5ae5dd7a05
                                                                                  • Instruction ID: 11a962a64fcae7471a3ac2dac77e529a35736b44c245465d84b3af72e739531d
                                                                                  • Opcode Fuzzy Hash: 2add0b70a29b37fa4f4e440ce3a94877bfd6cb18bac37815cff8fa5ae5dd7a05
                                                                                  • Instruction Fuzzy Hash: EA11AD71600600AFDB10CF66D888B66FBE8EF04220F08C4AADD49CB651D371E908CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C91B1E Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 04C91B6A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Connect
                                                                                  • String ID:
                                                                                  • API String ID: 3144859779-0
                                                                                  • Opcode ID: 1b56b27a5dbc39703fa3a8e970ca9a197af01fab72571dbf66bcbdd4d0d3933f
                                                                                  • Instruction ID: fd982467bcd9f3dcccd23026b5cf0dd62b9ec14299d76e0515d309c556a4f62e
                                                                                  • Opcode Fuzzy Hash: 1b56b27a5dbc39703fa3a8e970ca9a197af01fab72571dbf66bcbdd4d0d3933f
                                                                                  • Instruction Fuzzy Hash: 6D1170B5500600AFEB20CF55D885B62FBE5FF04320F0C85AADD458B621E771E919DB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8B1D6 Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • SetFileAttributesW.KERNELBASE(?,?), ref: 00A8B213
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: AttributesFile
                                                                                  • String ID:
                                                                                  • API String ID: 3188754299-0
                                                                                  • Opcode ID: af1d0dd67e99dd19ad38b0be34889a9caa8a4d17e71684e19c2d30047489fcbb
                                                                                  • Instruction ID: 662ca91dd4554ee958479e84f0e00f4133ee51d2105a088de9e8c79919a0db0b
                                                                                  • Opcode Fuzzy Hash: af1d0dd67e99dd19ad38b0be34889a9caa8a4d17e71684e19c2d30047489fcbb
                                                                                  • Instruction Fuzzy Hash: E10180719002009FDB50DF15D8857AAFBE8EF14320F08C4AADD49CB655E775E809CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C91C1A Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • GetVolumeInformationA.KERNELBASE(?,00000E24,?,?), ref: 04C91C6A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: InformationVolume
                                                                                  • String ID:
                                                                                  • API String ID: 2039140958-0
                                                                                  • Opcode ID: a691b688c996825a45b98dbad353775c4ca8885481ed82390b9d2af132351282
                                                                                  • Instruction ID: 8450629cbc05a06507a162d34f4b1b5e3bc8b7e3475b840a5e115b1cc3aba8e4
                                                                                  • Opcode Fuzzy Hash: a691b688c996825a45b98dbad353775c4ca8885481ed82390b9d2af132351282
                                                                                  • Instruction Fuzzy Hash: 8901B171540200AFD310DF16CC86B66FBE8FB88A20F14812AED089BB41D731B915CBE1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C903EE Relevance: 1.5, APIs: 1, Instructions: 45COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04C90432
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  • Opcode ID: 075b40c4dc78d9557f8e88e75991d641787ee72f265328d9b6a366db95fb1fc5
                                                                                  • Instruction ID: 21fad092e8648ae55e2f3b11906ee8c0d20656dadbfeff50437ebba638b0e09a
                                                                                  • Opcode Fuzzy Hash: 075b40c4dc78d9557f8e88e75991d641787ee72f265328d9b6a366db95fb1fc5
                                                                                  • Instruction Fuzzy Hash: 50018E71500640EFDF208F56D884B52FBE5EF08210F08C59AED494A662D375E419DB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 04C90D66 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 04C90DB6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510203934.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_4c90000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: f354b8a4588890a845555c59a3b4aa6a7a3df38811db28beabc4ae42359ed547
                                                                                  • Instruction ID: f4c03a23b3e5c61060fa24829dcb66c9f4c43706f6f4c492b91607e41f7b734b
                                                                                  • Opcode Fuzzy Hash: f354b8a4588890a845555c59a3b4aa6a7a3df38811db28beabc4ae42359ed547
                                                                                  • Instruction Fuzzy Hash: 7701A271540600ABD310DF16CC86B66FBF8FB88A20F14811AED089BB41D771F915CBE5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8BE72 Relevance: 1.5, APIs: 1, Instructions: 43COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 00A8BEA4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ChangeCloseFindNotification
                                                                                  • String ID:
                                                                                  • API String ID: 2591292051-0
                                                                                  • Opcode ID: 810949b5d7c6df788e729f795e5513dd234482681ee7a2ec038015ce02023561
                                                                                  • Instruction ID: 41b0a6e7d5e3a67f99e96eb81420c4d1c8e39e86b64edf46d97425508a3a554f
                                                                                  • Opcode Fuzzy Hash: 810949b5d7c6df788e729f795e5513dd234482681ee7a2ec038015ce02023561
                                                                                  • Instruction Fuzzy Hash: 3B01DF755042009FDB10DF19D885796FBE4EF00320F08C0AADE498F652C375E808CBB2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 00A8A780
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ChangeCloseFindNotification
                                                                                  • String ID:
                                                                                  • API String ID: 2591292051-0
                                                                                  • Opcode ID: 51aa162401b270bd37b7b76ccb85ca999146054fd4d541a559e29c4af8907bf9
                                                                                  • Instruction ID: 8797aa60a63627307757490ada61715550aef8e24983a67478e18f8a30803021
                                                                                  • Opcode Fuzzy Hash: 51aa162401b270bd37b7b76ccb85ca999146054fd4d541a559e29c4af8907bf9
                                                                                  • Instruction Fuzzy Hash: D2018FB55002409FEB109F15D985766FBE4EF14320F08C4ABDD49CF752D279E809DBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8A09A Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: send
                                                                                  • String ID:
                                                                                  • API String ID: 2809346765-0
                                                                                  • Opcode ID: 9320233f8c7f3f389b9d3a6321cea624ec9609372d4acf3ac63dfbfb04623d58
                                                                                  • Instruction ID: 137d0f2eda632ead33b55bfa576159b6af8c964306e94201d7eff00df63848df
                                                                                  • Opcode Fuzzy Hash: 9320233f8c7f3f389b9d3a6321cea624ec9609372d4acf3ac63dfbfb04623d58
                                                                                  • Instruction Fuzzy Hash: 85019A719002409FEB20DF55D884B66FBE4EF24320F08C5AADE498B662D375E408DBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8AA06 Relevance: 1.5, APIs: 1, Instructions: 40COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • WaitForInputIdle.USER32(?,?), ref: 00A8AA3B
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: IdleInputWait
                                                                                  • String ID:
                                                                                  • API String ID: 2200289081-0
                                                                                  • Opcode ID: 88a3572b3f2d5c1071b82db0d34598019b5ec6a7f6f4c62546668a8a795f316a
                                                                                  • Instruction ID: e54b745bad8ee761128e22e76181f871b27e91271be339603c3794f99a13528a
                                                                                  • Opcode Fuzzy Hash: 88a3572b3f2d5c1071b82db0d34598019b5ec6a7f6f4c62546668a8a795f316a
                                                                                  • Instruction Fuzzy Hash: ED018BB18002409FEB10DF55D985B66FBE4EF14320F08C8AADD498F652D275E909CBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8B4AE Relevance: 1.5, APIs: 1, Instructions: 39COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseFind
                                                                                  • String ID:
                                                                                  • API String ID: 1863332320-0
                                                                                  • Opcode ID: 91053c3edeb87bb96dc4aeca1445965b40d024112b7815e5be7e9d9a3d3faeaf
                                                                                  • Instruction ID: ac88e1732fb1bd3b6de8bc53f3fc1fc40b970a3e3bd4605ff2ecdf860a212a2d
                                                                                  • Opcode Fuzzy Hash: 91053c3edeb87bb96dc4aeca1445965b40d024112b7815e5be7e9d9a3d3faeaf
                                                                                  • Instruction Fuzzy Hash: 6001A4755002409FDB209F15D985766FBE4EF05320F08C0AADD4A8B762D375E849CFB2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8AAAE Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Initialize
                                                                                  • String ID:
                                                                                  • API String ID: 2538663250-0
                                                                                  • Opcode ID: 56b2ee4598584f2a52926116e146f4c8ec9c5c49622d40b24a59d790e402e2e6
                                                                                  • Instruction ID: fe53054c428bd9deb4b5eb8d2f87977f5e350d1161f025ecc7be85a7e92added
                                                                                  • Opcode Fuzzy Hash: 56b2ee4598584f2a52926116e146f4c8ec9c5c49622d40b24a59d790e402e2e6
                                                                                  • Instruction Fuzzy Hash: FC01AD719002409FEB10DF15D989766FBE4EF14320F08C4ABDD488F652D379A848CBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8B572 Relevance: 1.5, APIs: 1, Instructions: 38COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • GetLogicalDrives.KERNELBASE ref: 00A8B5A1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: DrivesLogical
                                                                                  • String ID:
                                                                                  • API String ID: 999431828-0
                                                                                  • Opcode ID: 0943ea890ebf760138ab549552a67b2fad27cdf1e94243817ee695c9846082a1
                                                                                  • Instruction ID: 172c30ac4a4239fc00f838d5f037396b37ce857d36d1f2a783e3fc266bea5302
                                                                                  • Opcode Fuzzy Hash: 0943ea890ebf760138ab549552a67b2fad27cdf1e94243817ee695c9846082a1
                                                                                  • Instruction Fuzzy Hash: 2001A9B18042409FDB10DF16D885766BBA4EF04320F08C4AADD0A8F256D3B9E808CBB2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A8A2FE Relevance: 1.5, APIs: 1, Instructions: 35COMMON
                                                                                  Download Yara Rule
                                                                                  APIs
                                                                                  • SetErrorMode.KERNELBASE(?), ref: 00A8A330
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507131461.0000000000A8A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a8a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ErrorMode
                                                                                  • String ID:
                                                                                  • API String ID: 2340568224-0
                                                                                  • Opcode ID: 2b4d065476a5a7790fd4b63de16a659c154da53fc55afb989664c029a3b4f471
                                                                                  • Instruction ID: f8ade8824422783ffa1d78f91807625424da2a3575952da67ca7a2c8d6147163
                                                                                  • Opcode Fuzzy Hash: 2b4d065476a5a7790fd4b63de16a659c154da53fc55afb989664c029a3b4f471
                                                                                  • Instruction Fuzzy Hash: 09F0AF79904640DFEB109F09D889765FBE4EF14321F08C09ADD494F752D3B5E808CBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01061200 Relevance: 1.5, Strings: 1, Instructions: 283COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 2Ll
                                                                                  • API String ID: 0-343416306
                                                                                  • Opcode ID: 1261e6b0d3f4eb99e31f1f78ebc1e5f6984fbd046b54094ac6a0ba02de55d21e
                                                                                  • Instruction ID: ef56e9711d7d31abf1249b8db1bb68f12f529e0a9435c80f1882cff4492d4865
