Windows Analysis Report
U22p1GcCSb.exe

Overview

General Information

Sample name: U22p1GcCSb.exe (renamed because original name is a hash value)
Original sample name: 0a5ef41dd9cdbad5c5aaf4ca7b177700.exe
Analysis ID: 1406594
MD5: 0a5ef41dd9cdbad5c5aaf4ca7b177700
SHA1: ab67841aaec06b8527596203c2c426e6f59b0470
SHA256: 72feaca614e6e82fa5efd6d8795d68223fef6054ee898ad9cdaed71194a88c8d
Tags: exe, njrat, RAT

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
Connects to many ports of the same IP (likely port scanning)
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Creates autorun.inf (USB autostart)
Disables the Windows task manager (taskmgr)
Disables zone checking for all users
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the program root directory (C:\Program Files)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • U22p1GcCSb.exe (PID: 7616 cmdline: C:\Users\user\Desktop\U22p1GcCSb.exe MD5: 0A5EF41DD9CDBAD5C5AAF4CA7B177700)
    • server.exe (PID: 7740 cmdline: "C:\Users\user\AppData\Roaming\server.exe" MD5: 0A5EF41DD9CDBAD5C5AAF4CA7B177700)
      • netsh.exe (PID: 7920 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 7256 cmdline: netsh firewall delete allowedprogram "C:\Users\user\AppData\Roaming\server.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 7300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 7276 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Explower.exe (PID: 7628 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe" MD5: 0A5EF41DD9CDBAD5C5AAF4CA7B177700)
  • Microsoft Corporation.exe (PID: 7812 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe" MD5: 0A5EF41DD9CDBAD5C5AAF4CA7B177700)
  • cleanup
Name: NjRAT
Description: RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
Attribution:
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
{"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "7330bac122947b8db6af3ae8d6783a41", "Install Dir": "system", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Source | Rule | Description | Author | Strings
U22p1GcCSb.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
U22p1GcCSb.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a2d:$a2: SEE_MASK_NOZONECHECKS
  • 0x156cf:$a3: Download ERROR
  • 0x15c7f:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c0c:$a5: netsh firewall delete allowedprogram "
U22p1GcCSb.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15c7f:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x13798:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x156ed:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156cf:$s6: Download ERROR
  • 0x1375a:$s8: Select * From AntiVirusProduct
U22p1GcCSb.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a2d:$reg: SEE_MASK_NOZONECHECKS
  • 0x156b3:$msg: Execute ERROR
  • 0x15707:$msg: Execute ERROR
  • 0x15c7f:$ping: cmd.exe /c ping 0 -n 2 & del
U22p1GcCSb.exe | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x13c0c:$s1: netsh firewall delete allowedprogram
  • 0x13c5e:$s2: netsh firewall add allowedprogram
  • 0x15c7f:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x156b3:$s4: Execute ERROR
  • 0x15707:$s4: Execute ERROR
  • 0x156cf:$s5: Download ERROR
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Explower.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\Program Files (x86)\Explower.exe | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a2d:$a2: SEE_MASK_NOZONECHECKS
  • 0x156cf:$a3: Download ERROR
  • 0x15c7f:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c0c:$a5: netsh firewall delete allowedprogram "
C:\Program Files (x86)\Explower.exe | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15c7f:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x13798:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x156ed:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156cf:$s6: Download ERROR
  • 0x1375a:$s8: Select * From AntiVirusProduct
C:\Program Files (x86)\Explower.exe | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a2d:$reg: SEE_MASK_NOZONECHECKS
  • 0x156b3:$msg: Execute ERROR
  • 0x15707:$msg: Execute ERROR
  • 0x15c7f:$ping: cmd.exe /c ping 0 -n 2 & del
C:\Program Files (x86)\Explower.exe | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x13c0c:$s1: netsh firewall delete allowedprogram
  • 0x13c5e:$s2: netsh firewall add allowedprogram
  • 0x15c7f:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x156b3:$s4: Execute ERROR
  • 0x15707:$s4: Execute ERROR
  • 0x156cf:$s5: Download ERROR
(75 entries in total; only the first are shown)
Source | Rule | Description | Author | Strings
00000000.00000000.1237415316.0000000000E42000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000000.1237415316.0000000000E42000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x113d2:$a1: get_Registry
  • 0x1582d:$a2: SEE_MASK_NOZONECHECKS
  • 0x154cf:$a3: Download ERROR
  • 0x15a7f:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13a0c:$a5: netsh firewall delete allowedprogram "
00000000.00000000.1237415316.0000000000E42000.00000002.00000001.01000000.00000003.sdmp | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x1582d:$reg: SEE_MASK_NOZONECHECKS
  • 0x154b3:$msg: Execute ERROR
  • 0x15507:$msg: Execute ERROR
  • 0x15a7f:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.1257055398.0000000004588000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
00000000.00000002.1257055398.0000000004588000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115f2:$a1: get_Registry
  • 0x15a4d:$a2: SEE_MASK_NOZONECHECKS
  • 0x156ef:$a3: Download ERROR
  • 0x15c9f:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c2c:$a5: netsh firewall delete allowedprogram "
(6 entries in total; only the first are shown)
Source | Rule | Description | Author | Strings
0.0.U22p1GcCSb.exe.e40000.0.unpack | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
0.0.U22p1GcCSb.exe.e40000.0.unpack | Windows_Trojan_Njrat_30f3c220 | unknown | unknown
  • 0x115d2:$a1: get_Registry
  • 0x15a2d:$a2: SEE_MASK_NOZONECHECKS
  • 0x156cf:$a3: Download ERROR
  • 0x15c7f:$a4: cmd.exe /c ping 0 -n 2 & del "
  • 0x13c0c:$a5: netsh firewall delete allowedprogram "
0.0.U22p1GcCSb.exe.e40000.0.unpack | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | Florian Roth
  • 0x15c7f:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x13798:$s1: winmgmts:\\.\root\SecurityCenter2
  • 0x156ed:$s3: Executed As
  • 0x124f0:$s5: Stub.exe
  • 0x156cf:$s6: Download ERROR
  • 0x1375a:$s8: Select * From AntiVirusProduct
0.0.U22p1GcCSb.exe.e40000.0.unpack | Njrat | detect njRAT in memory | JPCERT/CC Incident Response Group
  • 0x15a2d:$reg: SEE_MASK_NOZONECHECKS
  • 0x156b3:$msg: Execute ERROR
  • 0x15707:$msg: Execute ERROR
  • 0x15c7f:$ping: cmd.exe /c ping 0 -n 2 & del
0.0.U22p1GcCSb.exe.e40000.0.unpack | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x13c0c:$s1: netsh firewall delete allowedprogram
  • 0x13c5e:$s2: netsh firewall add allowedprogram
  • 0x15c7f:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
  • 0x156b3:$s4: Execute ERROR
  • 0x15707:$s4: Execute ERROR
  • 0x156cf:$s5: Download ERROR

            System Summary

Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\server.exe, ProcessId: 7740, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
03/11/24-13:57:55.365233 | 2033132 | 49723 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:57.972581 | 2033132 | 49724 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:10.905781 | 2033132 | 49703 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:48.181665 | 2033132 | 49721 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:52.998127 | 2033132 | 49722 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:00.582904 | 2033132 | 49725 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:13.390092 | 2033132 | 49704 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:45.527575 | 2033132 | 49720 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:03.810011 | 2033132 | 49727 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:06.238601 | 2033132 | 49728 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:17.866686 | 2033132 | 49705 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:20.184506 | 2033132 | 49707 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:43.174186 | 2814856 | 49751 | 13672 | TCP | A Network Trojan was detected
03/11/24-14:00:44.353987 | 2814856 | 49762 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:31.511033 | 2814856 | 49715 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:08.861139 | 2033132 | 49744 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:11.494367 | 2033132 | 49745 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:40.524865 | 2814856 | 49750 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:59.718993 | 2814856 | 49753 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:37.885075 | 2814856 | 49717 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:05.101000 | 2033132 | 49743 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:40.494203 | 2814856 | 49718 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:43.148380 | 2814856 | 49719 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:49.035267 | 2033132 | 49740 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:51.830869 | 2033132 | 49741 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:36.746964 | 2814856 | 49737 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:58.414340 | 2033132 | 49742 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:31.179034 | 2814856 | 49736 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:00.884094 | 2814856 | 49725 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:28.707084 | 2814856 | 49714 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:58.274652 | 2814856 | 49724 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:55.667281 | 2814856 | 49723 | 13672 | TCP | A Network Trojan was detected
03/11/24-14:00:33.042782 | 2814856 | 49760 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:26.008083 | 2814856 | 49713 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:30.876607 | 2033132 | 49736 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:48.411158 | 2814856 | 49721 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:23.387503 | 2814856 | 49711 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:36.488277 | 2033132 | 49737 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:39.527868 | 2033132 | 49738 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:45.787003 | 2814856 | 49720 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:45.841985 | 2033132 | 49739 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:25.706252 | 2033132 | 49713 | 13672 | TCP | A Network Trojan was detected
03/11/24-14:00:30.357471 | 2814856 | 49759 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:28.403515 | 2033132 | 49714 | 13672 | TCP | A Network Trojan was detected
03/11/24-14:00:41.703341 | 2033132 | 49761 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:23.086932 | 2033132 | 49711 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:31.210284 | 2033132 | 49715 | 13672 | TCP | A Network Trojan was detected
03/11/24-14:00:44.051573 | 2033132 | 49762 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:37.582749 | 2033132 | 49717 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:35.262290 | 2033132 | 49716 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:40.192791 | 2033132 | 49718 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:28.032861 | 2033132 | 49735 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:13.692255 | 2814856 | 49704 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:17.004618 | 2033132 | 49747 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:20.488277 | 2033132 | 49733 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:23.099308 | 2033132 | 49734 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:21.876862 | 2033132 | 49748 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:17.878508 | 2033132 | 49732 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:31.590664 | 2033132 | 49749 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:09.186733 | 2814856 | 49729 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:12.641935 | 2033132 | 49730 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:20.486728 | 2814856 | 49707 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:06.541661 | 2814856 | 49728 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:15.255220 | 2033132 | 49731 | 13672 | TCP | A Network Trojan was detected
03/11/24-14:00:32.739203 | 2033132 | 49760 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:22.150528 | 2814856 | 49748 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:40.223106 | 2033132 | 49750 | 13672 | TCP | A Network Trojan was detected
03/11/24-14:00:17.380683 | 2814856 | 49757 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:14.671406 | 2814856 | 49746 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:17.306266 | 2814856 | 49747 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:42.872534 | 2033132 | 49751 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:56.068201 | 2033132 | 49752 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:23.402360 | 2814856 | 49734 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:11.796875 | 2814856 | 49745 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:15.559318 | 2814856 | 49731 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:58.717130 | 2814856 | 49742 | 13672 | TCP | A Network Trojan was detected
03/11/24-14:00:08.210628 | 2814856 | 49755 | 13672 | TCP | A Network Trojan was detected
03/11/24-14:00:02.370471 | 2814856 | 49754 | 13672 | TCP | A Network Trojan was detected
03/11/24-14:00:10.893695 | 2814856 | 49756 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:20.790475 | 2814856 | 49733 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:09.163778 | 2814856 | 49744 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:18.179511 | 2814856 | 49732 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:05.403490 | 2814856 | 49743 | 13672 | TCP | A Network Trojan was detected
03/11/24-14:00:17.081352 | 2033132 | 49757 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:14.496224 | 2033132 | 49746 | 13672 | TCP | A Network Trojan was detected
03/11/24-14:00:25.827295 | 2033132 | 49758 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:57:42.903315 | 2033132 | 49719 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:08.885686 | 2033132 | 49729 | 13672 | TCP | A Network Trojan was detected
03/11/24-14:00:07.909379 | 2033132 | 49755 | 13672 | TCP | A Network Trojan was detected
03/11/24-14:00:10.590931 | 2033132 | 49756 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:12.944215 | 2814856 | 49730 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:52.029514 | 2814856 | 49741 | 13672 | TCP | A Network Trojan was detected
03/11/24-14:00:30.052643 | 2033132 | 49759 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:59:59.415669 | 2033132 | 49753 | 13672 | TCP | A Network Trojan was detected
03/11/24-14:00:02.066515 | 2033132 | 49754 | 13672 | TCP | A Network Trojan was detected
03/11/24-13:58:49.337814 | 2814856 | 49740 | 13672 | TCP | A Network Trojan was detected


            AV Detection

            Source: U22p1GcCSb.exe | Avira: detected
            Source: C:\system.exe | Avira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Notepad.exe | Avira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Program Files (x86)\Explower.exe | Avira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Avira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe | Avira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Umbrella.flv.exe | Avira: detection malicious, Label: TR/Dropper.Gen
            Source: C:\Users\user\AppData\Roaming\server.exe | Avira: detection malicious, Label: TR/Dropper.Gen
            Source: 0.0.U22p1GcCSb.exe.e40000.0.unpack | Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "7330bac122947b8db6af3ae8d6783a41", "Install Dir": "system", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
            Source: 6.tcp.eu.ngrok.io | Virustotal: Detection: 10%
            Source: C:\Notepad.exe | ReversingLabs: Detection: 81%
            Source: C:\Notepad.exe | Virustotal: Detection: 73%
            Source: C:\Program Files (x86)\Explower.exe | ReversingLabs: Detection: 81%
            Source: C:\Program Files (x86)\Explower.exe | Virustotal: Detection: 73%
            Source: C:\Umbrella.flv.exe | ReversingLabs: Detection: 81%
            Source: C:\Umbrella.flv.exe | Virustotal: Detection: 73%
            Source: C:\Users\user\AppData\Local\Explower.exe | ReversingLabs: Detection: 81%
            Source: C:\Users\user\AppData\Local\Explower.exe | Virustotal: Detection: 73%
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe | ReversingLabs: Detection: 81%
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe | Virustotal: Detection: 73%
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe | ReversingLabs: Detection: 81%
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe | Virustotal: Detection: 73%
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe | ReversingLabs: Detection: 81%
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe | Virustotal: Detection: 73%
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe | ReversingLabs: Detection: 81%
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe | Virustotal: Detection: 73%
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | ReversingLabs: Detection: 81%
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Virustotal: Detection: 73%
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | ReversingLabs: Detection: 81%
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Virustotal: Detection: 73%
            Source: C:\Users\user\AppData\Roaming\server.exe | ReversingLabs: Detection: 81%
            Source: C:\Users\user\AppData\Roaming\server.exe | Virustotal: Detection: 73%
            Source: C:\Users\user\Desktop\Explower.exe | ReversingLabs: Detection: 81%
            Source: C:\Users\user\Desktop\Explower.exe | Virustotal: Detection: 73%
            Source: C:\Users\user\Documents\Explower.exe | ReversingLabs: Detection: 81%
            Source: C:\Users\user\Documents\Explower.exe | Virustotal: Detection: 73%
            Source: C:\Users\user\Favorites\Explower.exe | ReversingLabs: Detection: 81%
            Source: C:\Users\user\Favorites\Explower.exe | Virustotal: Detection: 73%
            Source: C:\Windows\SysWOW64\Explower.exe | ReversingLabs: Detection: 81%
            Source: C:\Windows\SysWOW64\Explower.exe | Virustotal: Detection: 73%
            Source: C:\system.exe | ReversingLabs: Detection: 81%
            Source: C:\system.exe | Virustotal: Detection: 73%
            Source: U22p1GcCSb.exe | ReversingLabs: Detection: 81%
            Source: U22p1GcCSb.exe | Virustotal: Detection: 73%
            Source: Yara match | File source: U22p1GcCSb.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.U22p1GcCSb.exe.e40000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.1237415316.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1257055398.0000000004588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: U22p1GcCSb.exe PID: 7616, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: server.exe PID: 7740, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: 7330bac122947b8db6af3ae8d6783a41Windows Update.exe PID: 1472, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Explower.exe PID: 7628, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Microsoft Corporation.exe PID: 7812, type: MEMORYSTR
            Source: Yara match | File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED
            Source: Yara match | File source: C:\system.exe, type: DROPPED
            Source: Yara match | File source: C:\Notepad.exe, type: DROPPED
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, type: DROPPED
            Source: Yara match | File source: C:\Umbrella.flv.exe, type: DROPPED
            Source: C:\system.exe | Joe Sandbox ML: detected
            Source: C:\Notepad.exe | Joe Sandbox ML: detected
            Source: C:\Program Files (x86)\Explower.exe | Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe | Joe Sandbox ML: detected
            Source: C:\Umbrella.flv.exe | Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Roaming\server.exe | Joe Sandbox ML: detected
            Source: U22p1GcCSb.exe | Joe Sandbox ML: detected
            Source: U22p1GcCSb.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
            Source: U22p1GcCSb.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Spreading

            Source: U22p1GcCSb.exe, Usb1.cs | .Net Code: infect
            Source: server.exe.0.dr, Usb1.cs | .Net Code: infect
            Source: Explower.exe.2.dr, Usb1.cs | .Net Code: infect
            Source: Explower.exe0.2.dr, Usb1.cs | .Net Code: infect
            Source: Explower.exe1.2.dr, Usb1.cs | .Net Code: infect
            Source: Explower.exe2.2.dr, Usb1.cs | .Net Code: infect
            Source: Explower.exe3.2.dr, Usb1.cs | .Net Code: infect
            Source: Explower.exe4.2.dr, Usb1.cs | .Net Code: infect
            Source: Explower.exe5.2.dr, Usb1.cs | .Net Code: infect
            Source: Explower.exe6.2.dr, Usb1.cs | .Net Code: infect
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\autorun.inf
            Source: U22p1GcCSb.exe, 00000000.00000000.1237415316.0000000000E42000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: \autorun.inf
            Source: U22p1GcCSb.exe, 00000000.00000000.1237415316.0000000000E42000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: [autorun]
            Source: U22p1GcCSb.exe, 00000000.00000000.1237415316.0000000000E42000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: autorun.inf
            Source: U22p1GcCSb.exe, 00000000.00000002.1257055398.0000000004588000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \autorun.inf
            Source: U22p1GcCSb.exe, 00000000.00000002.1257055398.0000000004588000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: U22p1GcCSb.exe, 00000000.00000002.1257055398.0000000004588000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \autorun.inf
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf$O
            Source: U22p1GcCSb.exe | Binary or memory string: \autorun.inf
            Source: U22p1GcCSb.exe | Binary or memory string: [autorun]
            Source: U22p1GcCSb.exe | Binary or memory string: autorun.inf
            Source: autorun.inf.2.dr | Binary or memory string: [autorun]
            Source: system.exe.2.dr | Binary or memory string: \autorun.inf
            Source: system.exe.2.dr | Binary or memory string: [autorun]
            Source: system.exe.2.dr | Binary or memory string: autorun.inf
            Source: Notepad.exe.2.dr | Binary or memory string: \autorun.inf
            Source: Notepad.exe.2.dr | Binary or memory string: [autorun]
            Source: Notepad.exe.2.dr | Binary or memory string: autorun.inf
            Source: Explower.exe7.2.dr | Binary or memory string: \autorun.inf
            Source: Explower.exe7.2.dr | Binary or memory string: [autorun]
            Source: Explower.exe7.2.dr | Binary or memory string: autorun.inf
            Source: Explower.exe2.2.dr | Binary or memory string: \autorun.inf
            Source: Explower.exe2.2.dr | Binary or memory string: [autorun]
            Source: Explower.exe2.2.dr | Binary or memory string: autorun.inf
            Source: Explower.exe5.2.dr | Binary or memory string: \autorun.inf
            Source: Explower.exe5.2.dr | Binary or memory string: [autorun]
            Source: Explower.exe5.2.dr | Binary or memory string: autorun.inf
            Source: Microsoft Corporation.exe.2.dr | Binary or memory string: \autorun.inf
            Source: Microsoft Corporation.exe.2.dr | Binary or memory string: [autorun]
            Source: Microsoft Corporation.exe.2.dr | Binary or memory string: autorun.inf
            Source: Explower.exe4.2.dr | Binary or memory string: \autorun.inf
            Source: Explower.exe4.2.dr | Binary or memory string: [autorun]
            Source: Explower.exe4.2.dr | Binary or memory string: autorun.inf
            Source: Explower.exe0.2.dr | Binary or memory string: \autorun.inf
            Source: Explower.exe0.2.dr | Binary or memory string: [autorun]
            Source: Explower.exe0.2.dr | Binary or memory string: autorun.inf
            Source: 7330bac122947b8db6af3ae8d6783a41Windows Update.exe.2.dr | Binary or memory string: \autorun.inf
            Source: 7330bac122947b8db6af3ae8d6783a41Windows Update.exe.2.dr | Binary or memory string: [autorun]
            Source: 7330bac122947b8db6af3ae8d6783a41Windows Update.exe.2.dr | Binary or memory string: autorun.inf
            Source: Explower.exe8.2.dr | Binary or memory string: \autorun.inf
            Source: Explower.exe8.2.dr | Binary or memory string: [autorun]
            Source: Explower.exe8.2.dr | Binary or memory string: autorun.inf
            Source: Umbrella.flv.exe.2.dr | Binary or memory string: \autorun.inf
            Source: Umbrella.flv.exe.2.dr | Binary or memory string: [autorun]
            Source: Umbrella.flv.exe.2.dr | Binary or memory string: autorun.inf
            Source: server.exe.0.dr | Binary or memory string: \autorun.inf
            Source: server.exe.0.dr | Binary or memory string: [autorun]
            Source: server.exe.0.dr | Binary or memory string: autorun.inf
            Source: Explower.exe1.2.dr | Binary or memory string: \autorun.inf
            Source: Explower.exe1.2.dr | Binary or memory string: [autorun]
            Source: Explower.exe1.2.dr | Binary or memory string: autorun.inf
            Source: Explower.exe.2.dr | Binary or memory string: \autorun.inf
            Source: Explower.exe.2.dr | Binary or memory string: [autorun]
            Source: Explower.exe.2.dr | Binary or memory string: autorun.inf
            Source: Explower.exe3.2.dr | Binary or memory string: \autorun.inf
            Source: Explower.exe3.2.dr | Binary or memory string: [autorun]
            Source: Explower.exe3.2.dr | Binary or memory string: autorun.inf
            Source: Explower.exe6.2.dr | Binary or memory string: \autorun.inf
            Source: Explower.exe6.2.dr | Binary or memory string: [autorun]
            Source: Explower.exe6.2.dr | Binary or memory string: autorun.inf
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | File opened: C:\Users\user\

            Networking

            barindex
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49703 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49704 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49704 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49705 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49707 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49707 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49711 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49711 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49713 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49713 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49714 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49714 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49715 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49715 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49716 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49717 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49717 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49718 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49718 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49719 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49719 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49720 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49720 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49721 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49721 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49722 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49723 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49723 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49724 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49724 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49725 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49725 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49727 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49728 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49728 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49729 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49729 -> 3.66.38.117:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49730 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49730 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49731 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49731 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49732 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49732 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49733 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49733 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49734 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49734 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49735 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49736 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49736 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49737 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49737 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49738 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49739 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49740 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49740 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49741 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49741 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49742 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49742 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49743 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49743 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49744 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49744 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49745 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49745 -> 18.197.239.109:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49746 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49746 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49747 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49747 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49748 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49748 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49749 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49750 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49750 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49751 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49751 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49752 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49753 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49753 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49754 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49754 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49755 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49755 -> 52.28.247.255:13672
            Source: TrafficSnort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49756 -> 52.28.247.255:13672
            Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49756 -> 52.28.247.255:13672
            Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49757 -> 52.28.247.255:13672
            Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49757 -> 52.28.247.255:13672
            Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49758 -> 3.68.171.119:13672
            Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49759 -> 3.68.171.119:13672
            Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49759 -> 3.68.171.119:13672
            Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49760 -> 3.68.171.119:13672
            Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49760 -> 3.68.171.119:13672
            Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49761 -> 3.68.171.119:13672
            Source: Traffic | Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.10:49762 -> 3.68.171.119:13672
            Source: Traffic | Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.10:49762 -> 3.68.171.119:13672
            Source: global traffic | TCP traffic: 3.66.38.117 ports 13672,1,2,3,6,7
            Source: global traffic | TCP traffic: 52.28.247.255 ports 13672,1,2,3,6,7
            Source: global traffic | TCP traffic: 18.197.239.109 ports 13672,1,2,3,6,7
            Source: global traffic | TCP traffic: 3.68.171.119 ports 13672,1,2,3,6,7
            Source: global traffic | TCP traffic: 192.168.2.10:49703 -> 3.66.38.117:13672
            Source: global traffic | TCP traffic: 192.168.2.10:49730 -> 18.197.239.109:13672
            Source: global traffic | TCP traffic: 192.168.2.10:49746 -> 52.28.247.255:13672
            Source: global traffic | TCP traffic: 192.168.2.10:49758 -> 3.68.171.119:13672
            Source: Joe Sandbox View | IP Address: 3.66.38.117
            Source: Joe Sandbox View | IP Address: 52.28.247.255
            Source: Joe Sandbox View | IP Address: 18.197.239.109
            Source: Joe Sandbox View | IP Address: 3.68.171.119
            Source: Joe Sandbox View | ASN Name: AMAZON-02US
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown | DNS traffic detected: queries for: 6.tcp.eu.ngrok.io
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Window created: window name: CLIPBRDWNDCLASS
            Source: C:\Users\user\AppData\Roaming\server.exe | Window created: window name: CLIPBRDWNDCLASS
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe | Window created: window name: CLIPBRDWNDCLASS
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | Window created: window name: CLIPBRDWNDCLASS
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Window created: window name: CLIPBRDWNDCLASS

            E-Banking Fraud

            Source: Yara match | File source: U22p1GcCSb.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.U22p1GcCSb.exe.e40000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.1237415316.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1257055398.0000000004588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: U22p1GcCSb.exe PID: 7616, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: server.exe PID: 7740, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: 7330bac122947b8db6af3ae8d6783a41Windows Update.exe PID: 1472, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Explower.exe PID: 7628, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: Microsoft Corporation.exe PID: 7812, type: MEMORYSTR
            Source: Yara match | File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED
            Source: Yara match | File source: C:\system.exe, type: DROPPED
            Source: Yara match | File source: C:\Notepad.exe, type: DROPPED
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, type: DROPPED
            Source: Yara match | File source: C:\Umbrella.flv.exe, type: DROPPED

            System Summary

            Source: U22p1GcCSb.exe, type: SAMPLE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: U22p1GcCSb.exe, type: SAMPLE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: U22p1GcCSb.exe, type: SAMPLE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: U22p1GcCSb.exe, type: SAMPLE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: 0.0.U22p1GcCSb.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: 0.0.U22p1GcCSb.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 0.0.U22p1GcCSb.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 0.0.U22p1GcCSb.exe.e40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: 00000000.00000000.1237415316.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: 00000000.00000000.1237415316.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.1257055398.0000000004588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: 00000000.00000002.1257055398.0000000004588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: C:\system.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: C:\system.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: C:\system.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\system.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: C:\Notepad.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: C:\Notepad.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: C:\Notepad.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Notepad.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: C:\Users\user\AppData\Roaming\server.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_0074BF22 NtQuerySystemInformation
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_0074BEF1 NtQuerySystemInformation
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Windows\SysWOW64\Explower.exe
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_05754298
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_057544F1
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_057549F9
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_057550E3
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_0575536F
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_05754269
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_057547D4
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_0575505D
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_05755459
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_05754B5B
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_05754544
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_05754936
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_05754630
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_05754F2F
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_05754F9D
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_0575499D
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_05755000
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_0575470F
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Code function: 0_2_05754C8F
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE75A8
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE4298
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE50E3
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE49F9
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE44F1
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE47D4
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE758E
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE4C8F
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE499D
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE4F9D
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE4291
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE536F
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE4544
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE505D
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE4B5B
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE5459
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE4F2F
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE4936
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE4630
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE470F
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_00EE5000
            Source: U22p1GcCSb.exe, 00000000.00000002.1256459948.00000000014FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs U22p1GcCSb.exe
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Roaming\server.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: acgenral.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: samcli.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: msacm32.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: dwmapi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: mpr.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: winmmbase.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: winmmbase.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: aclayers.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: sfc.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: sfc_os.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe  Section loaded: shfolder.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe  Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe  Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe  Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe  Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe  Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe  Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe  Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe  Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe  Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe  Section loaded: shfolder.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe  Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe  Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe  Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe  Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe  Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe  Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe  Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe  Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe  Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe  Section loaded: shfolder.dll
            Source: U22p1GcCSb.exe  Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: U22p1GcCSb.exe, type: SAMPLEMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: U22p1GcCSb.exe, type: SAMPLEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: U22p1GcCSb.exe, type: SAMPLEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: U22p1GcCSb.exe, type: SAMPLEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: 0.0.U22p1GcCSb.exe.e40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: 0.0.U22p1GcCSb.exe.e40000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.U22p1GcCSb.exe.e40000.0.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 0.0.U22p1GcCSb.exe.e40000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: 00000000.00000000.1237415316.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: 00000000.00000000.1237415316.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 00000000.00000002.1257055398.0000000004588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: 00000000.00000002.1257055398.0000000004588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPEDMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPEDMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPEDMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Program Files (x86)\Explower.exe, type: DROPPEDMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPEDMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPEDMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\system.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\system.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\system.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\system.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Program Files (x86)\Explower.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\Notepad.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\Notepad.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Notepad.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Notepad.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: C:\Umbrella.flv.exe, type: DROPPED | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: classification engine | Classification label: mal100.spre.phis.troj.adwa.evad.winEXE@16/25@4/4
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_0074BDA6 AdjustTokenPrivileges, 2_2_0074BDA6
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_0074BD6F AdjustTokenPrivileges, 2_2_0074BD6F
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Program Files (x86)\Explower.exe
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | File created: C:\Users\user\AppData\Roaming\app
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\server.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\server.exe | Mutant created: \Sessions\1\BaseNamedObjects\7330bac122947b8db6af3ae8d6783a41
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | File created: C:\Users\user\AppData\Local\Temp\FransescoPast.txt
            Source: U22p1GcCSb.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: U22p1GcCSb.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: U22p1GcCSb.exe | ReversingLabs: Detection: 81%
            Source: U22p1GcCSb.exe | Virustotal: Detection: 73%
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | File read: C:\Users\user\Desktop\U22p1GcCSb.exe
            Source: unknown | Process created: C:\Users\user\Desktop\U22p1GcCSb.exe C:\Users\user\Desktop\U22p1GcCSb.exe
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Process created: C:\Users\user\AppData\Roaming\server.exe "C:\Users\user\AppData\Roaming\server.exe"
            Source: C:\Users\user\AppData\Roaming\server.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE
            Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\server.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\AppData\Roaming\server.exe"
            Source: C:\Users\user\AppData\Roaming\server.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE
            Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"
            Source: C:\Users\user\AppData\Roaming\server.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: U22p1GcCSb.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
            Source: U22p1GcCSb.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: U22p1GcCSb.exe, Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: server.exe.0.dr, Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: Explower.exe.2.dr, Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: Explower.exe0.2.dr, Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: Explower.exe1.2.dr, Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: Explower.exe2.2.dr, Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: Explower.exe3.2.dr, Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: Explower.exe4.2.dr, Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: Explower.exe5.2.dr, Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: Explower.exe6.2.dr, Fransesco.cs | .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_05C30F8B push cs; ret 2_2_05C30F8E
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_05C3077F push es; ret 2_2_05C30782
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_05C3177F push ss; ret 2_2_05C31782
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_05C31F20 push ds; ret 2_2_05C31F22
            Source: C:\Users\user\AppData\Roaming\server.exe | Code function: 2_2_05C31F25 push ds; ret 2_2_05C31F26
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | Code function: 22_2_00DF37E1 push ss; retf 0000h 22_2_00DF37E2

            Persistence and Installation Behavior

            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Users\user\Documents\Explower.exe
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\system.exe
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Users\user\Desktop\Explower.exe
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | File created: C:\Users\user\AppData\Roaming\server.exe
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Notepad.exe
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Users\user\Favorites\Explower.exe
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Windows\SysWOW64\Explower.exe
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Program Files (x86)\Explower.exe
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Umbrella.flv.exe
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Users\user\AppData\Local\Explower.exe
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe

            Boot Survival

            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
            Source: C:\Users\user\AppData\Roaming\server.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\server.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\server.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe, Memory allocated: 1940000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe, Memory allocated: 3580000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe, Memory allocated: 5580000 memory commit | memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: CC0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 2860000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 4860000 memory commit | memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 5B80000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 6B80000 memory commit | memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 6EB0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 7EB0000 memory commit | memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 8110000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 9110000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: A110000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: B110000 memory commit | memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: B5D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: C5D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: D5D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: E5D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: F5D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 105D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 115D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 125D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 135D0000 memory commit | memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 13F50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 14F50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 15F50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 16F50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 17F50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 18F50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 19F50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1AF50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: B250000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1BF50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1CF50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1DF50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1EF50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1FF50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 20F50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 21F50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 22F50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 23F50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 24F50000 memory commit | memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 26240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 27240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 28240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 29240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 2A240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 2B240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 2C240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 2D240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 135D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 145D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 155D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 165D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 175D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 185D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 195D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1A5D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1B5D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1C5D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1D5D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1E5D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1F5D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 205D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 215D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 225D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 235D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: CE10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: DE10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: EE10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: FE10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 10E10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 11E10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 12E10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 13E10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 14E10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 15E10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 16E10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 17E10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 18E10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 19E10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1AE10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1BE10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1CE10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1DE10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1EE10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1FE10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 20E10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 21E10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 22E10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 23E10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 2E240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 2F240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 30240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 31240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 111D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: DBD0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: ED10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 121D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 131D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 141D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 151D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 161D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 171D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 181D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 191D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1A1D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1B1D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1C1D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1D1D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1E1D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 1F1D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 201D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 211D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 221D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 231D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 124D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 134D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 144D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 32240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 33240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 34240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 35240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 36240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\server.exe, Memory allocated: 37240000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeMemory allocated: A90000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeMemory allocated: 2AA0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeMemory allocated: 4AA0000 memory commit | memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeMemory allocated: 830000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeMemory allocated: 2940000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeMemory allocated: 4940000 memory commit | memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeMemory allocated: C50000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeMemory allocated: 2A80000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeMemory allocated: E20000 memory commit | memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\U22p1GcCSb.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\server.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\server.exeWindow / User API: threadDelayed 386Jump to behavior
            Source: C:\Users\user\AppData\Roaming\server.exeWindow / User API: threadDelayed 2310Jump to behavior
            Source: C:\Users\user\AppData\Roaming\server.exeWindow / User API: threadDelayed 2351Jump to behavior
            Source: C:\Users\user\AppData\Roaming\server.exeWindow / User API: foregroundWindowGot 362Jump to behavior
            Source: C:\Users\user\Desktop\U22p1GcCSb.exe TID: 7652Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\server.exe TID: 8180Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\server.exe TID: 7184Thread sleep time: -1155000s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\server.exe TID: 7184Thread sleep time: -1175500s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe TID: 7884Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe TID: 7340Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe TID: 7824Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\U22p1GcCSb.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\server.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Jump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\AppData\Jump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jump to behavior
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exeFile opened: C:\Users\user\Jump to behavior
            Source: netsh.exe, 00000007.00000002.1277157562.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000000B.00000003.1352540513.0000000000761000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
            Source: netsh.exe, 0000000A.00000003.1343761186.0000000000C91000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
            Source: server.exe, 00000002.00000002.3706026943.0000000006E8E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\AppData\Roaming\server.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\server.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\U22p1GcCSb.exeMemory allocated: page read and write | page guardJump to behavior
            Source: C:\Users\user\Desktop\U22p1GcCSb.exeProcess created: C:\Users\user\AppData\Roaming\server.exe "C:\Users\user\AppData\Roaming\server.exe" Jump to behavior
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:58:36 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 14:07:37 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:04 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:11 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/12 | 00:05:07 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:31 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:58:29 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 14:43:39 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:24 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/12 | 01:01:42 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:58:02 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 14:00:33 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 14:01:37 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 16:37:18 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:59:54 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 19:36:55 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:23 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:58:42 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:40 - Program Manager
            Source: U22p1GcCSb.exe, 00000000.00000002.1256975107.00000000035B3000.00000004.00000800.00020000.00000000.sdmp, U22p1GcCSb.exe, 00000000.00000002.1256975107.0000000003581000.00000004.00000800.00020000.00000000.sdmp, 7330bac122947b8db6af3ae8d6783a41Windows Update.exe, 00000012.00000002.1456137029.0000000002AA1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -jledProgram Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:58:08 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 15:11:26 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:10 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:53 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:43 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:59 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/14 | 14:03:16 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 14:00:47 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:58:44 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:02 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:42 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:38 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 16:10:15 - Program Manager
            Source: U22p1GcCSb.exe, 00000000.00000002.1256975107.00000000035B3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:01 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/12 | 05:38:31 - Program Manager
            Source: U22p1GcCSb.exe, 00000000.00000002.1256975107.00000000035B3000.00000004.00000800.00020000.00000000.sdmp, U22p1GcCSb.exe, 00000000.00000002.1256975107.0000000003581000.00000004.00000800.00020000.00000000.sdmp, U22p1GcCSb.exe, 00000000.00000002.1257363082.000000000590B000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Manager
            Source: U22p1GcCSb.exe, system.exe.2.dr, Notepad.exe.2.dr, Explower.exe7.2.dr, Explower.exe2.2.dr, Explower.exe5.2.dr, Microsoft Corporation.exe.2.dr, Explower.exe4.2.dr, Explower.exe0.2.dr, 7330bac122947b8db6af3ae8d6783a41Windows Update.exe.2.dr, Explower.exe8.2.drBinary or memory string: ProgMan
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:58:33 - Program Manager
            Source: 7330bac122947b8db6af3ae8d6783a41Windows Update.exe, 00000012.00000002.1456137029.0000000002AD0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager\Ojl
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:58:19 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmp, 7330bac122947b8db6af3ae8d6783a41Windows Update.exe, 00000012.00000002.1456137029.0000000002AA1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:21 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:41 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:47 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:58:05 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:39 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:13 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 17:54:14 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 14:59:06 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:58:38 - Program Manager
            Source: U22p1GcCSb.exe, system.exe.2.dr, Notepad.exe.2.dr, Explower.exe7.2.dr, Explower.exe2.2.dr, Explower.exe5.2.dr, Microsoft Corporation.exe.2.dr, Explower.exe4.2.dr, Explower.exe0.2.dr, 7330bac122947b8db6af3ae8d6783a41Windows Update.exe.2.dr, Explower.exe8.2.drBinary or memory string: Shell_traywnd+MostrarBarraDeTarefas
            Source: U22p1GcCSb.exe, 00000000.00000002.1257363082.000000000590B000.00000004.00000010.00020000.00000000.sdmp, Microsoft Corporation.exe, 00000016.00000002.1620771348.0000000004E7B000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: dProgram Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:56 - Program Manager
            Source: U22p1GcCSb.exe, system.exe.2.dr, Notepad.exe.2.dr, Explower.exe7.2.dr, Explower.exe2.2.dr, Explower.exe5.2.dr, Microsoft Corporation.exe.2.dr, Explower.exe4.2.dr, Explower.exe0.2.dr, 7330bac122947b8db6af3ae8d6783a41Windows Update.exe.2.dr, Explower.exe8.2.drBinary or memory string: Shell_TrayWnd
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 15:17:37 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:05 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:58:01 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/12 | 03:05:39 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 15:34:56 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:57:25 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/12 | 07:48:48 - Program Manager
            Source: server.exe, 00000002.00000002.3698774456.000000000286E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/03/11 | 13:59:42 - Program Manager
            Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\server.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: U22p1GcCSb.exe, Fransesco.cs; .Net Code: INS
            Source: server.exe.0.dr, Fransesco.cs; .Net Code: INS
            Source: Explower.exe.2.dr, Fransesco.cs; .Net Code: INS
            Source: Explower.exe0.2.dr, Fransesco.cs; .Net Code: INS
            Source: Explower.exe1.2.dr, Fransesco.cs; .Net Code: INS
            Source: Explower.exe2.2.dr, Fransesco.cs; .Net Code: INS
            Source: Explower.exe3.2.dr, Fransesco.cs; .Net Code: INS
            Source: Explower.exe4.2.dr, Fransesco.cs; .Net Code: INS
            Source: Explower.exe5.2.dr, Fransesco.cs; .Net Code: INS
            Source: Explower.exe6.2.dr, Fransesco.cs; .Net Code: INS
            Source: C:\Users\user\AppData\Roaming\server.exe; Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr
            Source: C:\Users\user\AppData\Roaming\server.exe; Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
            Source: C:\Users\user\AppData\Roaming\server.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE
            Source: C:\Users\user\AppData\Roaming\server.exe; Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE

            Stealing of Sensitive Information

            Source: Yara match; File source: U22p1GcCSb.exe, type: SAMPLE
            Source: Yara match; File source: 0.0.U22p1GcCSb.exe.e40000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000000.00000000.1237415316.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.1257055398.0000000004588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: U22p1GcCSb.exe PID: 7616, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: server.exe PID: 7740, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: 7330bac122947b8db6af3ae8d6783a41Windows Update.exe PID: 1472, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: Explower.exe PID: 7628, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: Microsoft Corporation.exe PID: 7812, type: MEMORYSTR
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
            Source: Yara match; File source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED
            Source: Yara match; File source: C:\system.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Notepad.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, type: DROPPED
            Source: Yara match; File source: C:\Umbrella.flv.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED

            Remote Access Functionality

            Source: Yara match; File source: U22p1GcCSb.exe, type: SAMPLE
            Source: Yara match; File source: 0.0.U22p1GcCSb.exe.e40000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000000.00000000.1237415316.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.1257055398.0000000004588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: U22p1GcCSb.exe PID: 7616, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: server.exe PID: 7740, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: 7330bac122947b8db6af3ae8d6783a41Windows Update.exe PID: 1472, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: Explower.exe PID: 7628, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: Microsoft Corporation.exe PID: 7812, type: MEMORYSTR
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, type: DROPPED
            Source: Yara match; File source: C:\Users\user\AppData\Roaming\server.exe, type: DROPPED
            Source: Yara match; File source: C:\system.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Notepad.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, type: DROPPED
            Source: Yara match; File source: C:\Umbrella.flv.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            Source: Yara match; File source: C:\Program Files (x86)\Explower.exe, type: DROPPED
            MITRE ATT&CK Matrix (techniques listed per tactic column; a number in front of a technique is the badge the matrix shows for that cell)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
            Initial Access: 21 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
            Persistence: 12 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Privilege Escalation: 1 Access Token Manipulation; 12 Process Injection; 12 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Defense Evasion: 32 Masquerading; 51 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 12 Process Injection; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            Discovery: 11 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Peripheral Device Discovery; 2 File and Directory Discovery; 12 System Information Discovery; System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
            Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph (ID 1406594; sample U22p1GcCSb.exe; start date 11/03/2024; architecture WINDOWS; score 100), rendered as a process tree. Bracketed numbers after a process name are that node's counters from the graph (see the legend: created registry values and created files).

Start (U22p1GcCSb.exe)
  DNS/IP: 6.tcp.eu.ngrok.io
  Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 12 other signatures
  Started processes: U22p1GcCSb.exe [7]; Microsoft Corporation.exe [3]; Explower.exe [3]; 2 other processes

U22p1GcCSb.exe [7]
  Dropped file: C:\Users\user\AppData\Roaming\server.exe (PE32)
  Started process: server.exe [2, 24]

server.exe [2, 24]
  Network: 18.197.239.109, remote port 13672, local ports 49730 and 49731 (AMAZON-02US, United States); 6.tcp.eu.ngrok.io resolving to 3.66.38.117, remote port 13672, local ports 49703 and 49704 (AMAZON-02US, United States); 2 other IPs or domains
  Dropped files: C:\system.exe (PE32); C:\Windows\SysWOW64\Explower.exe (PE32); C:\Users\user\Favorites\Explower.exe (PE32); 13 other malicious files
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops PE files to the document folder of the user; 7 other signatures
  Started processes: netsh.exe [2], three separate instances

netsh.exe (each of the three instances)
  Started process: conhost.exe
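The process tree above yields a compact indicator set: a self-copy dropped to %AppData%\server.exe, further copies in the root of C:, in SysWOW64 and in the user's Startup folder, three netsh.exe runs under server.exe, and an ngrok TCP tunnel (6.tcp.eu.ngrok.io, port 13672) fronted by Amazon addresses. The script below is an added triage example, not Joe Sandbox code and not taken from the sample: it applies those indicators to three host artefacts an incident responder would export from a suspect machine (a file inventory with SHA-256 values, an active-connection list, and parent-image/command-line pairs). The SHA-256 is the one listed for the dropped Notepad.exe later on this page; the profile name, the other hashes, the second ngrok host and the netsh command line in the sample data are constructed, and flagging every *.tcp.*.ngrok.io endpoint at lower severity is a generalisation beyond what this report shows.

```python
"""Host triage against the indicators in this report.

Added example, not Joe Sandbox tooling. The three input lists (files, connections,
processes) stand in for artefacts exported from a suspect host; the ones at the bottom
are constructed test data, not observations from the analysed machine."""
import re
from dataclasses import dataclass

# Indicators taken from the report. Hash comparison is case-insensitive.
SAMPLE_SHA256 = "72feaca614e6e82fa5efd6d8795d68223fef6054ee898ad9cdaed71194a88c8d"
C2_DOMAIN = "6.tcp.eu.ngrok.io"
C2_PORT = 13672
C2_IPS = {"3.66.38.117", "52.28.247.255", "18.197.239.109", "3.68.171.119"}
# Drop locations from the behavior graph and the dropped-file table (lower-case; 'user' = any profile).
DROPPED_PATHS = {
    "c:\\system.exe",
    "c:\\notepad.exe",
    "c:\\umbrella.flv.exe",
    "c:\\program files (x86)\\explower.exe",
    "c:\\windows\\syswow64\\explower.exe",
    "c:\\users\\user\\appdata\\roaming\\server.exe",
    "c:\\users\\user\\favorites\\explower.exe",
}
PROFILE_RE = re.compile(r"^c:\\users\\[^\\]+\\")
STARTUP_RE = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.exe$")
# Assumption: any ngrok TCP tunnel endpoint deserves a lower-severity hit (the report only shows the EU one).
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(?:\.[a-z]{2,3})?\.ngrok\.io$")
# 'netsh firewall ...' or 'netsh advfirewall firewall ...'; the report shows three netsh runs under server.exe.
NETSH_FW_RE = re.compile(r"^(?:.*\\)?netsh(?:\.exe)?\s+(?:advfirewall\s+)?firewall\b", re.I)
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Finding:
    kind: str      # hash | drop-path | startup | c2 | ngrok-tunnel | netsh
    detail: str


def check_files(files):
    """files: iterable of (path, sha256_hex). One 'hash' or 'drop-path' finding per file, plus
    'startup' for any executable in the per-user Startup folder, whatever its name or hash."""
    out = []
    for path, sha in files:
        p = path.lower()
        normalised = PROFILE_RE.sub(lambda _: "c:\\users\\user\\", p)
        if sha.lower() == SAMPLE_SHA256:
            out.append(Finding("hash", path))
        elif normalised in DROPPED_PATHS:
            out.append(Finding("drop-path", path))
        if STARTUP_RE.search(p):
            out.append(Finding("startup", path))
    return out


def check_connections(conns):
    """conns: iterable of (remote_host, remote_port). The report's endpoint, its IPs, or any ngrok
    tunnel on the report's port are 'c2'; any other ngrok TCP tunnel is 'ngrok-tunnel'."""
    out = []
    for host, port in conns:
        h = host.lower()
        if h == C2_DOMAIN or h in C2_IPS or (NGROK_TCP_RE.match(h) and port == C2_PORT):
            out.append(Finding("c2", f"{host}:{port}"))
        elif NGROK_TCP_RE.match(h):
            out.append(Finding("ngrok-tunnel", f"{host}:{port}"))
    return out


def check_processes(procs):
    """procs: iterable of (parent_image, command_line). Firewall changes via netsh are expected from
    service hosts under System32, not from a binary living in a user profile or the root of C:."""
    out = []
    for parent, cmdline in procs:
        if NETSH_FW_RE.match(cmdline.strip()) and not parent.lower().startswith(SYSTEM32):
            out.append(Finding("netsh", f"{parent} -> {cmdline}"))
    return out


# Constructed test artefacts (not from the report): one made-up profile name, fake hashes.
SAMPLE_FILES = [
    ("C:\\Users\\alice\\AppData\\Roaming\\server.exe", SAMPLE_SHA256.upper()),
    ("C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Microsoft Corporation.exe", "0" * 64),
    ("C:\\Windows\\System32\\notepad.exe", "1" * 64),   # the real Notepad: no finding expected
    ("C:\\Notepad.exe", "2" * 64),                        # drop location from the report, unknown hash
]
SAMPLE_CONNS = [("6.tcp.eu.ngrok.io", 13672), ("4.tcp.eu.ngrok.io", 18222), ("13.107.4.50", 443)]
SAMPLE_PROCS = [
    ("C:\\Users\\alice\\AppData\\Roaming\\server.exe",
     'netsh firewall add allowedprogram "C:\\Users\\alice\\AppData\\Roaming\\server.exe" "server.exe" ENABLE'),
    ("C:\\Windows\\System32\\services.exe", "netsh advfirewall show allprofiles"),   # benign query
]


def triage(files=SAMPLE_FILES, conns=SAMPLE_CONNS, procs=SAMPLE_PROCS):
    """Run all three checks and return the findings in input order."""
    return check_files(files) + check_connections(conns) + check_processes(procs)


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.kind:12}] {f.detail}")
```

The Startup-folder rule deliberately ignores file names: the report shows three differently named executables autostarting from that folder, and a name-based rule would miss the next copy. Hash matching is strict (only byte-identical copies of this sample), while the drop-path and netsh rules are behavioural and will also catch reconfigured builds.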

Antivirus, machine-learning and reputation detections for the sample

Source | Detection | Scanner | Label
U22p1GcCSb.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
U22p1GcCSb.exe | 74% | Virustotal | -
U22p1GcCSb.exe | 100% | Avira | TR/Dropper.Gen
U22p1GcCSb.exe | 100% | Joe Sandbox ML | -
Detections for dropped files (the report lists C:\Program Files (x86)\Explower.exe ten times each for Avira and Joe Sandbox ML, once per drop event; those identical rows are collapsed here)

Source | Detection | Scanner | Label
C:\system.exe | 100% | Avira | TR/Dropper.Gen
C:\Notepad.exe | 100% | Avira | TR/Dropper.Gen
C:\Program Files (x86)\Explower.exe (10 identical entries) | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe | 100% | Avira | TR/Dropper.Gen
C:\Umbrella.flv.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\server.exe | 100% | Avira | TR/Dropper.Gen
C:\system.exe | 100% | Joe Sandbox ML | -
C:\Notepad.exe | 100% | Joe Sandbox ML | -
C:\Program Files (x86)\Explower.exe (10 identical entries) | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe | 100% | Joe Sandbox ML | -
C:\Umbrella.flv.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\server.exe | 100% | Joe Sandbox ML | -
C:\Notepad.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Notepad.exe | 74% | Virustotal | -
C:\Program Files (x86)\Explower.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Program Files (x86)\Explower.exe | 74% | Virustotal | -
C:\Umbrella.flv.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Umbrella.flv.exe | 74% | Virustotal | -
C:\Users\user\AppData\Local\Explower.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Explower.exe | 74% | Virustotal | -
C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Microsoft\Windows\History\Explower.exe | 74% | Virustotal | -
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explower.exe | 74% | Virustotal | -
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Explower.exe | 74% | Virustotal | -
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe | 74% | Virustotal | -
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | 74% | Virustotal | -
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | 74% | Virustotal | -
C:\Users\user\AppData\Roaming\server.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\server.exe | 74% | Virustotal | -
C:\Users\user\Desktop\Explower.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\Desktop\Explower.exe | 74% | Virustotal | -
C:\Users\user\Documents\Explower.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\Documents\Explower.exe | 74% | Virustotal | -
C:\Users\user\Favorites\Explower.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\Favorites\Explower.exe | 74% | Virustotal | -
C:\Windows\SysWOW64\Explower.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Windows\SysWOW64\Explower.exe | 74% | Virustotal | -
C:\system.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\system.exe | 74% | Virustotal | -
            No Antivirus matches
Detections for contacted domains

Source | Detection | Scanner | Label
6.tcp.eu.ngrok.io | 11% | Virustotal | -
            No Antivirus matches
Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
6.tcp.eu.ngrok.io | 3.66.38.117 | true | true | - | unknown
            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
3.66.38.117 | 6.tcp.eu.ngrok.io | United States | 16509 | AMAZON-02US | true
52.28.247.255 | unknown | United States | 16509 | AMAZON-02US | true
18.197.239.109 | unknown | United States | 16509 | AMAZON-02US | true
3.68.171.119 | unknown | United States | 16509 | AMAZON-02US | true

All four addresses are Amazon EC2 space behind ngrok's EU TCP tunnel endpoints (the "United States" country is the ASN registration, not where the tunnel terminates), and the context tables further down show the same addresses reused by many unrelated Njrat and AsyncRAT samples. They are shared relay infrastructure rather than attacker-owned hosts, so the stable indicators are the tunnel hostname and port, not the IPs.
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1406594
Start date and time: 2024-03-11 13:56:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: U22p1GcCSb.exe (renamed because the original name is a hash value)
Original Sample Name: 0a5ef41dd9cdbad5c5aaf4ca7b177700.exe
Detection: MAL
Classification: mal100.spre.phis.troj.adwa.evad.winEXE@16/25@4/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 139
• Number of non-executed functions: 17
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtQueryValueKey calls found
Time | Type | Description
13:57:06 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe
13:57:17 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
13:57:26 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
13:57:42 | API Interceptor | 167570x Sleep call for process: server.exe modified
Context for contacted IPs (other Joe Sandbox analyses that contacted the same address; the SHA 256 and report links of those samples are not reproduced here)

Match | Associated Sample Name / URL | Detection | Threat Name
3.66.38.117 | NfJ0jC2dPr.exe | malicious | Njrat
3.66.38.117 | ziTLBa3N50.exe | malicious | Njrat
3.66.38.117 | 1.exe | malicious | Njrat
3.66.38.117 | 226dVJ2zRZ.exe | malicious | Njrat
3.66.38.117 | IsJb5hB84q.exe | malicious | Njrat
3.66.38.117 | Terraria.exe | malicious | Njrat
3.66.38.117 | rkIcS0Y2WY.exe | malicious | Njrat
3.66.38.117 | m5l9v13hIi.exe | malicious | Njrat
3.66.38.117 | QsKtlzYaKF.exe | malicious | Njrat
3.66.38.117 | dKe1GfZOs1.exe | malicious | Njrat
52.28.247.255 | M5vARlA2c4.exe | malicious | Njrat
52.28.247.255 | 1.exe | malicious | Njrat
52.28.247.255 | rkIcS0Y2WY.exe | malicious | Njrat
52.28.247.255 | N1aqZIb7KG.exe | malicious | Njrat
52.28.247.255 | QsKtlzYaKF.exe | malicious | Njrat
52.28.247.255 | dKe1GfZOs1.exe | malicious | Njrat
52.28.247.255 | X5eo58PPCB.exe | malicious | Njrat
52.28.247.255 | ZuXcnAYgVp.exe | malicious | Njrat
52.28.247.255 | wiUnP1h5Ex.exe | malicious | Njrat
52.28.247.255 | BqFosj9Wcb.exe | malicious | Njrat
18.197.239.109 | Client.exe | malicious | AsyncRAT, DcRat
18.197.239.109 | zyx3qItgQK.exe | malicious | Njrat
18.197.239.109 | 226dVJ2zRZ.exe | malicious | Njrat
18.197.239.109 | IsJb5hB84q.exe | malicious | Njrat
18.197.239.109 | rkIcS0Y2WY.exe | malicious | Njrat
18.197.239.109 | 30b4CoDmKk.exe | malicious | Njrat
18.197.239.109 | N1aqZIb7KG.exe | malicious | Njrat
18.197.239.109 | dKe1GfZOs1.exe | malicious | Njrat
18.197.239.109 | bRxR.exe | malicious | AsyncRAT, DcRat
18.197.239.109 | ZuXcnAYgVp.exe | malicious | Njrat
3.68.171.119 | M5vARlA2c4.exe | malicious | Njrat
3.68.171.119 | YTYyFVemXR.exe | malicious | Njrat
3.68.171.119 | zyx3qItgQK.exe | malicious | Njrat
3.68.171.119 | NfJ0jC2dPr.exe | malicious | Njrat
3.68.171.119 | 226dVJ2zRZ.exe | malicious | Njrat
3.68.171.119 | N1aqZIb7KG.exe | malicious | Njrat
3.68.171.119 | m5l9v13hIi.exe | malicious | Njrat
3.68.171.119 | sCXwkZrcZ3.exe | malicious | Njrat
3.68.171.119 | X5eo58PPCB.exe | malicious | Njrat
3.68.171.119 | wiUnP1h5Ex.exe | malicious | Njrat
Context for contacted domains (the Context column is the IP the domain resolved to in that analysis)

Match | Associated Sample Name / URL | Detection | Threat Name | Context
6.tcp.eu.ngrok.io | Client.exe | malicious | AsyncRAT, DcRat | 3.69.157.220
6.tcp.eu.ngrok.io | M5vARlA2c4.exe | malicious | Njrat | 3.68.171.119
6.tcp.eu.ngrok.io | YTYyFVemXR.exe | malicious | Njrat | 3.68.171.119
6.tcp.eu.ngrok.io | zyx3qItgQK.exe | malicious | Njrat | 3.69.115.178
6.tcp.eu.ngrok.io | NfJ0jC2dPr.exe | malicious | Njrat | 3.69.157.220
6.tcp.eu.ngrok.io | ziTLBa3N50.exe | malicious | Njrat | 3.69.157.220
6.tcp.eu.ngrok.io | 1.exe | malicious | Njrat | 3.66.38.117
6.tcp.eu.ngrok.io | 226dVJ2zRZ.exe | malicious | Njrat | 3.69.157.220
6.tcp.eu.ngrok.io | IsJb5hB84q.exe | malicious | Njrat | 3.66.38.117
6.tcp.eu.ngrok.io | Terraria.exe | malicious | Njrat | 3.66.38.117
Context for the contacted ASN (the report repeats this table once for each of the four contacted IPs, all in AMAZON-02US; it is shown once here; the Context column is the IP contacted in that analysis)

Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | https://tbyvhszminlmkuuwnrfkaos.s3.eu-west-2.amazonaws.com/url.html | malicious | Phisher | 52.95.148.118
AMAZON-02US | Qr03qxnwhC.elf | malicious | Mirai, Gafgyt | 34.249.145.219
AMAZON-02US | https://sourceforge.net/projects/docfetcher/files/docfetcher/1.1.25/docfetcher_1.1.25_win32_setup.exe/download | malicious | Unknown | 13.226.210.86
AMAZON-02US | g0mgJJSvHD.elf | malicious | Mirai, Gafgyt | 34.243.160.129
AMAZON-02US | aLbc2QiwYI.exe | malicious | Njrat | 18.192.31.165
AMAZON-02US | FOS2UmYQkF.exe | malicious | Njrat | 18.158.249.75
AMAZON-02US | CtEeMS3H62.exe | malicious | Amadey, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Stealc, Vidar | 76.223.105.230
AMAZON-02US | 7ssYCeK26Z.elf | malicious | Gafgyt, Mirai | 34.249.145.219
AMAZON-02US | IDliVBPiHv.elf | malicious | Kaiji | 54.171.230.55
AMAZON-02US | LN1ynNRug5.elf | malicious | Mirai, Moobot | 34.249.145.219
                                                                                            No context
                                                                                            No context
                                                                                            Process:C:\Users\user\AppData\Roaming\server.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):95232
                                                                                            Entropy (8bit):5.557340269197646
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:uY35sTnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3PsGdpKgM:7s7kVbPGHz88Eb71pjEwzGi1dD7DKgS
                                                                                            MD5:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            SHA1:AB67841AAEC06B8527596203C2C426E6F59B0470
                                                                                            SHA-256:72FEACA614E6E82FA5EFD6D8795D68223FEF6054EE898AD9CDAED71194A88C8D
                                                                                            SHA-512:D1B2E87C510BD0DF4C801572DABFE14C6CE04B7FFAC5883B3A26CF21A252369C026E878A3FEE1D5BB0E5402B0D94146149F2DA8418099DE5AFD63B4DC7FCA653
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Notepad.exe, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Notepad.exe, Author: unknown
                                                                                            • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Notepad.exe, Author: Florian Roth
                                                                                            • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Notepad.exe, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Notepad.exe, Author: ditekSHen
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                             • Antivirus: Virustotal, Detection: 74%
                                                                                            Reputation:low
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................p............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                            Process:C:\Users\user\AppData\Roaming\server.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):95232
                                                                                            Entropy (8bit):5.557340269197646
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:uY35sTnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3PsGdpKgM:7s7kVbPGHz88Eb71pjEwzGi1dD7DKgS
                                                                                            MD5:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            SHA1:AB67841AAEC06B8527596203C2C426E6F59B0470
                                                                                            SHA-256:72FEACA614E6E82FA5EFD6D8795D68223FEF6054EE898AD9CDAED71194A88C8D
                                                                                            SHA-512:D1B2E87C510BD0DF4C801572DABFE14C6CE04B7FFAC5883B3A26CF21A252369C026E878A3FEE1D5BB0E5402B0D94146149F2DA8418099DE5AFD63B4DC7FCA653
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Program Files (x86)\Explower.exe, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Program Files (x86)\Explower.exe, Author: unknown
                                                                                            • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Program Files (x86)\Explower.exe, Author: Florian Roth
                                                                                            • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Program Files (x86)\Explower.exe, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Program Files (x86)\Explower.exe, Author: ditekSHen
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                             • Antivirus: Virustotal, Detection: 74%
                                                                                            Reputation:low
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................p............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                            Process:C:\Users\user\AppData\Roaming\server.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):95232
                                                                                            Entropy (8bit):5.557340269197646
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:uY35sTnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3PsGdpKgM:7s7kVbPGHz88Eb71pjEwzGi1dD7DKgS
                                                                                            MD5:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            SHA1:AB67841AAEC06B8527596203C2C426E6F59B0470
                                                                                            SHA-256:72FEACA614E6E82FA5EFD6D8795D68223FEF6054EE898AD9CDAED71194A88C8D
                                                                                            SHA-512:D1B2E87C510BD0DF4C801572DABFE14C6CE04B7FFAC5883B3A26CF21A252369C026E878A3FEE1D5BB0E5402B0D94146149F2DA8418099DE5AFD63B4DC7FCA653
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Umbrella.flv.exe, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Umbrella.flv.exe, Author: unknown
                                                                                            • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Umbrella.flv.exe, Author: Florian Roth
                                                                                            • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Umbrella.flv.exe, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Umbrella.flv.exe, Author: ditekSHen
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                             • Antivirus: Virustotal, Detection: 74%
                                                                                            Reputation:low
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................p............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                            Process:C:\Users\user\AppData\Roaming\server.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):95232
                                                                                            Entropy (8bit):5.557340269197646
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:uY35sTnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3PsGdpKgM:7s7kVbPGHz88Eb71pjEwzGi1dD7DKgS
                                                                                            MD5:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            SHA1:AB67841AAEC06B8527596203C2C426E6F59B0470
                                                                                            SHA-256:72FEACA614E6E82FA5EFD6D8795D68223FEF6054EE898AD9CDAED71194A88C8D
                                                                                            SHA-512:D1B2E87C510BD0DF4C801572DABFE14C6CE04B7FFAC5883B3A26CF21A252369C026E878A3FEE1D5BB0E5402B0D94146149F2DA8418099DE5AFD63B4DC7FCA653
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                             • Antivirus: Virustotal, Detection: 74%
                                                                                            Reputation:low
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................p............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                            Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):525
                                                                                            Entropy (8bit):5.259753436570609
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                                                                                            MD5:260E01CC001F9C4643CA7A62F395D747
                                                                                            SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                                                                                            SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                                                                                            SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                                                                                            Malicious:false
                                                                                            Reputation:moderate, very likely benign file
                                                                                            Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                                                                            Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):525
                                                                                            Entropy (8bit):5.259753436570609
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                                                                                            MD5:260E01CC001F9C4643CA7A62F395D747
                                                                                            SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                                                                                            SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                                                                                            SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                                                                                            Malicious:false
                                                                                            Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                                                                            Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):525
                                                                                            Entropy (8bit):5.259753436570609
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                                                                                            MD5:260E01CC001F9C4643CA7A62F395D747
                                                                                            SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                                                                                            SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                                                                                            SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                                                                                            Malicious:false
                                                                                            Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                                                                            Process:C:\Users\user\Desktop\U22p1GcCSb.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):525
                                                                                            Entropy (8bit):5.259753436570609
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:Q3LaJU2C9XAn10Ug+9pfu9t0U29xtUz1B0U2uk71K6xhk7v:MLF2CpI3zffup29Iz52Ve
                                                                                            MD5:260E01CC001F9C4643CA7A62F395D747
                                                                                            SHA1:492AD0ACE3A9C8736909866EEA168962D418BE5A
                                                                                            SHA-256:4BC52CCF866F489772A6919A0CC2C55B1432729D6BDF29E17E5853ABDFAB6030
                                                                                            SHA-512:01AF7D75257E3DBD460E328F5C057D0367B83D3D9397E89CA3AE54AB9B2842D62352D8CCB4BE98ACE0C5667846759D32C199DE39ECCD0CF9CD6A83267D27E7C4
                                                                                            Malicious:false
                                                                                            Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..
                                                                                            Process:C:\Users\user\AppData\Roaming\server.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):95232
                                                                                            Entropy (8bit):5.557340269197646
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:uY35sTnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3PsGdpKgM:7s7kVbPGHz88Eb71pjEwzGi1dD7DKgS
                                                                                            MD5:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            SHA1:AB67841AAEC06B8527596203C2C426E6F59B0470
                                                                                            SHA-256:72FEACA614E6E82FA5EFD6D8795D68223FEF6054EE898AD9CDAED71194A88C8D
                                                                                            SHA-512:D1B2E87C510BD0DF4C801572DABFE14C6CE04B7FFAC5883B3A26CF21A252369C026E878A3FEE1D5BB0E5402B0D94146149F2DA8418099DE5AFD63B4DC7FCA653
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                            • Antivirus: Virustotal, Detection: 74%, Browse
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................p............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                            Process:C:\Users\user\AppData\Roaming\server.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):95232
                                                                                            Entropy (8bit):5.557340269197646
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:uY35sTnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3PsGdpKgM:7s7kVbPGHz88Eb71pjEwzGi1dD7DKgS
                                                                                            MD5:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            SHA1:AB67841AAEC06B8527596203C2C426E6F59B0470
                                                                                            SHA-256:72FEACA614E6E82FA5EFD6D8795D68223FEF6054EE898AD9CDAED71194A88C8D
                                                                                            SHA-512:D1B2E87C510BD0DF4C801572DABFE14C6CE04B7FFAC5883B3A26CF21A252369C026E878A3FEE1D5BB0E5402B0D94146149F2DA8418099DE5AFD63B4DC7FCA653
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                            • Antivirus: Virustotal, Detection: 74%, Browse
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................p............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                            Process:C:\Users\user\AppData\Roaming\server.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):95232
                                                                                            Entropy (8bit):5.557340269197646
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:uY35sTnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3PsGdpKgM:7s7kVbPGHz88Eb71pjEwzGi1dD7DKgS
                                                                                            MD5:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            SHA1:AB67841AAEC06B8527596203C2C426E6F59B0470
                                                                                            SHA-256:72FEACA614E6E82FA5EFD6D8795D68223FEF6054EE898AD9CDAED71194A88C8D
                                                                                            SHA-512:D1B2E87C510BD0DF4C801572DABFE14C6CE04B7FFAC5883B3A26CF21A252369C026E878A3FEE1D5BB0E5402B0D94146149F2DA8418099DE5AFD63B4DC7FCA653
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                            • Antivirus: Virustotal, Detection: 74%, Browse
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................p............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                            Process:C:\Users\user\AppData\Roaming\server.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):95232
                                                                                            Entropy (8bit):5.557340269197646
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:uY35sTnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3PsGdpKgM:7s7kVbPGHz88Eb71pjEwzGi1dD7DKgS
                                                                                            MD5:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            SHA1:AB67841AAEC06B8527596203C2C426E6F59B0470
                                                                                            SHA-256:72FEACA614E6E82FA5EFD6D8795D68223FEF6054EE898AD9CDAED71194A88C8D
                                                                                            SHA-512:D1B2E87C510BD0DF4C801572DABFE14C6CE04B7FFAC5883B3A26CF21A252369C026E878A3FEE1D5BB0E5402B0D94146149F2DA8418099DE5AFD63B4DC7FCA653
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, Author: unknown
                                                                                            • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, Author: Florian Roth
                                                                                            • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, Author: ditekSHen
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                            • Antivirus: Virustotal, Detection: 74%, Browse
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................p............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                            Process:C:\Users\user\AppData\Roaming\server.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):95232
                                                                                            Entropy (8bit):5.557340269197646
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:uY35sTnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3PsGdpKgM:7s7kVbPGHz88Eb71pjEwzGi1dD7DKgS
                                                                                            MD5:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            SHA1:AB67841AAEC06B8527596203C2C426E6F59B0470
                                                                                            SHA-256:72FEACA614E6E82FA5EFD6D8795D68223FEF6054EE898AD9CDAED71194A88C8D
                                                                                            SHA-512:D1B2E87C510BD0DF4C801572DABFE14C6CE04B7FFAC5883B3A26CF21A252369C026E878A3FEE1D5BB0E5402B0D94146149F2DA8418099DE5AFD63B4DC7FCA653
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                            • Antivirus: Virustotal, Detection: 74%, Browse
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................p............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                            Process:C:\Users\user\AppData\Roaming\server.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):95232
                                                                                            Entropy (8bit):5.557340269197646
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:uY35sTnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3PsGdpKgM:7s7kVbPGHz88Eb71pjEwzGi1dD7DKgS
                                                                                            MD5:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            SHA1:AB67841AAEC06B8527596203C2C426E6F59B0470
                                                                                            SHA-256:72FEACA614E6E82FA5EFD6D8795D68223FEF6054EE898AD9CDAED71194A88C8D
                                                                                            SHA-512:D1B2E87C510BD0DF4C801572DABFE14C6CE04B7FFAC5883B3A26CF21A252369C026E878A3FEE1D5BB0E5402B0D94146149F2DA8418099DE5AFD63B4DC7FCA653
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: unknown
                                                                                            • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Florian Roth
                                                                                            • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                            • Antivirus: Virustotal, Detection: 74%, Browse
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................p............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                            Process:C:\Users\user\Desktop\U22p1GcCSb.exe
                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):5
                                                                                            Entropy (8bit):1.9219280948873623
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:yn:yn
                                                                                            MD5:24E9E7D7EEA4DE90C8FC67AE1145ABF2
                                                                                            SHA1:DD9BB46CCC6340CA892CF17EBE32B9BDBADEE2D1
                                                                                            SHA-256:BD6C1D15579254E8879ADA07376F93CB2E959F45670374892FDE2EFAF4194F6C
                                                                                            SHA-512:5572AFD61C7BA666515A987F23AD0A05AB753BDC28CFA492ADB30200207427A4A38699D3B7981E0750414775A4CE72A209511951D38A8673C709B08774FCA01F
                                                                                            Malicious:false
                                                                                            Preview:.11
                                                                                            Process:C:\Users\user\Desktop\U22p1GcCSb.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):95232
                                                                                            Entropy (8bit):5.557340269197646
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:uY35sTnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3PsGdpKgM:7s7kVbPGHz88Eb71pjEwzGi1dD7DKgS
                                                                                            MD5:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            SHA1:AB67841AAEC06B8527596203C2C426E6F59B0470
                                                                                            SHA-256:72FEACA614E6E82FA5EFD6D8795D68223FEF6054EE898AD9CDAED71194A88C8D
                                                                                            SHA-512:D1B2E87C510BD0DF4C801572DABFE14C6CE04B7FFAC5883B3A26CF21A252369C026E878A3FEE1D5BB0E5402B0D94146149F2DA8418099DE5AFD63B4DC7FCA653
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\server.exe, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\server.exe, Author: unknown
                                                                                            • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\server.exe, Author: Florian Roth
                                                                                            • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\server.exe, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\server.exe, Author: ditekSHen
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                            • Antivirus: Virustotal, Detection: 74%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................p............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                            Process:C:\Users\user\AppData\Roaming\server.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):95232
                                                                                            Entropy (8bit):5.557340269197646
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:uY35sTnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3PsGdpKgM:7s7kVbPGHz88Eb71pjEwzGi1dD7DKgS
                                                                                            MD5:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            SHA1:AB67841AAEC06B8527596203C2C426E6F59B0470
                                                                                            SHA-256:72FEACA614E6E82FA5EFD6D8795D68223FEF6054EE898AD9CDAED71194A88C8D
                                                                                            SHA-512:D1B2E87C510BD0DF4C801572DABFE14C6CE04B7FFAC5883B3A26CF21A252369C026E878A3FEE1D5BB0E5402B0D94146149F2DA8418099DE5AFD63B4DC7FCA653
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                            • Antivirus: Virustotal, Detection: 74%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................p............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                            Process:C:\Users\user\AppData\Roaming\server.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):95232
                                                                                            Entropy (8bit):5.557340269197646
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:uY35sTnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3PsGdpKgM:7s7kVbPGHz88Eb71pjEwzGi1dD7DKgS
                                                                                            MD5:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            SHA1:AB67841AAEC06B8527596203C2C426E6F59B0470
                                                                                            SHA-256:72FEACA614E6E82FA5EFD6D8795D68223FEF6054EE898AD9CDAED71194A88C8D
                                                                                            SHA-512:D1B2E87C510BD0DF4C801572DABFE14C6CE04B7FFAC5883B3A26CF21A252369C026E878A3FEE1D5BB0E5402B0D94146149F2DA8418099DE5AFD63B4DC7FCA653
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                            • Antivirus: Virustotal, Detection: 74%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................p............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                            Process:C:\Users\user\AppData\Roaming\server.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):95232
                                                                                            Entropy (8bit):5.557340269197646
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:uY35sTnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3PsGdpKgM:7s7kVbPGHz88Eb71pjEwzGi1dD7DKgS
                                                                                            MD5:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            SHA1:AB67841AAEC06B8527596203C2C426E6F59B0470
                                                                                            SHA-256:72FEACA614E6E82FA5EFD6D8795D68223FEF6054EE898AD9CDAED71194A88C8D
                                                                                            SHA-512:D1B2E87C510BD0DF4C801572DABFE14C6CE04B7FFAC5883B3A26CF21A252369C026E878A3FEE1D5BB0E5402B0D94146149F2DA8418099DE5AFD63B4DC7FCA653
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                            • Antivirus: Virustotal, Detection: 74%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................p............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                            Process:C:\Users\user\AppData\Roaming\server.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):95232
                                                                                            Entropy (8bit):5.557340269197646
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:uY35sTnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3PsGdpKgM:7s7kVbPGHz88Eb71pjEwzGi1dD7DKgS
                                                                                            MD5:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            SHA1:AB67841AAEC06B8527596203C2C426E6F59B0470
                                                                                            SHA-256:72FEACA614E6E82FA5EFD6D8795D68223FEF6054EE898AD9CDAED71194A88C8D
                                                                                            SHA-512:D1B2E87C510BD0DF4C801572DABFE14C6CE04B7FFAC5883B3A26CF21A252369C026E878A3FEE1D5BB0E5402B0D94146149F2DA8418099DE5AFD63B4DC7FCA653
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                            • Antivirus: Virustotal, Detection: 74%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................p............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                            Process:C:\Users\user\AppData\Roaming\server.exe
                                                                                            File Type:Microsoft Windows Autorun file
                                                                                            Category:dropped
                                                                                            Size (bytes):55
                                                                                            Entropy (8bit):4.474554204780528
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:It1KV2PHQCyK0x:e1KAwCyD
                                                                                            MD5:40B1630BE21F39CB17BD1963CAE5A207
                                                                                            SHA1:63C14BD151D42820DD45C033363FA5B9E1D34124
                                                                                            SHA-256:F87E55F1A423B65FD639146F71F6027DBD4D6E69B65D9A17F1744774AA6589E1
                                                                                            SHA-512:833112ED4A9A3C621D2FFFC78F83502B2937B82A2CF9BC692D75D907CE2AA46C2D97CFE23C402DB3292B2DD2655FF8692C3CD00D5BA4D792C3D8AF24958E1926
                                                                                            Malicious:true
                                                                                            Preview:[autorun]..open=C:\Umbrella.flv.exe..shellexecute=C:\..
                                                                                            Process:C:\Users\user\AppData\Roaming\server.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):95232
                                                                                            Entropy (8bit):5.557340269197646
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:uY35sTnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3PsGdpKgM:7s7kVbPGHz88Eb71pjEwzGi1dD7DKgS
                                                                                            MD5:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            SHA1:AB67841AAEC06B8527596203C2C426E6F59B0470
                                                                                            SHA-256:72FEACA614E6E82FA5EFD6D8795D68223FEF6054EE898AD9CDAED71194A88C8D
                                                                                            SHA-512:D1B2E87C510BD0DF4C801572DABFE14C6CE04B7FFAC5883B3A26CF21A252369C026E878A3FEE1D5BB0E5402B0D94146149F2DA8418099DE5AFD63B4DC7FCA653
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\system.exe, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\system.exe, Author: unknown
                                                                                            • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\system.exe, Author: Florian Roth
                                                                                            • Rule: Njrat, Description: detect njRAT in memory, Source: C:\system.exe, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\system.exe, Author: ditekSHen
                                                                                            Antivirus:
                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                            • Antivirus: Virustotal, Detection: 74%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................p............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....o... ...p.................. ..`.reloc...............r..............@..B................................................................H.......................................................................&.(......**..(......*.s.........s ........s!........s".........*.0...........~....o#....+..*.0...........~....o$....+..*.0...........~....o%....+..*.0...........~....o&....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                            Process:C:\Windows\SysWOW64\netsh.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):313
                                                                                            Entropy (8bit):4.971939296804078
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                                                                                            MD5:689E2126A85BF55121488295EE068FA1
                                                                                            SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                                                                                            SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                                                                                            SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                                                                                            Malicious:false
                                                                                            Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Entropy (8bit):5.557340269197646
                                                                                            TrID:
                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                            • Windows Screen Saver (13104/52) 0.07%
                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                            File name:U22p1GcCSb.exe
                                                                                            File size:95'232 bytes
                                                                                            MD5:0a5ef41dd9cdbad5c5aaf4ca7b177700
                                                                                            SHA1:ab67841aaec06b8527596203c2c426e6f59b0470
                                                                                            SHA256:72feaca614e6e82fa5efd6d8795d68223fef6054ee898ad9cdaed71194a88c8d
                                                                                            SHA512:d1b2e87c510bd0df4c801572dabfe14c6ce04b7ffac5883b3a26cf21a252369c026e878a3fee1d5bb0e5402b0d94146149f2da8418099de5afd63b4dc7fca653
                                                                                            SSDEEP:768:uY35sTnkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3PsGdpKgM:7s7kVbPGHz88Eb71pjEwzGi1dD7DKgS
                                                                                            TLSH:4A93D84977E56524E1BF5AF75471F2004E34B48B1602E39D88F218AA1A33AC44F99FEB
                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.................p............... ........@.. ....................................@................................
                                                                                            Icon Hash:90cececece8e8eb0
                                                                                            Entrypoint:0x418efe
                                                                                            Entrypoint Section:.text
                                                                                            Digitally signed:false
                                                                                            Imagebase:0x400000
                                                                                            Subsystem:windows gui
                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                            Time Stamp:0x64F0D6BD [Thu Aug 31 18:06:53 2023 UTC]
                                                                                            TLS Callbacks:
                                                                                            CLR (.Net) Version:
                                                                                            OS Version Major:4
                                                                                            OS Version Minor:0
                                                                                            File Version Major:4
                                                                                            File Version Minor:0
                                                                                            Subsystem Version Major:4
                                                                                            Subsystem Version Minor:0
                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                            Instruction
                                                                                            jmp dword ptr [00402000h]
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18eac | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x16f04 | 0x17000 | e687a70f31430dc5bac78782b1fb2d58 | False | 0.3680579144021739 | data | 5.5890604802345525 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x1a000 | 0xc | 0x200 | 02466978873e232bef309f048b95192f | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

DLL | Import
mscoree.dll | _CorExeMain
                                                                                            TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                            03/11/24-13:57:55.365233TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4972313672192.168.2.103.66.38.117
                                                                                            03/11/24-13:57:57.972581TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4972413672192.168.2.103.66.38.117
                                                                                            03/11/24-13:57:10.905781TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4970313672192.168.2.103.66.38.117
                                                                                            03/11/24-13:57:48.181665TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4972113672192.168.2.103.66.38.117
                                                                                            03/11/24-13:57:52.998127TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4972213672192.168.2.103.66.38.117
                                                                                            03/11/24-13:58:00.582904TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4972513672192.168.2.103.66.38.117
                                                                                            03/11/24-13:57:13.390092TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4970413672192.168.2.103.66.38.117
                                                                                            03/11/24-13:57:45.527575TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4972013672192.168.2.103.66.38.117
                                                                                            03/11/24-13:58:03.810011TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4972713672192.168.2.103.66.38.117
                                                                                            03/11/24-13:58:06.238601TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4972813672192.168.2.103.66.38.117
                                                                                            03/11/24-13:57:17.866686TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4970513672192.168.2.103.66.38.117
                                                                                            03/11/24-13:57:20.184506TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4970713672192.168.2.103.66.38.117
                                                                                            03/11/24-13:59:43.174186TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4975113672192.168.2.1052.28.247.255
                                                                                            03/11/24-14:00:44.353987TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4976213672192.168.2.103.68.171.119
                                                                                            03/11/24-13:57:31.511033TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4971513672192.168.2.103.66.38.117
                                                                                            03/11/24-13:59:08.861139TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4974413672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:59:11.494367TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4974513672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:59:40.524865TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4975013672192.168.2.1052.28.247.255
                                                                                            03/11/24-13:59:59.718993TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4975313672192.168.2.1052.28.247.255
                                                                                            03/11/24-13:57:37.885075TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4971713672192.168.2.103.66.38.117
                                                                                            03/11/24-13:59:05.101000TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4974313672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:57:40.494203TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4971813672192.168.2.103.66.38.117
                                                                                            03/11/24-13:57:43.148380TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4971913672192.168.2.103.66.38.117
                                                                                            03/11/24-13:58:49.035267TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4974013672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:58:51.830869TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4974113672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:58:36.746964TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4973713672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:58:58.414340TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4974213672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:58:31.179034TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4973613672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:58:00.884094TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4972513672192.168.2.103.66.38.117
                                                                                            03/11/24-13:57:28.707084TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4971413672192.168.2.103.66.38.117
                                                                                            03/11/24-13:57:58.274652TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4972413672192.168.2.103.66.38.117
                                                                                            03/11/24-13:57:55.667281TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4972313672192.168.2.103.66.38.117
                                                                                            03/11/24-14:00:33.042782TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4976013672192.168.2.103.68.171.119
                                                                                            03/11/24-13:57:26.008083TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4971313672192.168.2.103.66.38.117
                                                                                            03/11/24-13:58:30.876607TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4973613672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:57:48.411158TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4972113672192.168.2.103.66.38.117
                                                                                            03/11/24-13:57:23.387503TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4971113672192.168.2.103.66.38.117
                                                                                            03/11/24-13:58:36.488277TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4973713672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:58:39.527868TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4973813672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:57:45.787003TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4972013672192.168.2.103.66.38.117
                                                                                            03/11/24-13:58:45.841985TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4973913672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:57:25.706252TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4971313672192.168.2.103.66.38.117
                                                                                            03/11/24-14:00:30.357471TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4975913672192.168.2.103.68.171.119
                                                                                            03/11/24-13:57:28.403515TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4971413672192.168.2.103.66.38.117
                                                                                            03/11/24-14:00:41.703341TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4976113672192.168.2.103.68.171.119
                                                                                            03/11/24-13:57:23.086932TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4971113672192.168.2.103.66.38.117
                                                                                            03/11/24-13:57:31.210284TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4971513672192.168.2.103.66.38.117
                                                                                            03/11/24-14:00:44.051573TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4976213672192.168.2.103.68.171.119
                                                                                            03/11/24-13:57:37.582749TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4971713672192.168.2.103.66.38.117
                                                                                            03/11/24-13:57:35.262290TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4971613672192.168.2.103.66.38.117
                                                                                            03/11/24-13:57:40.192791TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4971813672192.168.2.103.66.38.117
                                                                                            03/11/24-13:58:28.032861TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4973513672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:57:13.692255TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4970413672192.168.2.103.66.38.117
                                                                                            03/11/24-13:59:17.004618TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4974713672192.168.2.1052.28.247.255
                                                                                            03/11/24-13:58:20.488277TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4973313672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:58:23.099308TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4973413672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:59:21.876862TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4974813672192.168.2.1052.28.247.255
                                                                                            03/11/24-13:58:17.878508TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4973213672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:59:31.590664TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4974913672192.168.2.1052.28.247.255
                                                                                            03/11/24-13:58:09.186733TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4972913672192.168.2.103.66.38.117
                                                                                            03/11/24-13:58:12.641935TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4973013672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:57:20.486728TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4970713672192.168.2.103.66.38.117
                                                                                            03/11/24-13:58:06.541661TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4972813672192.168.2.103.66.38.117
                                                                                            03/11/24-13:58:15.255220TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4973113672192.168.2.1018.197.239.109
                                                                                            03/11/24-14:00:32.739203TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4976013672192.168.2.103.68.171.119
                                                                                            03/11/24-13:59:22.150528TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4974813672192.168.2.1052.28.247.255
                                                                                            03/11/24-13:59:40.223106TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4975013672192.168.2.1052.28.247.255
                                                                                            03/11/24-14:00:17.380683TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4975713672192.168.2.1052.28.247.255
                                                                                            03/11/24-13:59:14.671406TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4974613672192.168.2.1052.28.247.255
                                                                                            03/11/24-13:59:17.306266TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4974713672192.168.2.1052.28.247.255
                                                                                            03/11/24-13:59:42.872534TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4975113672192.168.2.1052.28.247.255
                                                                                            03/11/24-13:59:56.068201TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4975213672192.168.2.1052.28.247.255
                                                                                            03/11/24-13:58:23.402360TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4973413672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:59:11.796875TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4974513672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:58:15.559318TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4973113672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:58:58.717130TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4974213672192.168.2.1018.197.239.109
                                                                                            03/11/24-14:00:08.210628TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4975513672192.168.2.1052.28.247.255
                                                                                            03/11/24-14:00:02.370471TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4975413672192.168.2.1052.28.247.255
                                                                                            03/11/24-14:00:10.893695TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4975613672192.168.2.1052.28.247.255
                                                                                            03/11/24-13:58:20.790475TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4973313672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:59:09.163778TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4974413672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:58:18.179511TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4973213672192.168.2.1018.197.239.109
                                                                                            03/11/24-13:59:05.403490TCP2814856ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)4974313672192.168.2.1018.197.239.109
                                                                                            03/11/24-14:00:17.081352TCP2033132ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)4975713672192.168.2.1052.28.247.255
03/11/24-13:59:14.496224  TCP  2033132  ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)  49746  13672  192.168.2.10  52.28.247.255
03/11/24-14:00:25.827295  TCP  2033132  ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)  49758  13672  192.168.2.10  3.68.171.119
03/11/24-13:57:42.903315  TCP  2033132  ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)  49719  13672  192.168.2.10  3.66.38.117
03/11/24-13:58:08.885686  TCP  2033132  ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)  49729  13672  192.168.2.10  3.66.38.117
03/11/24-14:00:07.909379  TCP  2033132  ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)  49755  13672  192.168.2.10  52.28.247.255
03/11/24-14:00:10.590931  TCP  2033132  ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)  49756  13672  192.168.2.10  52.28.247.255
03/11/24-13:58:12.944215  TCP  2814856  ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)  49730  13672  192.168.2.10  18.197.239.109
03/11/24-13:58:52.029514  TCP  2814856  ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)  49741  13672  192.168.2.10  18.197.239.109
03/11/24-14:00:30.052643  TCP  2033132  ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)  49759  13672  192.168.2.10  3.68.171.119
03/11/24-13:59:59.415669  TCP  2033132  ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)  49753  13672  192.168.2.10  52.28.247.255
03/11/24-14:00:02.066515  TCP  2033132  ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)  49754  13672  192.168.2.10  52.28.247.255
03/11/24-13:58:49.337814  TCP  2814856  ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)  49740  13672  192.168.2.10  18.197.239.109
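Two things in the Snort alerts above and the TCP packet table that follows are worth pulling out with code rather than by eye. First, every alert timestamp coincides with a client packet on the same source port shortly after that connection's handshake (the 2033132 alert at 13:57:42.903315 on source port 49719 matches the packet row at 13:57:42.903315067; the 2814856 alert at 13:58:12.944215 on 49730 matches 13:58:12.944215059), so the alert can be joined to its flow by source port and checked against the flow's first-seen time. Second, the client never keeps a connection open: it reaches port 13672 from a fresh source port every few seconds, cycling through 3.66.38.117, 18.197.239.109, 52.28.247.255 and 3.68.171.119. The script below is an added example, not part of the Joe Sandbox report; the rows embedded in it are a constructed subset transcribed from the report's two tables with the columns separated, and the regularity thresholds (at least three connections, every gap within a factor of two of the median) are assumptions chosen for this data, not a documented njRAT property.

```python
"""Added example (not part of the Joe Sandbox report): rebuild client-initiated
flows from the report's TCP packet rows, join the Snort alerts onto them by
source port, and measure the reconnect cadence to each C2 endpoint."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample: packet rows transcribed from the report, columns separated
# by two spaces ("timestamp TZ  src port  dst port  src ip  dst ip").
PACKET_ROWS = """\
Mar 11, 2024 13:57:30.902940035 CET  49715  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:31.206784010 CET  13672  49715  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:33.837455988 CET  49716  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:37.279566050 CET  49717  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:39.890285969 CET  49718  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:42.543217897 CET  49719  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:42.903315067 CET  49719  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:58:12.338223934 CET  49730  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:14.950637102 CET  49731  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:17.575287104 CET  49732  13672  192.168.2.10  18.197.239.109
"""

# Constructed sample: Snort alert rows transcribed from the report
# ("timestamp  proto  sid  message  src port  dst port  src ip  dst ip").
ALERT_ROWS = """\
03/11/24-13:57:42.903315  TCP  2033132  ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)  49719  13672  192.168.2.10  3.66.38.117
03/11/24-13:58:12.944215  TCP  2814856  ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf)  49730  13672  192.168.2.10  18.197.239.109
"""

PKT_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d{1,2}, \d{4}) (?P<hms>\d{2}:\d{2}:\d{2})\.(?P<frac>\d+) [A-Z]+"
    r"\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<sip>[\d.]+)\s+(?P<dip>[\d.]+)$")
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d{6})\s+(?P<proto>\w+)\s+(?P<sid>\d+)\s+"
    r"(?P<msg>.+?)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<sip>[\d.]+)\s+(?P<dip>[\d.]+)$")


def _epoch(naive, frac_digits=""):
    # The report's wall-clock times are treated as UTC; only differences between rows matter here.
    # Nanosecond fractions are kept as a float because strptime's %f stops at microseconds.
    return naive.replace(tzinfo=timezone.utc).timestamp() + (float("0." + frac_digits) if frac_digits else 0.0)


def parse_packets(text):
    pkts = []
    for line in filter(str.strip, text.splitlines()):
        m = PKT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable packet row: {line!r}")
        base = datetime.strptime(f"{m['date']} {m['hms']}", "%b %d, %Y %H:%M:%S")
        pkts.append({"ts": _epoch(base, m["frac"]), "sport": int(m["sport"]),
                     "dport": int(m["dport"]), "sip": m["sip"], "dip": m["dip"]})
    return pkts


def parse_alerts(text):
    alerts = []
    for line in filter(str.strip, text.splitlines()):
        m = ALERT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable alert row: {line!r}")
        ts = datetime.strptime(m["ts"], "%m/%d/%y-%H:%M:%S.%f")
        alerts.append({"ts": _epoch(ts), "sid": int(m["sid"]), "msg": m["msg"], "sport": int(m["sport"]),
                       "dport": int(m["dport"]), "sip": m["sip"], "dip": m["dip"]})
    return alerts


def build_flows(pkts, local_prefix="192.168.2."):
    """One flow per client-initiated (sport, dip, dport); first_seen is the earliest outbound packet."""
    flows = {}
    for p in sorted(pkts, key=lambda p: p["ts"]):
        if not p["sip"].startswith(local_prefix):
            continue  # server-to-client packets never open a flow
        flows.setdefault((p["sport"], p["dip"], p["dport"]), {"first_seen": p["ts"], "sids": []})
    return flows


def attach_alerts(flows, alerts):
    """Join each alert to the flow with the same (sport, dip, dport); return alerts that match no flow
    or that fire before the flow's first packet (a sign of a port reuse or transcription error)."""
    unmatched = []
    for a in alerts:
        f = flows.get((a["sport"], a["dip"], a["dport"]))
        if f is None or a["ts"] < f["first_seen"]:
            unmatched.append(a)
        else:
            f["sids"].append(a["sid"])
    return unmatched


def cadence(flows, min_conns=3, max_ratio=2.0):
    """Per server endpoint: connection count, median gap between successive connects, and an assumed
    regularity test (every gap within a factor of max_ratio of the median, at least min_conns flows)."""
    by_dst = defaultdict(list)
    for (_sport, dip, dport), f in flows.items():
        by_dst[(dip, dport)].append(f["first_seen"])
    summary = {}
    for dst, times in by_dst.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else 0.0
        regular = len(times) >= min_conns and all(med / max_ratio <= g <= med * max_ratio for g in gaps)
        summary[dst] = {"connections": len(times), "median_gap": med, "regular": regular}
    return summary


def analyze(packet_text=PACKET_ROWS, alert_text=ALERT_ROWS):
    flows = build_flows(parse_packets(packet_text))
    unmatched = attach_alerts(flows, parse_alerts(alert_text))
    return {"flows": flows, "unmatched_alerts": unmatched, "cadence": cadence(flows)}


if __name__ == "__main__":
    result = analyze()
    for (dip, dport), c in result["cadence"].items():
        print(f"{dip}:{dport}  connections={c['connections']}  median_gap={c['median_gap']:.2f}s  regular={c['regular']}")
    for key, f in result["flows"].items():
        if f["sids"]:
            print(f"flow {key} carries alert SIDs {f['sids']}")
```

On the embedded subset every endpoint comes out as regular with a median reconnect gap of under three seconds, and both alerts land on the flow whose first packet precedes them. Run against the full packet table the same join also shows which reconnects produced no alert at all, which is the gap a network-only detection leaves.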
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Mar 11, 2024 13:57:09.645006895 CET  49703  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:09.947551966 CET  13672  49703  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:09.947696924 CET  49703  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:10.250400066 CET  13672  49703  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:10.250636101 CET  49703  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:10.905781031 CET  49703  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:11.208283901 CET  13672  49703  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:13.085860014 CET  49704  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:13.388524055 CET  13672  49704  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:13.388621092 CET  49704  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:13.390091896 CET  49704  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:13.692145109 CET  13672  49704  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:13.692255020 CET  49704  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:13.692562103 CET  13672  49704  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:13.994998932 CET  13672  49704  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:15.700782061 CET  49705  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:16.002398014 CET  13672  49705  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:16.002540112 CET  49705  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:16.304155111 CET  13672  49705  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:16.304260969 CET  49705  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:17.866686106 CET  49705  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:18.168008089 CET  13672  49705  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:19.881009102 CET  49707  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:20.183681011 CET  13672  49707  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:20.183769941 CET  49707  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:20.184505939 CET  49707  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:20.486643076 CET  13672  49707  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:20.486727953 CET  49707  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:20.487020969 CET  13672  49707  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:20.790882111 CET  13672  49707  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:22.784390926 CET  49711  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:23.085717916 CET  13672  49711  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:23.085916042 CET  49711  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:23.086931944 CET  49711  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:23.387434959 CET  13672  49711  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:23.387502909 CET  49711  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:23.388139009 CET  13672  49711  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:23.688759089 CET  13672  49711  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:25.403351068 CET  49713  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:25.705478907 CET  13672  49713  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:25.705666065 CET  49713  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:25.706252098 CET  49713  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:26.008016109 CET  13672  49713  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:26.008083105 CET  49713  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:26.008269072 CET  13672  49713  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:26.310225964 CET  13672  49713  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:28.098973036 CET  49714  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:28.402806044 CET  13672  49714  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:28.402898073 CET  49714  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:28.403515100 CET  49714  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:28.706772089 CET  13672  49714  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:28.707003117 CET  13672  49714  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:28.707083941 CET  49714  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:29.010780096 CET  13672  49714  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:30.902940035 CET  49715  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:31.206784010 CET  13672  49715  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:31.206885099 CET  49715  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:31.210283995 CET  49715  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:31.510900974 CET  13672  49715  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:31.511033058 CET  49715  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:31.514084101 CET  13672  49715  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:31.814663887 CET  13672  49715  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:33.837455988 CET  49716  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:34.138740063 CET  13672  49716  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:34.138828993 CET  49716  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:34.440287113 CET  13672  49716  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:34.440396070 CET  49716  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:35.262290001 CET  49716  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:35.563515902 CET  13672  49716  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:37.279566050 CET  49717  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:37.581957102 CET  13672  49717  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:37.582092047 CET  49717  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:37.582748890 CET  49717  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:37.884744883 CET  13672  49717  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:37.885073900 CET  13672  49717  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:37.885075092 CET  49717  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:38.187553883 CET  13672  49717  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:39.890285969 CET  49718  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:40.192110062 CET  13672  49718  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:40.192220926 CET  49718  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:40.192790985 CET  49718  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:40.494117975 CET  13672  49718  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:40.494203091 CET  49718  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:40.494329929 CET  13672  49718  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:40.796051979 CET  13672  49718  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:42.543217897 CET  49719  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:42.845766068 CET  13672  49719  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:42.845854044 CET  49719  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:42.903315067 CET  49719  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:43.148163080 CET  13672  49719  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:43.148380041 CET  49719  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:43.205451012 CET  13672  49719  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:43.450644970 CET  13672  49719  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:45.183165073 CET  49720  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:45.484903097 CET  13672  49720  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:45.484978914 CET  49720  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:45.527575016 CET  49720  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:45.786851883 CET  13672  49720  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:45.787003040 CET  49720  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:45.830986023 CET  13672  49720  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:46.088855028 CET  13672  49720  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:47.807840109 CET  49721  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:48.109126091 CET  13672  49721  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:48.109353065 CET  49721  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:48.181664944 CET  49721  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:48.411067009 CET  13672  49721  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:48.411158085 CET  49721  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:48.483130932 CET  13672  49721  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:48.712657928 CET  13672  49721  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:50.421475887 CET  49722  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:50.723081112 CET  13672  49722  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:50.723298073 CET  49722  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:51.024945021 CET  13672  49722  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:51.025039911 CET  49722  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:52.998126984 CET  49722  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:53.299704075 CET  13672  49722  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:55.061574936 CET  49723  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:55.364404917 CET  13672  49723  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:55.364548922 CET  49723  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:55.365232944 CET  49723  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:55.667160034 CET  13672  49723  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:55.667280912 CET  49723  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:55.667505026 CET  13672  49723  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:55.969821930 CET  13672  49723  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:57.669158936 CET  49724  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:57.971760988 CET  13672  49724  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:57.971893072 CET  49724  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:57.972580910 CET  49724  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:58.274547100 CET  13672  49724  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:58.274652004 CET  49724  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:57:58.274946928 CET  13672  49724  3.66.38.117  192.168.2.10
Mar 11, 2024 13:57:58.577326059 CET  13672  49724  3.66.38.117  192.168.2.10
Mar 11, 2024 13:58:00.279340029 CET  49725  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:58:00.581954956 CET  13672  49725  3.66.38.117  192.168.2.10
Mar 11, 2024 13:58:00.582144022 CET  49725  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:58:00.582904100 CET  49725  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:58:00.883681059 CET  13672  49725  3.66.38.117  192.168.2.10
Mar 11, 2024 13:58:00.884088039 CET  13672  49725  3.66.38.117  192.168.2.10
Mar 11, 2024 13:58:00.884094000 CET  49725  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:58:01.185262918 CET  13672  49725  3.66.38.117  192.168.2.10
Mar 11, 2024 13:58:03.014173031 CET  49727  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:58:03.317982912 CET  13672  49727  3.66.38.117  192.168.2.10
Mar 11, 2024 13:58:03.318089008 CET  49727  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:58:03.622334003 CET  13672  49727  3.66.38.117  192.168.2.10
Mar 11, 2024 13:58:03.622405052 CET  49727  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:58:03.810010910 CET  49727  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:58:04.113915920 CET  13672  49727  3.66.38.117  192.168.2.10
Mar 11, 2024 13:58:05.934539080 CET  49728  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:58:06.237926006 CET  13672  49728  3.66.38.117  192.168.2.10
Mar 11, 2024 13:58:06.238025904 CET  49728  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:58:06.238600969 CET  49728  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:58:06.541533947 CET  13672  49728  3.66.38.117  192.168.2.10
Mar 11, 2024 13:58:06.541661024 CET  49728  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:58:06.541709900 CET  13672  49728  3.66.38.117  192.168.2.10
Mar 11, 2024 13:58:06.844878912 CET  13672  49728  3.66.38.117  192.168.2.10
Mar 11, 2024 13:58:08.583369017 CET  49729  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:58:08.884912014 CET  13672  49729  3.66.38.117  192.168.2.10
Mar 11, 2024 13:58:08.885025978 CET  49729  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:58:08.885685921 CET  49729  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:58:09.186614990 CET  13672  49729  3.66.38.117  192.168.2.10
Mar 11, 2024 13:58:09.186733007 CET  49729  13672  192.168.2.10  3.66.38.117
Mar 11, 2024 13:58:09.186995029 CET  13672  49729  3.66.38.117  192.168.2.10
Mar 11, 2024 13:58:09.488308907 CET  13672  49729  3.66.38.117  192.168.2.10
Mar 11, 2024 13:58:12.338223934 CET  49730  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:12.640997887 CET  13672  49730  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:12.641109943 CET  49730  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:12.641935110 CET  49730  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:12.943979979 CET  13672  49730  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:12.944215059 CET  49730  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:12.944384098 CET  13672  49730  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:13.246992111 CET  13672  49730  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:14.950637102 CET  49731  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:15.254528046 CET  13672  49731  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:15.254653931 CET  49731  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:15.255219936 CET  49731  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:15.559189081 CET  13672  49731  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:15.559252024 CET  13672  49731  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:15.559318066 CET  49731  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:15.863009930 CET  13672  49731  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:17.575287104 CET  49732  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:17.877708912 CET  13672  49732  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:17.877844095 CET  49732  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:17.878508091 CET  49732  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:18.179378986 CET  13672  49732  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:18.179511070 CET  49732  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:18.179759026 CET  13672  49732  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:18.480838060 CET  13672  49732  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:20.184632063 CET  49733  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:20.487030983 CET  13672  49733  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:20.487292051 CET  49733  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:20.488276958 CET  49733  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:20.790370941 CET  13672  49733  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:20.790461063 CET  13672  49733  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:20.790474892 CET  49733  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:21.092624903 CET  13672  49733  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:22.794888020 CET  49734  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:23.098407984 CET  13672  49734  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:23.098567963 CET  49734  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:23.099308014 CET  49734  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:23.402288914 CET  13672  49734  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:23.402359962 CET  49734  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:23.402631998 CET  13672  49734  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:23.706012964 CET  13672  49734  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:25.443025112 CET  49735  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:25.746617079 CET  13672  49735  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:25.746753931 CET  49735  13672  192.168.2.10  18.197.239.109
Mar 11, 2024 13:58:26.050605059 CET  13672  49735  18.197.239.109  192.168.2.10
Mar 11, 2024 13:58:26.050704956 CET  49735  13672  192.168.2.10  18.197.239.109
                                                                                            Mar 11, 2024 13:58:28.032860994 CET4973513672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:28.336569071 CET136724973518.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:30.572118998 CET4973613672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:30.875456095 CET136724973618.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:30.875658989 CET4973613672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:30.876606941 CET4973613672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:31.178870916 CET136724973618.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:31.179033995 CET4973613672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:31.179409981 CET136724973618.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:31.481913090 CET136724973618.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:36.143305063 CET4973713672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:36.444757938 CET136724973718.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:36.444925070 CET4973713672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:36.488276958 CET4973713672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:36.746718884 CET136724973718.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:36.746963978 CET4973713672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:36.789741993 CET136724973718.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:37.048332930 CET136724973718.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:38.808583975 CET4973813672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:39.111543894 CET136724973818.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:39.111787081 CET4973813672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:39.414803028 CET136724973818.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:39.414874077 CET4973813672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:39.527868032 CET4973813672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:39.830934048 CET136724973818.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:41.848782063 CET4973913672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:42.151618958 CET136724973918.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:42.151707888 CET4973913672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:42.454761982 CET136724973918.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:42.455029964 CET4973913672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:45.841984987 CET4973913672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:46.144819975 CET136724973918.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:48.731004000 CET4974013672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:49.034123898 CET136724974018.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:49.034250975 CET4974013672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:49.035267115 CET4974013672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:49.337562084 CET136724974018.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:49.337814093 CET4974013672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:49.338061094 CET136724974018.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:49.640866041 CET136724974018.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:51.424014091 CET4974113672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:51.726561069 CET136724974118.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:51.726707935 CET4974113672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:51.830868959 CET4974113672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:52.029422998 CET136724974118.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:52.029514074 CET4974113672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:52.133250952 CET136724974118.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:52.331893921 CET136724974118.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:58.109159946 CET4974213672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:58.413026094 CET136724974218.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:58.413211107 CET4974213672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:58.414340019 CET4974213672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:58.717036963 CET136724974218.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:58.717129946 CET4974213672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:58:58.717698097 CET136724974218.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:58:59.021668911 CET136724974218.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:59:04.797328949 CET4974313672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:59:05.100234985 CET136724974318.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:59:05.100347996 CET4974313672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:59:05.101000071 CET4974313672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:59:05.403341055 CET136724974318.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:59:05.403490067 CET4974313672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:59:05.403858900 CET136724974318.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:59:05.706274986 CET136724974318.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:59:08.557496071 CET4974413672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:59:08.860275030 CET136724974418.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:59:08.860374928 CET4974413672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:59:08.861139059 CET4974413672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:59:09.163405895 CET136724974418.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:59:09.163721085 CET136724974418.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:59:09.163778067 CET4974413672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:59:09.466584921 CET136724974418.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:59:11.190541029 CET4974513672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:59:11.493544102 CET136724974518.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:59:11.493637085 CET4974513672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:59:11.494366884 CET4974513672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:59:11.796794891 CET136724974518.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:59:11.796875000 CET4974513672192.168.2.1018.197.239.109
                                                                                            Mar 11, 2024 13:59:11.797326088 CET136724974518.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:59:12.099800110 CET136724974518.197.239.109192.168.2.10
                                                                                            Mar 11, 2024 13:59:14.062299967 CET4974613672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:14.366671085 CET136724974652.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:14.366970062 CET4974613672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:14.496223927 CET4974613672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:14.671315908 CET136724974652.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:14.671406031 CET4974613672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:14.800461054 CET136724974652.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:14.975611925 CET136724974652.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:16.701688051 CET4974713672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:17.003771067 CET136724974752.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:17.003935099 CET4974713672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:17.004617929 CET4974713672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:17.306041956 CET136724974752.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:17.306240082 CET136724974752.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:17.306266069 CET4974713672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:17.608254910 CET136724974752.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:21.543081045 CET4974813672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:21.846718073 CET136724974852.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:21.847063065 CET4974813672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:21.876862049 CET4974813672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:22.150458097 CET136724974852.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:22.150527954 CET4974813672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:22.180015087 CET136724974852.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:22.453712940 CET136724974852.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:27.320369005 CET4974913672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:27.623827934 CET136724974952.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:27.623944998 CET4974913672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:27.927575111 CET136724974952.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:27.927844048 CET4974913672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:31.590663910 CET4974913672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:31.894100904 CET136724974952.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:39.919795990 CET4975013672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:40.222042084 CET136724975052.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:40.222214937 CET4975013672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:40.223105907 CET4975013672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:40.524707079 CET136724975052.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:40.524864912 CET4975013672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:40.525063038 CET136724975052.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:40.827114105 CET136724975052.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:42.568969965 CET4975113672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:42.871674061 CET136724975152.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:42.871812105 CET4975113672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:42.872534037 CET4975113672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:43.174077988 CET136724975152.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:43.174185991 CET4975113672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:43.174367905 CET136724975152.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:43.476387024 CET136724975152.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:47.021269083 CET4975213672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:47.324359894 CET136724975252.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:47.324455023 CET4975213672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:47.627574921 CET136724975252.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:47.627693892 CET4975213672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:56.068201065 CET4975213672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:56.371258020 CET136724975252.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:59.111341953 CET4975313672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:59.414920092 CET136724975352.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:59.415178061 CET4975313672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:59.415668964 CET4975313672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 13:59:59.718700886 CET136724975352.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:59.718816042 CET136724975352.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 13:59:59.718992949 CET4975313672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 14:00:00.022591114 CET136724975352.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 14:00:01.761234999 CET4975413672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 14:00:02.065705061 CET136724975452.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 14:00:02.065793037 CET4975413672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 14:00:02.066514969 CET4975413672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 14:00:02.370208025 CET136724975452.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 14:00:02.370471001 CET4975413672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 14:00:02.370608091 CET136724975452.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 14:00:02.674849987 CET136724975452.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 14:00:07.606574059 CET4975513672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 14:00:07.908606052 CET136724975552.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 14:00:07.908718109 CET4975513672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 14:00:07.909379005 CET4975513672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 14:