                                                                                  • Opcode Fuzzy Hash: 1261e6b0d3f4eb99e31f1f78ebc1e5f6984fbd046b54094ac6a0ba02de55d21e
                                                                                  • Instruction Fuzzy Hash: D2A1FE30701201CBD724EB39C9457AD76EABBC4318F188668E952DB7E6DF78D805CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 010624E5 Relevance: 1.5, Strings: 1, Instructions: 228COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: :@%l
                                                                                  • API String ID: 0-1656731533
                                                                                  • Opcode ID: d7b1fc0f225a27664aa435fdeb47bbc7485b26e8e0f293f809178fb3615b1dd0
                                                                                  • Instruction ID: 2620e95a26d04de37a6f7e8ffb1bd35ec20a15100b022f2435ed4f5d2f66e048
                                                                                  • Opcode Fuzzy Hash: d7b1fc0f225a27664aa435fdeb47bbc7485b26e8e0f293f809178fb3615b1dd0
                                                                                  • Instruction Fuzzy Hash: 7C914E34B05204DFDB09EF74E550A9D77B6BF88208B118439E4569BBE9DF399805CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01062535 Relevance: 1.5, Strings: 1, Instructions: 217COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: :@%l
                                                                                  • API String ID: 0-1656731533
                                                                                  • Opcode ID: 160873b0f56297608e22a6a70085237990b25afd0784df4461557c06d56e7fe6
                                                                                  • Instruction ID: 787f10083c8b49f3fb51fae15f17433f1798f1d63961c690c0d15ec67da14a2f
                                                                                  • Opcode Fuzzy Hash: 160873b0f56297608e22a6a70085237990b25afd0784df4461557c06d56e7fe6
                                                                                  • Instruction Fuzzy Hash: 8C814D34B05204DFDB09EF74E550A9D77B6BF88208B118439E8559BBEADF399805CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01062577 Relevance: 1.5, Strings: 1, Instructions: 210COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: :@%l
                                                                                  • API String ID: 0-1656731533
                                                                                  • Opcode ID: 3f95d6173a7faa8486876a97d6550d32ff447a7db970eee42f4bf315ab14987c
                                                                                  • Instruction ID: a3bb67598aad878db9c5fc83b6fd024050df35e44b0097825e1e0b70c62b4043
                                                                                  • Opcode Fuzzy Hash: 3f95d6173a7faa8486876a97d6550d32ff447a7db970eee42f4bf315ab14987c
                                                                                  • Instruction Fuzzy Hash: 97814B34B05204DFDB09EF74E550AAD77B6BB88208B118439E8559BBEADF399805CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01060B03 Relevance: 1.4, Strings: 1, Instructions: 194COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: :@%l
                                                                                  • API String ID: 0-1656731533
                                                                                  • Opcode ID: 25275eaee03ad87f0af4fbfd417eaa58c0277d6b52344d604dc959536e780735
                                                                                  • Instruction ID: 4978d0e4207f7cb0a4160b436a5f7dac12784f30de974fce8dfcf5f1aa5612b5
                                                                                  • Opcode Fuzzy Hash: 25275eaee03ad87f0af4fbfd417eaa58c0277d6b52344d604dc959536e780735
                                                                                  • Instruction Fuzzy Hash: CE719C347002008FEB19EB78D550BAD77A7BB8920CB114169E446DBBEADF39EC45CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 010625EB Relevance: 1.4, Strings: 1, Instructions: 189COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: :@%l
                                                                                  • API String ID: 0-1656731533
                                                                                  • Opcode ID: b64c5e57c4e2b55fed222099955a982d38476fec68e99c7eccda3b2c40cc001a
                                                                                  • Instruction ID: a08a4f0c00430fe56ba5182634faac85d9c281f80e02287d4429807e118edbbb
                                                                                  • Opcode Fuzzy Hash: b64c5e57c4e2b55fed222099955a982d38476fec68e99c7eccda3b2c40cc001a
                                                                                  • Instruction Fuzzy Hash: 45713B34B05204DFDB09EF74E551AAD77A6BB88208B118439E8559BBEACF39D805CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 010626CD Relevance: 1.4, Strings: 1, Instructions: 142COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: :@%l
                                                                                  • API String ID: 0-1656731533
                                                                                  • Opcode ID: 393f1b07a193b14de7879fe961e44438706d693e9a30a6f1e46778be53baaf59
                                                                                  • Instruction ID: 4ebd0ee780e65c0317fb1e5d724e3d412e03243696c9dbc949f1c9fe4961f7f6
                                                                                  • Opcode Fuzzy Hash: 393f1b07a193b14de7879fe961e44438706d693e9a30a6f1e46778be53baaf59
                                                                                  • Instruction Fuzzy Hash: 0B517134B042049FDB09EF74E551AAD73A6BF88348F118439E85197BE9CF38D805CBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 010627E8 Relevance: 1.3, Strings: 1, Instructions: 89COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: :@%l
                                                                                  • API String ID: 0-1656731533
                                                                                  • Opcode ID: 3346b7652c88cfc15e9c890384792dd052f95f70920388169dcccc8fc69a17dd
                                                                                  • Instruction ID: 291d050a50a3bfbc020bfe6c19cd6d7f47982b00db45933044388c4a8fd7a66f
                                                                                  • Opcode Fuzzy Hash: 3346b7652c88cfc15e9c890384792dd052f95f70920388169dcccc8fc69a17dd
                                                                                  • Instruction Fuzzy Hash: 96317234B001159FDB05BF74E4116ADB7A6FB8824CF11803AD40597BE9CF399D06CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01063118 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: L.Ll
                                                                                  • API String ID: 0-3667754505
                                                                                  • Opcode ID: f193fa2788a957db80d5ef7e264b1a8441f65c1ebd279d58ecc03810005f2e13
                                                                                  • Instruction ID: 8fafd5333ef65df52b1dc9ef99de75b86953782b0b993c422030cb08f40b8eeb
                                                                                  • Opcode Fuzzy Hash: f193fa2788a957db80d5ef7e264b1a8441f65c1ebd279d58ecc03810005f2e13
                                                                                  • Instruction Fuzzy Hash: 18116331B041049BDB14EB79C951BFEBBF6AB89310F108469E505AB381EE349C0087A5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01060E55 Relevance: 1.3, Strings: 1, Instructions: 63COMMON
                                                                                  Download Yara Rule
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: \OLl
                                                                                  • API String ID: 0-3281094785
                                                                                  • Opcode ID: 7a3150d403b89fe8ea660e658de0276342a1c4258e0c9f14b27b6f229ce4e218
                                                                                  • Instruction ID: 279077f2fac3cbac47cf021001b730cfd133113c2503a997f9c23ef51256c8c4
                                                                                  • Opcode Fuzzy Hash: 7a3150d403b89fe8ea660e658de0276342a1c4258e0c9f14b27b6f229ce4e218
                                                                                  • Instruction Fuzzy Hash: 45211D35B110149FDB04EBB8D594DEDB3F2BF88258B108179E406AB7A9DF71AC05CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01062E49 Relevance: .2, Instructions: 219COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e119c1d19f66e3b57ccc2281218a83cd0d66475a7e3a5ed4b893782e4956cddd
                                                                                  • Instruction ID: ec8949c7b8b9519d197a61c96bd43edfb3f1bd1489b322dcb8db3e51a2ceaabc
                                                                                  • Opcode Fuzzy Hash: e119c1d19f66e3b57ccc2281218a83cd0d66475a7e3a5ed4b893782e4956cddd
                                                                                  • Instruction Fuzzy Hash: E661D332E001108BEB79673CC4683EDB6E9AB49344F1904B9DD95AB6E0DB398CC5C7D2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01060014 Relevance: .2, Instructions: 177COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ea524b62aa2ca1acd7a40e5a0fe221daaa2035d6f4db0bd791e0ab7fb698e502
                                                                                  • Instruction ID: 62145b4727120d5794742c2508c120b21f9eb4d55e02f00babc70e02a2f3b2e3
                                                                                  • Opcode Fuzzy Hash: ea524b62aa2ca1acd7a40e5a0fe221daaa2035d6f4db0bd791e0ab7fb698e502
                                                                                  • Instruction Fuzzy Hash: 547156301197828FD705EB39E9559897BF2BF9220C705856AD0448FAFBDB3C5D0ACBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 010605C5 Relevance: .2, Instructions: 177COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d26866a261000bebdbb92ad9bbe747dd95f7fd99eb92ae99d74c4eefb4224ab0
                                                                                  • Instruction ID: 02413a833a53106c87090b51bc2a1b88dd42a05fc92e8ac8c4f2c856ceec0583
                                                                                  • Opcode Fuzzy Hash: d26866a261000bebdbb92ad9bbe747dd95f7fd99eb92ae99d74c4eefb4224ab0
                                                                                  • Instruction Fuzzy Hash: B2617935B00201CFDB05EB38D550A6D77E6BB8920CB2544A9E841DBBEADF39EC46DB50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 010611D0 Relevance: .2, Instructions: 157COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 08f873ca54013743a397c3a72d86c8099f1ae120a24dc29ff1e2db095f0b0031
                                                                                  • Instruction ID: 28360da8dda264d0f9f9c938f7306d0802770c51e5d02901ba8440f8d4abb719
                                                                                  • Opcode Fuzzy Hash: 08f873ca54013743a397c3a72d86c8099f1ae120a24dc29ff1e2db095f0b0031
                                                                                  • Instruction Fuzzy Hash: 0D512430604242CFEB11DF3AD9417AA7BEAAF85318F1841A9D482DB2E2DF39C945C721
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01060BA8 Relevance: .2, Instructions: 153COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 38c27f88f0d933e031e186ac13b073a66c2ac42f4cbcfccac61c634f9157278c
                                                                                  • Instruction ID: 76472cc9953cb2f448681fcb97c88cacf275b70f3b3159962427aa19eb71cb25
                                                                                  • Opcode Fuzzy Hash: 38c27f88f0d933e031e186ac13b073a66c2ac42f4cbcfccac61c634f9157278c
                                                                                  • Instruction Fuzzy Hash: CF519C35700200CFDB15EB78E550B6D77A6BB8920CB104078E446DBBEADF3AE845CB51
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01060634 Relevance: .1, Instructions: 145COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5542a0789c8c760996dfbcd9a48b726048ee1a9e465a98e1ed2ab44a4cf44f57
                                                                                  • Instruction ID: eb17f1997aa3d4dc7bf7f324e0592984a50d7c71e13318d313a9561e0a168d9d
                                                                                  • Opcode Fuzzy Hash: 5542a0789c8c760996dfbcd9a48b726048ee1a9e465a98e1ed2ab44a4cf44f57
                                                                                  • Instruction Fuzzy Hash: 56510935B00201CFDB15EB38E550A6D77A7BB8920C7154469E801DBBEADF39EC46DB90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 010615D0 Relevance: .1, Instructions: 133COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 011f37d9778b0169d9e254f825c5dac95eeeeceaf365540ba8c63d1e629d2eaf
                                                                                  • Instruction ID: 9650993e22e93ac703d8e910c8ded1a2c7ecf7f3f7ff0ef1a0c494b8eb8b82e1
                                                                                  • Opcode Fuzzy Hash: 011f37d9778b0169d9e254f825c5dac95eeeeceaf365540ba8c63d1e629d2eaf
                                                                                  • Instruction Fuzzy Hash: 1041D430604212CBEB15DF3AD9413AD76EABFC5318F1882A8D452DB6E2DF39C945CB20
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01060C22 Relevance: .1, Instructions: 125COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5aaf171833f146179ebaf1741fa38d8def3509fe8eceb86c408f4db3fd00d8f4
                                                                                  • Instruction ID: 22175ea78d4ced231fc7958c201f27762de7941e22da4de1385734a2465ea132
                                                                                  • Opcode Fuzzy Hash: 5aaf171833f146179ebaf1741fa38d8def3509fe8eceb86c408f4db3fd00d8f4
                                                                                  • Instruction Fuzzy Hash: 7541B0357002008FEB14EB78E551BAD77E6AB8920CB104078E445DBBEADF39E845CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01061BF0 Relevance: .1, Instructions: 115COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 44cb00d58f709997f21cc709d5ef97794d6802296e1da680115be08badbe5f67
                                                                                  • Instruction ID: c2febf75f06ecf168855d428f23a10a597198017fbb4bca0330aed88dea1f66a
                                                                                  • Opcode Fuzzy Hash: 44cb00d58f709997f21cc709d5ef97794d6802296e1da680115be08badbe5f67
                                                                                  • Instruction Fuzzy Hash: 2F41B531B002058FDB04EF79D8956ADB7E6BF88218B148479D945CB39ADF38CD46CBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01061BE0 Relevance: .1, Instructions: 111COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 13ec705dd0a972a7b2a505367c6c5b8c35d6e95f9f670095b374cd82ecb40094
                                                                                  • Instruction ID: dfef6a62d357fc86887c50bb47f36e755a6ae2e001925f3d2877b070bb463f91
                                                                                  • Opcode Fuzzy Hash: 13ec705dd0a972a7b2a505367c6c5b8c35d6e95f9f670095b374cd82ecb40094
                                                                                  • Instruction Fuzzy Hash: 6B4186317011118FDB04EF78C8956AE77E6BF88208B588479D945DB39AEF34DD46CBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01062C98 Relevance: .1, Instructions: 107COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: dd6c9a57579bac6f257c3a93663b6311ad89feaa3629e180cf5eab3bba363621
                                                                                  • Instruction ID: badea562dbfb6f8b029fa9552dcd1b9030cda0a0963204795354fa8e73d43c46
                                                                                  • Opcode Fuzzy Hash: dd6c9a57579bac6f257c3a93663b6311ad89feaa3629e180cf5eab3bba363621
                                                                                  • Instruction Fuzzy Hash: D331CE30B002059FDB14DB79D854BEEBBFAAF88214F244079E505EB3A1CF709805CB90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01060C8D Relevance: .1, Instructions: 100COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 10aa673ee249c2b96d928098380e1cdbfc2fd05c5b9cb222603838ae4f8dc2da
                                                                                  • Instruction ID: f3ea73a7061993e1c59b0e81c5135e68e225cd7654150677fd493bb5d21b2f3a
                                                                                  • Opcode Fuzzy Hash: 10aa673ee249c2b96d928098380e1cdbfc2fd05c5b9cb222603838ae4f8dc2da
                                                                                  • Instruction Fuzzy Hash: D031E130B001108FEB14EB78E951BAD37E6AB8920CF104178E059DBBEADF39D805DB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01070DD3 Relevance: .1, Instructions: 61COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507749059.0000000001070000.00000040.00000020.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1070000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 14298cde52035795b5d2f4433aa202e9c9e13967c0d8768bc357381a3cc959f0
                                                                                  • Instruction ID: 697d7ef304f1560de1361767a95adc88577fb36dadc458c7970bae4300302951
                                                                                  • Opcode Fuzzy Hash: 14298cde52035795b5d2f4433aa202e9c9e13967c0d8768bc357381a3cc959f0
                                                                                  • Instruction Fuzzy Hash: 54219D755093C09FD713CB14C850B51BFB1AF47718F198ADEE4888B6A3C33A9846CB92
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01060D40 Relevance: .1, Instructions: 61COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: aa0e062211ab9b1fa9bf27734131ea8a895dc0deafbb15000c7985dd9b6cd54a
                                                                                  • Instruction ID: b87642567811af1413287707c6d6b96b06e5543d65e32ecc9c9056f476417749
                                                                                  • Opcode Fuzzy Hash: aa0e062211ab9b1fa9bf27734131ea8a895dc0deafbb15000c7985dd9b6cd54a
                                                                                  • Instruction Fuzzy Hash: 2511BE30B002108FEB14EB79E4516ADBBF6AB8921CB248579E055DB7D9EF39D441CB60
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01060773 Relevance: .1, Instructions: 61COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d31a1172b029cc91e79e8e0a22cedf31ee7c1e6ebdbcef7ca4e7be714b159d92
                                                                                  • Instruction ID: 278ef0ae9207710b5faecdecc2ff89cddc88e8f876f9df173f6cab573129da5e
                                                                                  • Opcode Fuzzy Hash: d31a1172b029cc91e79e8e0a22cedf31ee7c1e6ebdbcef7ca4e7be714b159d92
                                                                                  • Instruction Fuzzy Hash: BC211A35701201CFDB09EB38E150A6D73A7BB8920C7154469D806DBBEADF3AAC46DF81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 05492400 Relevance: .1, Instructions: 60COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510619394.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_5490000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2e68704f93d14871dfc383ce25a2398fb24bf08c64460d2b9872904a545b17a9
                                                                                  • Instruction ID: 01331b8975760d34c06da04b69c1438d57f2767859307ac60d51be30d7102be1
                                                                                  • Opcode Fuzzy Hash: 2e68704f93d14871dfc383ce25a2398fb24bf08c64460d2b9872904a545b17a9
                                                                                  • Instruction Fuzzy Hash: 3311BAB5948341AFD340CF19D881A5BFBE4FB88664F04896EF998D7311D231E9088FA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01070E0C Relevance: .1, Instructions: 59COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507749059.0000000001070000.00000040.00000020.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1070000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 59c4dab4b3c20c11395518d125b9614c1cf9ec22c18c424f4526f556c9736ebe
                                                                                  • Instruction ID: fe504c73a5d8dbd51caf0e48e33f58b06d508e34fc061397ea355dd984693acf
                                                                                  • Opcode Fuzzy Hash: 59c4dab4b3c20c11395518d125b9614c1cf9ec22c18c424f4526f556c9736ebe
                                                                                  • Instruction Fuzzy Hash: 2311E471608280DFD711CB14D540B26BBE5EB8A708F28CAACF5890B797C337D803CA55
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01062B08 Relevance: .1, Instructions: 57COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: abd4444b95a303d352132f11eee8b83d62cc999699c41456d73a1a95d5854538
                                                                                  • Instruction ID: 06ab32cb51f226b1ec51d3f4c71d796a702c329d51ae0f73a2b9408afbf18812
                                                                                  • Opcode Fuzzy Hash: abd4444b95a303d352132f11eee8b83d62cc999699c41456d73a1a95d5854538
                                                                                  • Instruction Fuzzy Hash: 67112632F042048AEB119EB89C003EE7AEADBC5324F45547AD644A73D0DA7D89058362
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01062BB0 Relevance: .1, Instructions: 57COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9d629d64bc2f092ebbcc4cd77f2ee92550478b20abe2e2fdc548046288074210
                                                                                  • Instruction ID: 214585be3a8a65bfa6eb2201808f64bf1283da41d88205045bb13656e26ba39f
                                                                                  • Opcode Fuzzy Hash: 9d629d64bc2f092ebbcc4cd77f2ee92550478b20abe2e2fdc548046288074210
                                                                                  • Instruction Fuzzy Hash: D1012632E000158BDB01B7B89D154EE7BF4EF4925470549A0E540EB295DF29DE05C7A0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01061D61 Relevance: .1, Instructions: 55COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b751b62e96cf6c133cb361fc49d9714bf7a61b42d89a5a3b49c6fec6d49ec31e
                                                                                  • Instruction ID: 3ed5dbff4ac8965447e2eeedb55ed70e768fe7a0355be5ccbb0ccb85c710ad6f
                                                                                  • Opcode Fuzzy Hash: b751b62e96cf6c133cb361fc49d9714bf7a61b42d89a5a3b49c6fec6d49ec31e
                                                                                  • Instruction Fuzzy Hash: 3C116172F012148FCB64EB7898805DEB7F6EF89258721417EC405E7795EB355E06CB90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 010629F9 Relevance: .1, Instructions: 54COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 800207accc477579cd4bed2ea38a0cba2234aaaa9374ca722c34636f5afed948
                                                                                  • Instruction ID: da840ad80cd628a12a73462d4e1e89e8bfb7561515f566dcc2f55339cdc1747a
                                                                                  • Opcode Fuzzy Hash: 800207accc477579cd4bed2ea38a0cba2234aaaa9374ca722c34636f5afed948
                                                                                  • Instruction Fuzzy Hash: 21110072E1110CAFDB04DFA9E8918DFBBF9EF88214F10853AE515E7254EA349A05CB90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00BAB5A0 Relevance: .1, Instructions: 52COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507223936.0000000000BAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAA000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_baa000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4ab0dfce46566390f8ed85089a5c2fb09586c8d5889e56b36ddfee7717b50fa4
                                                                                  • Instruction ID: 4b8ff015dbc9fe18a23105c8b1bee4cc501284ff2571890882fe58b6021dd296
                                                                                  • Opcode Fuzzy Hash: 4ab0dfce46566390f8ed85089a5c2fb09586c8d5889e56b36ddfee7717b50fa4
                                                                                  • Instruction Fuzzy Hash: F211A8B5948301AFD350CF09DC81E57FBE8EB98660F04896EF95997311D271E9098FA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01061D70 Relevance: .0, Instructions: 48COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 85f3452f8cfa0f3512f2e006fb0c4163905804d16753adc6147e22c9375181f7
                                                                                  • Instruction ID: d216a31107e09891dace2e1a8b0e16323174423fe4deff85a9ad584cb668999a
                                                                                  • Opcode Fuzzy Hash: 85f3452f8cfa0f3512f2e006fb0c4163905804d16753adc6147e22c9375181f7
                                                                                  • Instruction Fuzzy Hash: EF015E72F002158F8B54EB78D84059EB7FAEF89258721407EC409E7795EB359D05CBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 010705DF Relevance: .0, Instructions: 44COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507749059.0000000001070000.00000040.00000020.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1070000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ede980ad8557fcf48c9733774e5c4d280ea3d233a82eb8790c3f4f0eeb40ba27
                                                                                  • Instruction ID: ca2986d5ed51a1f03100cb85e51d4b89e4aa0fb82b49c2aad6e8dcaf29fa9bb1
                                                                                  • Opcode Fuzzy Hash: ede980ad8557fcf48c9733774e5c4d280ea3d233a82eb8790c3f4f0eeb40ba27
                                                                                  • Instruction Fuzzy Hash: 6601DB765097805FD7118F05DC41863FFB8EF85520709C09FEC4987612C235B908CBA6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01060889 Relevance: .0, Instructions: 42COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 69d9df9afa899d396024d6997504293a63848135f460a30f614b2cd53aabe676
                                                                                  • Instruction ID: e6118ca9fc5f6abc4008ee85893e61f6848543e7d0451ba8fb1b2317f4848478
                                                                                  • Opcode Fuzzy Hash: 69d9df9afa899d396024d6997504293a63848135f460a30f614b2cd53aabe676
                                                                                  • Instruction Fuzzy Hash: 920140706082428FC700FB74D55949DBBF5AF8130CB49C86DE895CB7A6EA7D8C0A8B52
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01060D98 Relevance: .0, Instructions: 42COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fd3c9732f3012467f6f7564220ad7dd93fb81e291d82b03bbd2817b64ce2addd
                                                                                  • Instruction ID: 5d07db7bf500d63269442a930a5a375444212f48c755f96255c01b93349ce4b3
                                                                                  • Opcode Fuzzy Hash: fd3c9732f3012467f6f7564220ad7dd93fb81e291d82b03bbd2817b64ce2addd
                                                                                  • Instruction Fuzzy Hash: 14015A74E01204CFDB18EFB9E0411ACB7F2BF49219B508469E0159B795DB39D441CF50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01061EB8 Relevance: .0, Instructions: 35COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ccd628d3a387ada34e59c30f91d0d65ba81bbcc9a6201ab61ed93cb6c57b63aa
                                                                                  • Instruction ID: b6f306a87c8f92392336dee8fd0d57f46e9b4dcb96e7075dd4e61bc98f1e23ba
                                                                                  • Opcode Fuzzy Hash: ccd628d3a387ada34e59c30f91d0d65ba81bbcc9a6201ab61ed93cb6c57b63aa
                                                                                  • Instruction Fuzzy Hash: 88F04F70E04258DECF11DFB889017DFBFF5AB89300F2040BAC148EB251EB3A4A018BA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01070EC8 Relevance: .0, Instructions: 31COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507749059.0000000001070000.00000040.00000020.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1070000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d8f64259f8cb5ed8e117f0788ec71aade31bd2426502afbbcd141e4d6d13a6b5
                                                                                  • Instruction ID: 58fda59e3823efa740b147b1d8f64ba4efc7d1a39363636c31534217d8408944
                                                                                  • Opcode Fuzzy Hash: d8f64259f8cb5ed8e117f0788ec71aade31bd2426502afbbcd141e4d6d13a6b5
                                                                                  • Instruction Fuzzy Hash: 92F0FB35508644DFC306CB04D540B16FBA2EB89718F24CAA9E98907756C337A812DA85
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01070606 Relevance: .0, Instructions: 27COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507749059.0000000001070000.00000040.00000020.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1070000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d074a58fb55cc3315eab931616507a7852096fdcd5f912712fd6c2600f24264f
                                                                                  • Instruction ID: c741f2edf7387be76b73d0315968732ac6aa252c779027e1a743cd7fc64ee3b7
                                                                                  • Opcode Fuzzy Hash: d074a58fb55cc3315eab931616507a7852096fdcd5f912712fd6c2600f24264f
                                                                                  • Instruction Fuzzy Hash: B6E092B66406005B9750CF0BEC82452F7E8EB88630718C07FDC0D8B701D275B508CAA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0549246B Relevance: .0, Instructions: 26COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510619394.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_5490000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 40d964ed2d3950d703b686816e3aedc8c5cdab43f8c35951b7d570d69bb32f87
                                                                                  • Instruction ID: a84593234d649f6eaf3bdf297a6694272f93a92050fa0116a6d3e5d43abb0030
                                                                                  • Opcode Fuzzy Hash: 40d964ed2d3950d703b686816e3aedc8c5cdab43f8c35951b7d570d69bb32f87
                                                                                  • Instruction Fuzzy Hash: 43E0D8F254120067D3109F069C46F53FB9CEB54931F08C567ED081B745D171B51489F5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 05491D17 Relevance: .0, Instructions: 26COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4510619394.0000000005490000.00000040.00000800.00020000.00000000.sdmp, Offset: 05490000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_5490000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f13c3c6c3773721105ca20a0bac7b56b27ba8c4c46b98b9ce3c7b06ff3e3aba4
                                                                                  • Instruction ID: 9c8a49c74ce539c42389d2536ecd4dc994115e027adb5cc425df55904620f0b5
                                                                                  • Opcode Fuzzy Hash: f13c3c6c3773721105ca20a0bac7b56b27ba8c4c46b98b9ce3c7b06ff3e3aba4
                                                                                  • Instruction Fuzzy Hash: 7EE0D8F254020067D3109F06AC46F53FB9CEB40930F08C567EE081B705D172B514C9F5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00BAB5EF Relevance: .0, Instructions: 26COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507223936.0000000000BAA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BAA000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_baa000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e254c5d2fe509a00b925ea859dac8fd7d2c4d50954b8008828c0d5b5fabfe82e
                                                                                  • Instruction ID: c4c923196ef057f8a6015ab5cd4c10064d5cbf2ae80ab8961913bec0d0abb3e1
                                                                                  • Opcode Fuzzy Hash: e254c5d2fe509a00b925ea859dac8fd7d2c4d50954b8008828c0d5b5fabfe82e
                                                                                  • Instruction Fuzzy Hash: E7E0D8F254020467D3109F069C46F53F79CEB50931F08C567EE081B711D171B504C9F5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A823F4 Relevance: .0, Instructions: 15COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507116991.0000000000A82000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A82000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a82000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 67aa53d710feaf628d5e00a37ac8dae6cc1e486606ed8bb99e587c5c5f9d11d7
                                                                                  • Instruction ID: e4c131e85e7ddf442dc4b5a7805c193108e5e5c5ea93911c72c9b2e09dd75fb0
                                                                                  • Opcode Fuzzy Hash: 67aa53d710feaf628d5e00a37ac8dae6cc1e486606ed8bb99e587c5c5f9d11d7
                                                                                  • Instruction Fuzzy Hash: E6D05E792456C14FD316AB1CC1A4BA637E4AB51714F4A44FEA840CB7A3C76CD981D710
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A823BC Relevance: .0, Instructions: 14COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507116991.0000000000A82000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A82000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_a82000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 76f4a195ddddfa11646916b8cfc31d6acacde4fb76b8ad3246810e8ccdf76326
                                                                                  • Instruction ID: bcc7ca6bb869a7b97762aac2a093620df0f19d260602afc429d57c7bd3272052
                                                                                  • Opcode Fuzzy Hash: 76f4a195ddddfa11646916b8cfc31d6acacde4fb76b8ad3246810e8ccdf76326
                                                                                  • Instruction Fuzzy Hash: 11D05E342002814BD716EB0CC2E4F6937E4AB40714F1644ECBC108F762C7A8D9C0DB00
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01062C59 Relevance: .0, Instructions: 14COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.4507729577.0000000001060000.00000040.00000800.00020000.00000000.sdmp, Offset: 01060000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_1060000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b740da65c000d33ca5b7cf5ae00701935927a86c6285e6d65079d1e0398043e2
                                                                                  • Instruction ID: 336facaf716dace09bc4d5b89f0dd27d3f8afa9519a3760e1b79b4562f9f38df
                                                                                  • Opcode Fuzzy Hash: b740da65c000d33ca5b7cf5ae00701935927a86c6285e6d65079d1e0398043e2
                                                                                  • Instruction Fuzzy Hash: 37D0A7B1D092489FC716C7B0AE550DD3B749A1210535501DED849A76A2E9344F4AC710
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Execution Graph

                                                                                  Execution Coverage:17.8%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:0%
                                                                                  Total number of Nodes:12
                                                                                  Total number of Limit Nodes:0
                                                                                  execution_graph 557 147a646 559 147a67e CreateMutexW 557->559 560 147a6c1 559->560 569 147a462 570 147a486 RegSetValueExW 569->570 572 147a507 570->572 577 147a612 579 147a646 CreateMutexW 577->579 580 147a6c1 579->580 573 147a361 574 147a392 RegQueryValueExW 573->574 576 147a41b 574->576

                                                                                  Callgraph

                                                                                  Executed Functions

                                                                                  Function 05330310 Relevance: 3.9, Strings: 3, Instructions: 193COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 0 5330310-5330334 2 5330336-5330338 0->2 3 533033e-5330346 0->3 2->3 4 5330348-533034d 3->4 5 533034e-533035c 3->5 7 5330362-5330391 5->7 8 533035e-5330360 5->8 10 5330393-53303ce 7->10 11 53303d8-5330418 7->11 8->7 10->11 18 533041a 11->18 19 533041f-5330434 11->19 18->19 21 5330436-5330460 19->21 22 533046b-5330523 19->22 21->22 41 5330570-5330587 22->41 42 5330525-5330569 22->42 43 5330880 41->43 44 533058d-53305bf 41->44 42->41 44->43
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2354133659.0000000005330000.00000040.00000800.00020000.00000000.sdmp, Offset: 05330000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_5330000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 2Ll$2Ll$2Ll
                                                                                  • API String ID: 0-342096312
                                                                                  • Opcode ID: 306590e8b502e0d60f5cbfe6bfe7edbb744500d7de03eda0153c50ac71307514
                                                                                  • Instruction ID: 6190474db3a5831fc9ae653eb70c0b03dfb1c74fd58c1d3bf1a7db522da90cea
                                                                                  • Opcode Fuzzy Hash: 306590e8b502e0d60f5cbfe6bfe7edbb744500d7de03eda0153c50ac71307514
                                                                                  • Instruction Fuzzy Hash: 935113307042019BD719EB7A9454ABE77E7BF86204B15406ED002CB7E4CF39CC8A8BA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 053303BD Relevance: 3.9, Strings: 3, Instructions: 135COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 55 53303bd-5330418 63 533041a 55->63 64 533041f-5330434 55->64 63->64 66 5330436-5330460 64->66 67 533046b-5330523 64->67 66->67 86 5330570-5330587 67->86 87 5330525-5330569 67->87 88 5330880 86->88 89 533058d-53305bf 86->89 87->86 89->88
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2354133659.0000000005330000.00000040.00000800.00020000.00000000.sdmp, Offset: 05330000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_5330000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 2Ll$2Ll$2Ll
                                                                                  • API String ID: 0-342096312
                                                                                  • Opcode ID: 0ce0af3466ee50610e76bf2dd91b116e7bb0b4545edbfaa519ea56b6ba4f428b
                                                                                  • Instruction ID: 64316fbc45593f47c9e53541d93c0d651bbae67196baad2af3924ea5f2b8e075
                                                                                  • Opcode Fuzzy Hash: 0ce0af3466ee50610e76bf2dd91b116e7bb0b4545edbfaa519ea56b6ba4f428b
                                                                                  • Instruction Fuzzy Hash: 6741C030B001128BDB19EB7A8054ABDB2D7AFD5549B05402ED002DBBE4DF78CD4A8BE2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0147A612 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 100 147a612-147a695 104 147a697 100->104 105 147a69a-147a6a3 100->105 104->105 106 147a6a5 105->106 107 147a6a8-147a6b1 105->107 106->107 108 147a6b3-147a6d7 CreateMutexW 107->108 109 147a702-147a707 107->109 112 147a709-147a70e 108->112 113 147a6d9-147a6ff 108->113 109->108 112->113
                                                                                  APIs
                                                                                  • CreateMutexW.KERNELBASE(?,?), ref: 0147A6B9
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2353664773.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_147a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateMutex
                                                                                  • String ID:
                                                                                  • API String ID: 1964310414-0
                                                                                  • Opcode ID: 424166e14cfdebf9a7eda50ad55d9fd20eb1634b0a9586279c5fb2ee62ed72e7
                                                                                  • Instruction ID: 0d106e8c580b82f097c7dd6efc1155a56f89126a5edc31b726cb3d56daf3d6df
                                                                                  • Opcode Fuzzy Hash: 424166e14cfdebf9a7eda50ad55d9fd20eb1634b0a9586279c5fb2ee62ed72e7
                                                                                  • Instruction Fuzzy Hash: 0E31C1715093806FE712CB25CC45B96FFF8EF06214F19849EE9848B293D335E809C761
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0147A361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 116 147a361-147a3cf 119 147a3d4-147a3dd 116->119 120 147a3d1 116->120 121 147a3e2-147a3e8 119->121 122 147a3df 119->122 120->119 123 147a3ed-147a404 121->123 124 147a3ea 121->124 122->121 126 147a406-147a419 RegQueryValueExW 123->126 127 147a43b-147a440 123->127 124->123 128 147a442-147a447 126->128 129 147a41b-147a438 126->129 127->126 128->129
                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,3696D909,00000000,00000000,00000000,00000000), ref: 0147A40C
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2353664773.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_147a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: de7a426b538e552b8cc91660da9ec658c2e1ef472d66d781f5ce6b7bf4209694
                                                                                  • Instruction ID: 3ecb21daa1e10711be7a2f35addc7f9e628d2b3672c1c762a220dc17dadc67ce
                                                                                  • Opcode Fuzzy Hash: de7a426b538e552b8cc91660da9ec658c2e1ef472d66d781f5ce6b7bf4209694
                                                                                  • Instruction Fuzzy Hash: 3631AE75109380AFE722CF15CC84F97BFF8EF06214F18849AE9458B6A2D364E809CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0147A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 133 147a462-147a4c3 136 147a4c5 133->136 137 147a4c8-147a4d4 133->137 136->137 138 147a4d6 137->138 139 147a4d9-147a4f0 137->139 138->139 141 147a527-147a52c 139->141 142 147a4f2-147a505 RegSetValueExW 139->142 141->142 143 147a507-147a524 142->143 144 147a52e-147a533 142->144 144->143
                                                                                  APIs
                                                                                  • RegSetValueExW.KERNELBASE(?,00000E24,3696D909,00000000,00000000,00000000,00000000), ref: 0147A4F8
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2353664773.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_147a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value
                                                                                  • String ID:
                                                                                  • API String ID: 3702945584-0
                                                                                  • Opcode ID: 3992e964cbbf546097673e9d612b7a4ac1da390e5fe7f98fda052fc17adf5768
                                                                                  • Instruction ID: d60e00497f75c7e5fe4af7563855627cbdfe4a1f4d794fda9c41a726fc4da0f8
                                                                                  • Opcode Fuzzy Hash: 3992e964cbbf546097673e9d612b7a4ac1da390e5fe7f98fda052fc17adf5768
                                                                                  • Instruction Fuzzy Hash: 9E21B2B61053806FE7228F15DC44FA7BFB8EF45214F18849AE945CB6A2D364E408CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0147A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 148 147a646-147a695 151 147a697 148->151 152 147a69a-147a6a3 148->152 151->152 153 147a6a5 152->153 154 147a6a8-147a6b1 152->154 153->154 155 147a6b3-147a6bb CreateMutexW 154->155 156 147a702-147a707 154->156 158 147a6c1-147a6d7 155->158 156->155 159 147a709-147a70e 158->159 160 147a6d9-147a6ff 158->160 159->160
                                                                                  APIs
                                                                                  • CreateMutexW.KERNELBASE(?,?), ref: 0147A6B9
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2353664773.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_147a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateMutex
                                                                                  • String ID:
                                                                                  • API String ID: 1964310414-0
                                                                                  • Opcode ID: 53772059994b0b7f064cd79614fafa017ce4cb20a77661b47160e096ab105430
                                                                                  • Instruction ID: 70618bd899301ad69bd6dcb36d42b43b5e3dc61342d508281d028e81a1cce0e7
                                                                                  • Opcode Fuzzy Hash: 53772059994b0b7f064cd79614fafa017ce4cb20a77661b47160e096ab105430
                                                                                  • Instruction Fuzzy Hash: 4821B371601200AFE710CB65CC85B9AFBE8EF04214F18846EE9498B752D371E409CB71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0147A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 163 147a392-147a3cf 165 147a3d4-147a3dd 163->165 166 147a3d1 163->166 167 147a3e2-147a3e8 165->167 168 147a3df 165->168 166->165 169 147a3ed-147a404 167->169 170 147a3ea 167->170 168->167 172 147a406-147a419 RegQueryValueExW 169->172 173 147a43b-147a440 169->173 170->169 174 147a442-147a447 172->174 175 147a41b-147a438 172->175 173->172 174->175
                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,3696D909,00000000,00000000,00000000,00000000), ref: 0147A40C
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2353664773.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_147a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: 601cda876d872ab501e1fdac28047269527a4e2ed6aff830966b17c54c7ac53c
                                                                                  • Instruction ID: 7806c16e95b64a25cc6f52222c62a23401577b6002fadf6fadef2a6dacd00434
                                                                                  • Opcode Fuzzy Hash: 601cda876d872ab501e1fdac28047269527a4e2ed6aff830966b17c54c7ac53c
                                                                                  • Instruction Fuzzy Hash: E0218E75600204AFE721CF15CC84FABBBECEF04614F1884AAE9458B762D375E809CAB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0147A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 179 147a486-147a4c3 181 147a4c5 179->181 182 147a4c8-147a4d4 179->182 181->182 183 147a4d6 182->183 184 147a4d9-147a4f0 182->184 183->184 186 147a527-147a52c 184->186 187 147a4f2-147a505 RegSetValueExW 184->187 186->187 188 147a507-147a524 187->188 189 147a52e-147a533 187->189 189->188
                                                                                  APIs
                                                                                  • RegSetValueExW.KERNELBASE(?,00000E24,3696D909,00000000,00000000,00000000,00000000), ref: 0147A4F8
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2353664773.000000000147A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_147a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value
                                                                                  • String ID:
                                                                                  • API String ID: 3702945584-0
                                                                                  • Opcode ID: 285055867a4c2bf2b2d04586790afe40a015a86c0e9afe2fe33ee6c8660cd81f
                                                                                  • Instruction ID: d9b3b41ae4727ff58a8d80c936853c79ff55e5119b082a25f6d9cac83996cdc7
                                                                                  • Opcode Fuzzy Hash: 285055867a4c2bf2b2d04586790afe40a015a86c0e9afe2fe33ee6c8660cd81f
                                                                                  • Instruction Fuzzy Hash: 6911D3B6600200AFE7218F15DC44FABFBECEF04614F18845AED458BBA2D371E409CAB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 05330080 Relevance: .1, Instructions: 128COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 193 5330080-53300ad 196 53300b8-53302f9 193->196
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2354133659.0000000005330000.00000040.00000800.00020000.00000000.sdmp, Offset: 05330000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_5330000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f979e33e29740267b93d3f843fe30bc55a3a70f0d42d3ceef1e068187d8f9cbc
                                                                                  • Instruction ID: 86afad95729880cc431f4c3238f68c52ce802f4c0e44bbec343a628268b771c2
                                                                                  • Opcode Fuzzy Hash: f979e33e29740267b93d3f843fe30bc55a3a70f0d42d3ceef1e068187d8f9cbc
                                                                                  • Instruction Fuzzy Hash: 61510B30211286ABD704DF37E48499E77A2FF9564C745896DD0148B7A8EF389CCECBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 05330006 Relevance: .0, Instructions: 44COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 234 5330006-5330069 236 5330070 call 1560606 234->236 237 5330070 call 5330301 234->237 238 5330070 call 5330310 234->238 239 5330070 call 15605e1 234->239 240 5330070 call 53303bd 234->240 235 5330076 236->235 237->235 238->235 239->235 240->235
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2354133659.0000000005330000.00000040.00000800.00020000.00000000.sdmp, Offset: 05330000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_5330000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4b1f50d16be99f0691a4e1525c3aa75f5015d1381fe97bdd77c0d00af9fdcbaa
                                                                                  • Instruction ID: 1106a3461bd86be0b490988b48094f4e259fbca5eb8179f4b7d3217bdd807336
                                                                                  • Opcode Fuzzy Hash: 4b1f50d16be99f0691a4e1525c3aa75f5015d1381fe97bdd77c0d00af9fdcbaa
                                                                                  • Instruction Fuzzy Hash: A4017AA644E3C08FDB138770A8A56853FB0AF17226B4B00DBC080CF4B7E59C984AD732
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 015605E1 Relevance: .0, Instructions: 42COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 241 15605e1-1560620 243 1560626-1560643 241->243
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2353864375.0000000001560000.00000040.00000020.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_1560000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5427c442ad64cafc3893e8ebb159457eaed82ff90eba0a643d24b473fe711721
                                                                                  • Instruction ID: 5a8cb86854de503f6b71c0504f3fe4d75200de9d0551bfc50a79913c13602275
                                                                                  • Opcode Fuzzy Hash: 5427c442ad64cafc3893e8ebb159457eaed82ff90eba0a643d24b473fe711721
                                                                                  • Instruction Fuzzy Hash: 3DF0A9B65093806FD7118F06AC40863FFF8EF86670719C49FEC4987622D225A918CBB2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01560606 Relevance: .0, Instructions: 27COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 244 1560606-1560620 245 1560626-1560643 244->245
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2353864375.0000000001560000.00000040.00000020.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_1560000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a66407b492f7b834e5d650b4544c8f190b9da9baa9ee2aea879f5f08fbe16f44
                                                                                  • Instruction ID: 4917a4571f6d9765bc99ce9d576fd1b122593a7b7c9967297bd5fea4af74b004
                                                                                  • Opcode Fuzzy Hash: a66407b492f7b834e5d650b4544c8f190b9da9baa9ee2aea879f5f08fbe16f44
                                                                                  • Instruction Fuzzy Hash: A8E06DB66006045B9650CF0AEC41452F7E8EB88630718C06FDC0D8B701E239B5188AE5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 014723F4 Relevance: .0, Instructions: 15COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 246 14723f4-14723ff 247 1472412-1472417 246->247 248 1472401-147240e 246->248 249 147241a 247->249 250 1472419 247->250 248->247 251 1472420-1472421 249->251
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2353648393.0000000001472000.00000040.00000800.00020000.00000000.sdmp, Offset: 01472000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_1472000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7a0581e23ebaf4d906993f6ff3fcecc4e1e081f0f33c0bd88bd85d1024229788
                                                                                  • Instruction ID: 0155c42913b435c977a047e03f4a75b53617e959e471536702ceed92d73edb12
                                                                                  • Opcode Fuzzy Hash: 7a0581e23ebaf4d906993f6ff3fcecc4e1e081f0f33c0bd88bd85d1024229788
                                                                                  • Instruction Fuzzy Hash: B1D05E7A2056D18FE3169A1CC1A4FD63BE4AB51714F4A44FEA800CB7B3C7BCD581D600
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 014723BC Relevance: .0, Instructions: 14COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 252 14723bc-14723c3 253 14723d6-14723db 252->253 254 14723c5-14723d2 252->254 255 14723e1 253->255 256 14723dd-14723e0 253->256 254->253 257 14723e7-14723e8 255->257
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2353648393.0000000001472000.00000040.00000800.00020000.00000000.sdmp, Offset: 01472000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_1472000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a8fd56ce3d2630f59f8a5630fcceebb86541f3e5b823d123f921c54b432d5ba1
                                                                                  • Instruction ID: ba305c201cc7ec4f1518935b987d516d2e4fb7ca6d293a182ed691bfc22e074a
                                                                                  • Opcode Fuzzy Hash: a8fd56ce3d2630f59f8a5630fcceebb86541f3e5b823d123f921c54b432d5ba1
                                                                                  • Instruction Fuzzy Hash: B6D05E342006814BD715DA2CC2E4F9A3BE4AB40714F1644EDAC108B772C7B8D8C0DA00
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Execution Graph

                                                                                  Execution Coverage:17.4%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:0%
                                                                                  Total number of Nodes:19
                                                                                  Total number of Limit Nodes:1
                                                                                  execution_graph 682 113a612 684 113a646 CreateMutexW 682->684 685 113a6c1 684->685 690 113a462 691 113a486 RegSetValueExW 690->691 693 113a507 691->693 694 113a361 696 113a392 RegQueryValueExW 694->696 697 113a41b 696->697 686 113a710 687 113a74e FindCloseChangeNotification 686->687 689 113a788 687->689 674 113a646 675 113a67e CreateMutexW 674->675 677 113a6c1 675->677 678 113a74e 679 113a77a FindCloseChangeNotification 678->679 680 113a7b9 678->680 681 113a788 679->681 680->679

                                                                                  Callgraph

                                                                                  Executed Functions

                                                                                  Function 05220310 Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 0 5220310-5220334 2 5220336-5220338 0->2 3 522033e-5220346 0->3 2->3 4 5220348-522034d 3->4 5 522034e-5220391 3->5 8 5220393-52203ce 5->8 9 52203d8-5220418 5->9 8->9 16 522041a 9->16 17 522041f-5220434 9->17 16->17 19 5220436-5220460 17->19 20 522046b-5220523 17->20 19->20 39 5220570-5220587 20->39 40 5220525-5220569 20->40 41 5220880 39->41 42 522058d-52205bf 39->42 40->39 42->41
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2446614506.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_5220000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 2Ll$2Ll$2Ll
                                                                                  • API String ID: 0-342096312
                                                                                  • Opcode ID: 0fa00826da6deef7e20b74ee0f02bd4f0a41456d39e16906a3a31b190084c39c
                                                                                  • Instruction ID: 63e64c01496e12e740017161b68c5a77571fdb304eeff5bff20156f477c28ff9
                                                                                  • Opcode Fuzzy Hash: 0fa00826da6deef7e20b74ee0f02bd4f0a41456d39e16906a3a31b190084c39c
                                                                                  • Instruction Fuzzy Hash: 4E51F330B202119BC718DB759414ABEB7E7BF85248B044079E016EB7A4DF38DC4AC7A2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 052203BD Relevance: 3.9, Strings: 3, Instructions: 135COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 53 52203bd-5220418 61 522041a 53->61 62 522041f-5220434 53->62 61->62 64 5220436-5220460 62->64 65 522046b-5220523 62->65 64->65 84 5220570-5220587 65->84 85 5220525-5220569 65->85 86 5220880 84->86 87 522058d-52205bf 84->87 85->84 87->86
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2446614506.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_5220000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 2Ll$2Ll$2Ll
                                                                                  • API String ID: 0-342096312
                                                                                  • Opcode ID: d558fd5c7d21cfb8f292753c27623a7492ace642f3fce80f00f42f8c406a8498
                                                                                  • Instruction ID: 97f9bab1504dace7da0a43edd7b9320c2603f210bec1bad4fa6f2956d90ac918
                                                                                  • Opcode Fuzzy Hash: d558fd5c7d21cfb8f292753c27623a7492ace642f3fce80f00f42f8c406a8498
                                                                                  • Instruction Fuzzy Hash: 4C41C534B102518B8B5DEB799014ABDB2D7AFC5248B44403DD426EFBE4DF68CD0A97E2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0113A612 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 98 113a612-113a695 102 113a697 98->102 103 113a69a-113a6a3 98->103 102->103 104 113a6a5 103->104 105 113a6a8-113a6b1 103->105 104->105 106 113a6b3-113a6d7 CreateMutexW 105->106 107 113a702-113a707 105->107 110 113a709-113a70e 106->110 111 113a6d9-113a6ff 106->111 107->106 110->111
                                                                                  APIs
                                                                                  • CreateMutexW.KERNELBASE(?,?), ref: 0113A6B9
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2446150201.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_113a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateMutex
                                                                                  • String ID:
                                                                                  • API String ID: 1964310414-0
                                                                                  • Opcode ID: a6c52298fc23564e68689f05752ed5c2c2244ecfd85b0ac2c991a521d21d0cb5
                                                                                  • Instruction ID: 68809ad44f980e0781a2f0338650aabdf812a1af8e7c6d02b317dc2b1905b572
                                                                                  • Opcode Fuzzy Hash: a6c52298fc23564e68689f05752ed5c2c2244ecfd85b0ac2c991a521d21d0cb5
                                                                                  • Instruction Fuzzy Hash: 7A31CFB55093806FE712CB25DC85B96BFF8EF46210F08849AE984CB293D325A809C761
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0113A361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 114 113a361-113a3cf 117 113a3d1 114->117 118 113a3d4-113a3dd 114->118 117->118 119 113a3e2-113a3e8 118->119 120 113a3df 118->120 121 113a3ea 119->121 122 113a3ed-113a404 119->122 120->119 121->122 124 113a406-113a419 RegQueryValueExW 122->124 125 113a43b-113a440 122->125 126 113a442-113a447 124->126 127 113a41b-113a438 124->127 125->124 126->127
                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,4004B1D5,00000000,00000000,00000000,00000000), ref: 0113A40C
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2446150201.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_113a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: 705c3be24a9c31094f7ae7e9d9573b7763db23922c3ef5f1f5cacab08b60cbbf
                                                                                  • Instruction ID: 00df0d9d0aacece1b6888947f4de9a792ac60cbe589c438d10e49a4a16e7d3e4
                                                                                  • Opcode Fuzzy Hash: 705c3be24a9c31094f7ae7e9d9573b7763db23922c3ef5f1f5cacab08b60cbbf
                                                                                  • Instruction Fuzzy Hash: 2431AE75109380AFE722CF15DC84F92BFF8EF46310F08849AE985CB692D364E809CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0113A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 131 113a462-113a4c3 134 113a4c5 131->134 135 113a4c8-113a4d4 131->135 134->135 136 113a4d6 135->136 137 113a4d9-113a4f0 135->137 136->137 139 113a4f2-113a505 RegSetValueExW 137->139 140 113a527-113a52c 137->140 141 113a507-113a524 139->141 142 113a52e-113a533 139->142 140->139 142->141
                                                                                  APIs
                                                                                  • RegSetValueExW.KERNELBASE(?,00000E24,4004B1D5,00000000,00000000,00000000,00000000), ref: 0113A4F8
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2446150201.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_113a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value
                                                                                  • String ID:
                                                                                  • API String ID: 3702945584-0
                                                                                  • Opcode ID: f8dcc77d4735a7305dd2d8ae2b847f2b0edbbf3055f4f279c2dfb486dcfb9cf2
                                                                                  • Instruction ID: 5dbcb108557db0866994f7e1dd999f6858afa7accc51171a347194b755152e68
                                                                                  • Opcode Fuzzy Hash: f8dcc77d4735a7305dd2d8ae2b847f2b0edbbf3055f4f279c2dfb486dcfb9cf2
                                                                                  • Instruction Fuzzy Hash: 712181765053806FE7228B15DC44F67BFB8EF46610F08849AE985CB692D364E808C771
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0113A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 146 113a646-113a695 149 113a697 146->149 150 113a69a-113a6a3 146->150 149->150 151 113a6a5 150->151 152 113a6a8-113a6b1 150->152 151->152 153 113a6b3-113a6bb CreateMutexW 152->153 154 113a702-113a707 152->154 156 113a6c1-113a6d7 153->156 154->153 157 113a709-113a70e 156->157 158 113a6d9-113a6ff 156->158 157->158
                                                                                  APIs
                                                                                  • CreateMutexW.KERNELBASE(?,?), ref: 0113A6B9
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2446150201.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_113a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateMutex
                                                                                  • String ID:
                                                                                  • API String ID: 1964310414-0
                                                                                  • Opcode ID: 34f3783b9388af7624b572d57b9c8db9f52cf469d7b7f20d2161d76c92507235
                                                                                  • Instruction ID: 441d8c7ac6b4d3bf79fdc1cdb3f245b288951e2a095709a739150987b4432e39
                                                                                  • Opcode Fuzzy Hash: 34f3783b9388af7624b572d57b9c8db9f52cf469d7b7f20d2161d76c92507235
                                                                                  • Instruction Fuzzy Hash: 9D21B0B5600200AFE715CB26DC85BA6FBE8EF44220F048469E985CB646D771E809CA71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0113A710 Relevance: 1.6, APIs: 1, Instructions: 70COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 161 113a710-113a778 163 113a77a-113a782 FindCloseChangeNotification 161->163 164 113a7b9-113a7be 161->164 166 113a788-113a79a 163->166 164->163 167 113a7c0-113a7c5 166->167 168 113a79c-113a7b8 166->168 167->168
                                                                                  APIs
                                                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0113A780
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2446150201.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_113a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ChangeCloseFindNotification
                                                                                  • String ID:
                                                                                  • API String ID: 2591292051-0
                                                                                  • Opcode ID: 0385fb8e137efbf3ce0861b81064e9b6a83172095b2b889371a47a4c6af2eaa9
                                                                                  • Instruction ID: 006bda72f5e3186acef7901383c4d0c9e54cd8fbc32de97530dd904dcbbe4a0e
                                                                                  • Opcode Fuzzy Hash: 0385fb8e137efbf3ce0861b81064e9b6a83172095b2b889371a47a4c6af2eaa9
                                                                                  • Instruction Fuzzy Hash: FF2105B54087809FDB028F25DC85752BFB8EF43220F0984EBDD858F663D2359909CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0113A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 170 113a392-113a3cf 172 113a3d1 170->172 173 113a3d4-113a3dd 170->173 172->173 174 113a3e2-113a3e8 173->174 175 113a3df 173->175 176 113a3ea 174->176 177 113a3ed-113a404 174->177 175->174 176->177 179 113a406-113a419 RegQueryValueExW 177->179 180 113a43b-113a440 177->180 181 113a442-113a447 179->181 182 113a41b-113a438 179->182 180->179 181->182
                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,4004B1D5,00000000,00000000,00000000,00000000), ref: 0113A40C
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2446150201.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_113a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: b55a52712e314c320e23382d2ed572f60008083567cd9846196050916feba154
                                                                                  • Instruction ID: 3e6c263c81adbdea74eedb403309c2908a8608fe04208f1b80fb740b671de268
                                                                                  • Opcode Fuzzy Hash: b55a52712e314c320e23382d2ed572f60008083567cd9846196050916feba154
                                                                                  • Instruction Fuzzy Hash: B421A2B6600204AFE721CF15DC84FA7F7ECEF44710F18845AEA86CB656D364E809CA71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0113A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 186 113a486-113a4c3 188 113a4c5 186->188 189 113a4c8-113a4d4 186->189 188->189 190 113a4d6 189->190 191 113a4d9-113a4f0 189->191 190->191 193 113a4f2-113a505 RegSetValueExW 191->193 194 113a527-113a52c 191->194 195 113a507-113a524 193->195 196 113a52e-113a533 193->196 194->193 196->195
                                                                                  APIs
                                                                                  • RegSetValueExW.KERNELBASE(?,00000E24,4004B1D5,00000000,00000000,00000000,00000000), ref: 0113A4F8
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2446150201.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_113a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value
                                                                                  • String ID:
                                                                                  • API String ID: 3702945584-0
                                                                                  • Opcode ID: 2f529df6c823fb6c6e64fdbc082aeb38c12da83a4d511424bb5b0875432099ef
                                                                                  • Instruction ID: 4fd0c9e70ba39effd49a11542a936e2cbf2918dd9019a8341066be0704f4dac0
                                                                                  • Opcode Fuzzy Hash: 2f529df6c823fb6c6e64fdbc082aeb38c12da83a4d511424bb5b0875432099ef
                                                                                  • Instruction Fuzzy Hash: 0B1193B6600600AFEB21CF15DC45FA7FBECEF44614F18845AED45CBA96D360E409CAB2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0113A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 200 113a74e-113a778 201 113a77a-113a782 FindCloseChangeNotification 200->201 202 113a7b9-113a7be 200->202 204 113a788-113a79a 201->204 202->201 205 113a7c0-113a7c5 204->205 206 113a79c-113a7b8 204->206 205->206
                                                                                  APIs
                                                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0113A780
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2446150201.000000000113A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_113a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ChangeCloseFindNotification
                                                                                  • String ID:
                                                                                  • API String ID: 2591292051-0
                                                                                  • Opcode ID: a31c125fcb72fd2763da0f338375ae4911332d237e83d0e7afcc0662f5911297
                                                                                  • Instruction ID: 222cde25577f94cd01c94afcb122c1d7396fb3e91393cad184a2c3a7e03fd956
                                                                                  • Opcode Fuzzy Hash: a31c125fcb72fd2763da0f338375ae4911332d237e83d0e7afcc0662f5911297
                                                                                  • Instruction Fuzzy Hash: DA01DFB55006009FDB158F19E885766FBE4EF40220F08C4ABDD8ACF756D376E408CAA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 05220080 Relevance: .1, Instructions: 128COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 208 5220080-52200ad 211 52200b8-52202f9 208->211
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2446614506.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_5220000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 63bc29855f503d243f10a48773d6123c7e18a55f39dbb655c4fd341a63e0f8f7
                                                                                  • Instruction ID: f4f25b762f040212e596848346f525ac5cac8837f7503c1c8bd3a8e91f0f040f
                                                                                  • Opcode Fuzzy Hash: 63bc29855f503d243f10a48773d6123c7e18a55f39dbb655c4fd341a63e0f8f7
                                                                                  • Instruction Fuzzy Hash: 09510030A11A82CBC704EF35E48498A77E2FF9424CB41857CD0255F7A9DB3C9D5ADB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01740648 Relevance: .0, Instructions: 48COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 249 1740648-1740649 250 17405fc-1740620 249->250 251 174064b-1740665 call 174066a 249->251 255 1740626-1740643 250->255
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2446419313.0000000001740000.00000040.00000020.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_1740000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ac0b113d3f1ea7c8e7509de585a7a9334ca881e6f66bd84e5bdbb9e078b7ccc3
                                                                                  • Instruction ID: 8d3c0456bfbd9e6eb5264607cc615c6b0df9a4c6a4c25fa7f9826626e9df13fe
                                                                                  • Opcode Fuzzy Hash: ac0b113d3f1ea7c8e7509de585a7a9334ca881e6f66bd84e5bdbb9e078b7ccc3
                                                                                  • Instruction Fuzzy Hash: D401A27610C7805FC3128F15AC55892FFF8EB85630B1884AFE949CB653D229A809CBA6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 017405E0 Relevance: .0, Instructions: 43COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 256 17405e0-1740620 259 1740626-1740643 256->259
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2446419313.0000000001740000.00000040.00000020.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_1740000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2832e5533a193b26e59a43cea3dd1cff68f7b0aa89f91217d12cad18188e8e9c
                                                                                  • Instruction ID: 662b5aced8ac9ebc45573e976a52523cf2d848b01ac4c154a10039880ba2b24e
                                                                                  • Opcode Fuzzy Hash: 2832e5533a193b26e59a43cea3dd1cff68f7b0aa89f91217d12cad18188e8e9c
                                                                                  • Instruction Fuzzy Hash: C101D6765093806FC7018F05EC41893BFF8EF8623070A84ABED498B612C225B909CBB2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 05220006 Relevance: .0, Instructions: 42COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 260 5220006-522006b 262 5220070 call 1740606 260->262 263 5220070 call 5220310 260->263 264 5220070 call 5220301 260->264 265 5220070 call 17405e0 260->265 266 5220070 call 1740648 260->266 267 5220070 call 52203bd 260->267 261 5220076 262->261 263->261 264->261 265->261 266->261 267->261
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2446614506.0000000005220000.00000040.00000800.00020000.00000000.sdmp, Offset: 05220000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_5220000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1238091a04684b8a3b6284304a5761e472d6943a1b1a4d7d5c1ab3bd02ebb570
                                                                                  • Instruction ID: a15e9b21d45513264acf709c7500bb6bad7602a8260b8b5c6e31157eb1a90fc6
                                                                                  • Opcode Fuzzy Hash: 1238091a04684b8a3b6284304a5761e472d6943a1b1a4d7d5c1ab3bd02ebb570
                                                                                  • Instruction Fuzzy Hash: 71F076A686E3C48FEB134770A86A6903F70AE23215B4F45D7C0D1CB0E3E588494AC332
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 01740606 Relevance: .0, Instructions: 27COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 268 1740606-1740620 269 1740626-1740643 268->269
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2446419313.0000000001740000.00000040.00000020.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_1740000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d2f0fdd68b734cd000517fa4c3b6c9c92caaf5e71ffee07c4524f8ecf2f33f97
                                                                                  • Instruction ID: b3d11f75ddb28712baf69738bc10b919f422f95a30a47bf69e31a13604320cb2
                                                                                  • Opcode Fuzzy Hash: d2f0fdd68b734cd000517fa4c3b6c9c92caaf5e71ffee07c4524f8ecf2f33f97
                                                                                  • Instruction Fuzzy Hash: BBE092B66006004B9750CF0AEC41452F7E8EB88630718C07FDC0E8BB11E235B908CAA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 011323F4 Relevance: .0, Instructions: 15COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2446136062.0000000001132000.00000040.00000800.00020000.00000000.sdmp, Offset: 01132000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_1132000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b391e967e0f9d0116567ead3decaefd39d5bba3a084f6b4d56ea09c206fd3992
                                                                                  • Instruction ID: a54df477a2d7d75570b4b22d2637157885fbecd4bbc49aa0c53e30571fb57f4b
                                                                                  • Opcode Fuzzy Hash: b391e967e0f9d0116567ead3decaefd39d5bba3a084f6b4d56ea09c206fd3992
                                                                                  • Instruction Fuzzy Hash: 01D05E793056C14FE31AAA1CC1A4B963BE4AB91714F5A44FDE800CB7A7C77CE581D600
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 011323BC Relevance: .0, Instructions: 14COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.2446136062.0000000001132000.00000040.00000800.00020000.00000000.sdmp, Offset: 01132000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_1132000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ab631c6dddf077b46442c268d1b0c524c7559c50e19699aa1d752ed303566783
                                                                                  • Instruction ID: 5a59d3746d5cee5d4d113f3e538f90c6a85bb1ea9f4367173b65a6aae2e7568a
                                                                                  • Opcode Fuzzy Hash: ab631c6dddf077b46442c268d1b0c524c7559c50e19699aa1d752ed303566783
                                                                                  • Instruction Fuzzy Hash: F4D05E352442814BD719EA0CC2E4F597BE4AB84B14F1644ECAC108B766C7B8D8C0DA00
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Execution Graph

                                                                                  Execution Coverage:17.5%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:0%
                                                                                  Total number of Nodes:19
                                                                                  Total number of Limit Nodes:1
                                                                                  execution_graph 505 62a462 507 62a486 RegSetValueExW 505->507 508 62a507 507->508 513 62a612 514 62a646 CreateMutexW 513->514 516 62a6c1 514->516 517 62a710 518 62a74e FindCloseChangeNotification 517->518 520 62a788 518->520 509 62a361 511 62a392 RegQueryValueExW 509->511 512 62a41b 511->512 493 62a646 495 62a67e CreateMutexW 493->495 496 62a6c1 495->496 501 62a74e 502 62a77a FindCloseChangeNotification 501->502 503 62a7b9 501->503 504 62a788 502->504 503->502

                                                                                  Callgraph

                                                                                  Executed Functions

                                                                                  Function 00B00310 Relevance: 7.7, Strings: 6, Instructions: 194COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 0 b00310-b00334 2 b00336-b00338 0->2 3 b0033e-b00346 0->3 2->3 4 b00348-b0034d 3->4 5 b0034e-b0035c 3->5 7 b00362-b00391 5->7 8 b0035e-b00360 5->8 10 b00393-b003ce 7->10 11 b003d8-b00418 7->11 8->7 10->11 18 b0041a 11->18 19 b0041f-b00434 11->19 18->19 21 b00436-b00460 19->21 22 b0046b-b00523 19->22 21->22 41 b00570-b00587 22->41 42 b00525-b00569 22->42 43 b00880 41->43 44 b0058d-b005bf 41->44 42->41 44->43
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2528095567.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_b00000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: [{l^$-[{l^$2Ll$2Ll$2Ll$=[{l^
                                                                                  • API String ID: 0-1852449191
                                                                                  • Opcode ID: 74542fda594648f52e2fafab93848dce0a9384d106d8835bc57e51d987410a50
                                                                                  • Instruction ID: 2c7e207c6b73ee1e8a0280ccd35553c4c2c38e54d1ec68b54de247cbe4f6b510
                                                                                  • Opcode Fuzzy Hash: 74542fda594648f52e2fafab93848dce0a9384d106d8835bc57e51d987410a50
                                                                                  • Instruction Fuzzy Hash: F261FF317102118FD709EB799460ABE7BE7AB85304B548479E401DB7E5DF28CD06CBE6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00B003BD Relevance: 7.6, Strings: 6, Instructions: 135COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 55 b003bd-b00418 63 b0041a 55->63 64 b0041f-b00434 55->64 63->64 66 b00436-b00460 64->66 67 b0046b-b00523 64->67 66->67 86 b00570-b00587 67->86 87 b00525-b00569 67->87 88 b00880 86->88 89 b0058d-b005bf 86->89 87->86 89->88
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2528095567.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_b00000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: [{l^$-[{l^$2Ll$2Ll$2Ll$=[{l^
                                                                                  • API String ID: 0-1852449191
                                                                                  • Opcode ID: d72c83eadada056e15e5d0cd87b7bcbf9ca9d9f3c66ca3f80e1ad9a3ca2f6542
                                                                                  • Instruction ID: 123bcc130720a025d48cbf3e11a474f43429df09c87b0097097c88ae2863efd5
                                                                                  • Opcode Fuzzy Hash: d72c83eadada056e15e5d0cd87b7bcbf9ca9d9f3c66ca3f80e1ad9a3ca2f6542
                                                                                  • Instruction Fuzzy Hash: 2141C431B101118BCB08EB799460ABD76D7AFC5308B44847DE402DBBE5DF28CD0A9BE6
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0062A612 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 100 62a612-62a695 104 62a697 100->104 105 62a69a-62a6a3 100->105 104->105 106 62a6a5 105->106 107 62a6a8-62a6b1 105->107 106->107 108 62a702-62a707 107->108 109 62a6b3-62a6d7 CreateMutexW 107->109 108->109 112 62a709-62a70e 109->112 113 62a6d9-62a6ff 109->113 112->113
                                                                                  APIs
                                                                                  • CreateMutexW.KERNELBASE(?,?), ref: 0062A6B9
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2527624220.000000000062A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0062A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_62a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateMutex
                                                                                  • String ID:
                                                                                  • API String ID: 1964310414-0
                                                                                  • Opcode ID: 88282af88b803452380154f7722b17356fd955a6f2c851d9e7a662292263c57d
                                                                                  • Instruction ID: 2713ef354de81a35d2a1d30c28af1dbdfd270740a7e732106f2caa5a4ad6310c
                                                                                  • Opcode Fuzzy Hash: 88282af88b803452380154f7722b17356fd955a6f2c851d9e7a662292263c57d
                                                                                  • Instruction Fuzzy Hash: 1031C1755097806FE711CB61DC45B96FFF8EF06310F08849AE9848B293D375A809CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0062A361 Relevance: 1.6, APIs: 1, Instructions: 85registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 116 62a361-62a3cf 119 62a3d1 116->119 120 62a3d4-62a3dd 116->120 119->120 121 62a3e2-62a3e8 120->121 122 62a3df 120->122 123 62a3ea 121->123 124 62a3ed-62a404 121->124 122->121 123->124 126 62a406-62a419 RegQueryValueExW 124->126 127 62a43b-62a440 124->127 128 62a442-62a447 126->128 129 62a41b-62a438 126->129 127->126 128->129
                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,332FBA08,00000000,00000000,00000000,00000000), ref: 0062A40C
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2527624220.000000000062A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0062A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_62a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: 1676cc6197fcf9517abade19b59a14b41781ef5b07d85397f87ab5cd6aa1a5d9
                                                                                  • Instruction ID: d43d37b94584bf84fd5c97aabafcec135cdc82a9635cb825a9c60fbe676ee250
                                                                                  • Opcode Fuzzy Hash: 1676cc6197fcf9517abade19b59a14b41781ef5b07d85397f87ab5cd6aa1a5d9
                                                                                  • Instruction Fuzzy Hash: BD318F75505780AFE722CF51DC84F96FBF8EF06710F08849AE985CB692D364E909CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0062A462 Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 133 62a462-62a4c3 136 62a4c5 133->136 137 62a4c8-62a4d4 133->137 136->137 138 62a4d6 137->138 139 62a4d9-62a4f0 137->139 138->139 141 62a4f2-62a505 RegSetValueExW 139->141 142 62a527-62a52c 139->142 143 62a507-62a524 141->143 144 62a52e-62a533 141->144 142->141 144->143
                                                                                  APIs
                                                                                  • RegSetValueExW.KERNELBASE(?,00000E24,332FBA08,00000000,00000000,00000000,00000000), ref: 0062A4F8
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2527624220.000000000062A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0062A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_62a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value
                                                                                  • String ID:
                                                                                  • API String ID: 3702945584-0
                                                                                  • Opcode ID: dea4926862e3df1ec4b44853d3b5d0e47262aaee9e2eed07a5520af7a8a5a29a
                                                                                  • Instruction ID: 746416866f62b49235971e85163fefb916bc5e6122bbe00b7cf20d96850e3d2d
                                                                                  • Opcode Fuzzy Hash: dea4926862e3df1ec4b44853d3b5d0e47262aaee9e2eed07a5520af7a8a5a29a
                                                                                  • Instruction Fuzzy Hash: CC21B0725057806FD7228F51DC44FA7BFB8EF06710F08849AE985DB692C2A4E808CB72
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0062A646 Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 148 62a646-62a695 151 62a697 148->151 152 62a69a-62a6a3 148->152 151->152 153 62a6a5 152->153 154 62a6a8-62a6b1 152->154 153->154 155 62a702-62a707 154->155 156 62a6b3-62a6bb CreateMutexW 154->156 155->156 157 62a6c1-62a6d7 156->157 159 62a709-62a70e 157->159 160 62a6d9-62a6ff 157->160 159->160
                                                                                  APIs
                                                                                  • CreateMutexW.KERNELBASE(?,?), ref: 0062A6B9
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2527624220.000000000062A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0062A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_62a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateMutex
                                                                                  • String ID:
                                                                                  • API String ID: 1964310414-0
                                                                                  • Opcode ID: 77a0862664e53705b3714ff61c63591a579a83ca42d23362abed8831f73c9036
                                                                                  • Instruction ID: 1eda3714c83badcfa80ccdca40e44b998fdcba1cc4e6a16020c8f51fabeef3bb
                                                                                  • Opcode Fuzzy Hash: 77a0862664e53705b3714ff61c63591a579a83ca42d23362abed8831f73c9036
                                                                                  • Instruction Fuzzy Hash: 7721B075601640AFE710CB65DC85BA6FBE8EF14314F1884AAE9458B742D3B1E809CB72
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0062A710 Relevance: 1.6, APIs: 1, Instructions: 70COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 163 62a710-62a778 165 62a77a-62a782 FindCloseChangeNotification 163->165 166 62a7b9-62a7be 163->166 167 62a788-62a79a 165->167 166->165 169 62a7c0-62a7c5 167->169 170 62a79c-62a7b8 167->170 169->170
                                                                                  APIs
                                                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0062A780
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2527624220.000000000062A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0062A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_62a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ChangeCloseFindNotification
                                                                                  • String ID:
                                                                                  • API String ID: 2591292051-0
                                                                                  • Opcode ID: 9e1dac8ea34fcfde9f4ac956c117fa8b97063aa734dfa2f116dad5fc6e6a9b03
                                                                                  • Instruction ID: 998119241486e5ac089ea5f1d9ab87960689bdc6179cbb503a4ed83bbeffaa35
                                                                                  • Opcode Fuzzy Hash: 9e1dac8ea34fcfde9f4ac956c117fa8b97063aa734dfa2f116dad5fc6e6a9b03
                                                                                  • Instruction Fuzzy Hash: 7321F3B54097809FDB028F25DC85752BFB8EF02320F0984EBDC848F6A3D2759909CB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0062A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 172 62a392-62a3cf 174 62a3d1 172->174 175 62a3d4-62a3dd 172->175 174->175 176 62a3e2-62a3e8 175->176 177 62a3df 175->177 178 62a3ea 176->178 179 62a3ed-62a404 176->179 177->176 178->179 181 62a406-62a419 RegQueryValueExW 179->181 182 62a43b-62a440 179->182 183 62a442-62a447 181->183 184 62a41b-62a438 181->184 182->181 183->184
                                                                                  APIs
                                                                                  • RegQueryValueExW.KERNELBASE(?,00000E24,332FBA08,00000000,00000000,00000000,00000000), ref: 0062A40C
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2527624220.000000000062A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0062A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_62a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: QueryValue
                                                                                  • String ID:
                                                                                  • API String ID: 3660427363-0
                                                                                  • Opcode ID: 902053410796a38a9a70f5c331a4c3aaa563dacadc81324e3e4b1b43c49e6fa3
                                                                                  • Instruction ID: 3fda15b3032fd4041f1bd3a8389beff7a5a0ade1e4b2050e3a6cba965b57f2d0
                                                                                  • Opcode Fuzzy Hash: 902053410796a38a9a70f5c331a4c3aaa563dacadc81324e3e4b1b43c49e6fa3
                                                                                  • Instruction Fuzzy Hash: 69216AB5600A04AFE720DF55DC84FA6F7ECEF04720F18849AE945CB752D3A0E809CA72
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0062A486 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 188 62a486-62a4c3 190 62a4c5 188->190 191 62a4c8-62a4d4 188->191 190->191 192 62a4d6 191->192 193 62a4d9-62a4f0 191->193 192->193 195 62a4f2-62a505 RegSetValueExW 193->195 196 62a527-62a52c 193->196 197 62a507-62a524 195->197 198 62a52e-62a533 195->198 196->195 198->197
                                                                                  APIs
                                                                                  • RegSetValueExW.KERNELBASE(?,00000E24,332FBA08,00000000,00000000,00000000,00000000), ref: 0062A4F8
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2527624220.000000000062A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0062A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_62a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: Value
                                                                                  • String ID:
                                                                                  • API String ID: 3702945584-0
                                                                                  • Opcode ID: cca10f297ebe544bd3e8171e0024b0f1bf54ef24a4d3453a32e41c5f8723de1b
                                                                                  • Instruction ID: e1d89ec3c0697b2c80d52025e38e24397422fc40ca994df8c910a6499a5d0741
                                                                                  • Opcode Fuzzy Hash: cca10f297ebe544bd3e8171e0024b0f1bf54ef24a4d3453a32e41c5f8723de1b
                                                                                  • Instruction Fuzzy Hash: B411B1B6600600AFE7208F51DC44FA7FBECEF04714F14845AED459AB52D3A0E809CEB2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 0062A74E Relevance: 1.5, APIs: 1, Instructions: 43COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 202 62a74e-62a778 203 62a77a-62a782 FindCloseChangeNotification 202->203 204 62a7b9-62a7be 202->204 205 62a788-62a79a 203->205 204->203 207 62a7c0-62a7c5 205->207 208 62a79c-62a7b8 205->208 207->208
                                                                                  APIs
                                                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0062A780
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2527624220.000000000062A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0062A000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_62a000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID: ChangeCloseFindNotification
                                                                                  • String ID:
                                                                                  • API String ID: 2591292051-0
                                                                                  • Opcode ID: bef3fe059323a3f45ad1a8325e78793fa5c8c6f942b05a541584653c4c61281f
                                                                                  • Instruction ID: 1569a7634ea0fecb39d68212ade338ea391ec38ab5da5462fec2928d5d2c0a9e
                                                                                  • Opcode Fuzzy Hash: bef3fe059323a3f45ad1a8325e78793fa5c8c6f942b05a541584653c4c61281f
                                                                                  • Instruction Fuzzy Hash: 5C018F799006409FDB10CF55E9857A6FBE4EF04720F08C4ABDD498F752D2B5E849CEA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00B00080 Relevance: .1, Instructions: 130COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 210 b00080-b000ad 213 b000b8-b002f9 210->213
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2528095567.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_b00000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8ff93d1ec8bed9842414fcf494c9d52ebe6ee3ddd8c73dc37e8b9e877d4dfab8
                                                                                  • Instruction ID: 81046d6306c467b2265eccd812285c049cabe4def5e6186b99ce7045c68af01b
                                                                                  • Opcode Fuzzy Hash: 8ff93d1ec8bed9842414fcf494c9d52ebe6ee3ddd8c73dc37e8b9e877d4dfab8
                                                                                  • Instruction Fuzzy Hash: EF511F32216286CFC704FB3DE55598977F6BF8420C781C929D1148F7AEDB38994ACB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00B00006 Relevance: .0, Instructions: 49COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 251 b00006-b0006d 253 b00070 call b00310 251->253 254 b00070 call a205e0 251->254 255 b00070 call a20606 251->255 256 b00070 call b003bd 251->256 252 b00076 253->252 254->252 255->252 256->252
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2528095567.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_b00000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: af2abaf02e9cb0b66de57a9a0bccd787c054719a71d3f2b1bc3aca06f8117989
                                                                                  • Instruction ID: 77431260614fff99ec2652aa92ffb8b145b41117ed4623ed82c6106bc3de25d1
                                                                                  • Opcode Fuzzy Hash: af2abaf02e9cb0b66de57a9a0bccd787c054719a71d3f2b1bc3aca06f8117989
                                                                                  • Instruction Fuzzy Hash: 6601456544E3C04FEB039BB458295913FB06E23220B5F51DBC481CF1B3E65C1A49D732
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A205E0 Relevance: .0, Instructions: 44COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 257 a205e0-a20620 259 a20626-a20643 257->259
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2528044680.0000000000A20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_a20000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 58737cd45a45ade0e5675db8353911a7e8b59ccdd5b9edfdd30a2eb9bca071cb
                                                                                  • Instruction ID: 9f17a26879c2419a65125ec6ea5586c745bdcd666a3c24eef327bec14e8dc775
                                                                                  • Opcode Fuzzy Hash: 58737cd45a45ade0e5675db8353911a7e8b59ccdd5b9edfdd30a2eb9bca071cb
                                                                                  • Instruction Fuzzy Hash: D10186B65093805FD712CB169C50863FFB8EF8A630709C4DFE8498B612D225B908CBB2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 00A20606 Relevance: .0, Instructions: 27COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 260 a20606-a20620 261 a20626-a20643 260->261
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2528044680.0000000000A20000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_a20000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b3e280a5659dca5fca559d61efa5613bcbf53db22072f075ba76a0b82c2fd4b1
                                                                                  • Instruction ID: 9d84ee6b0e0f6a0af1471aa98a23407bcaedaec47b470bbb11a8a591423f4c49
                                                                                  • Opcode Fuzzy Hash: b3e280a5659dca5fca559d61efa5613bcbf53db22072f075ba76a0b82c2fd4b1
                                                                                  • Instruction Fuzzy Hash: 38E092B6A006404B9650CF0AEC41452F7E8EB88630B18C07FDC0D8BB01D276B508CEA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 006223F4 Relevance: .0, Instructions: 15COMMON
                                                                                  Download Yara Rule

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 262 6223f4-6223ff 263 622412-622417 262->263 264 622401-62240e 262->264 265 62241a 263->265 266 622419 263->266 264->263 267 622420-622421 265->267
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2527610322.0000000000622000.00000040.00000800.00020000.00000000.sdmp, Offset: 00622000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_622000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f2e02e73e2699b605cac4b1ec65091a332953b67436a0cd2f1290ae58405e486
                                                                                  • Instruction ID: 2c14172d7e198fa83ec0d39823c91efb686c52acb72360c1e3fe5d5a01e3b408
                                                                                  • Opcode Fuzzy Hash: f2e02e73e2699b605cac4b1ec65091a332953b67436a0cd2f1290ae58405e486
                                                                                  • Instruction Fuzzy Hash: E3D02E39200AD24FD316AA0CD1B4BC637E4AB40704F0A00FEAC00CB7A3C76CD8C0CA00
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Function 006223BC Relevance: .0, Instructions: 14COMMON
                                                                                  Download Yara Rule
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2527610322.0000000000622000.00000040.00000800.00020000.00000000.sdmp, Offset: 00622000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_622000_ESET Service.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f2f6f8bd0dcc910806a8aa580390a6c16abc3439bd2f2695e4ee4251d05eeba8
                                                                                  • Instruction ID: ced31d5a0285199254b97d026a4f8d8dc14992c0e638ad37fe33ddd7b71bb92e
                                                                                  • Opcode Fuzzy Hash: f2f6f8bd0dcc910806a8aa580390a6c16abc3439bd2f2695e4ee4251d05eeba8
                                                                                  • Instruction Fuzzy Hash: C0D05E342006824BC719DA0CD2E4F9937E5AF40714F1644ECAC108B762C7A8DCC0DE00
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%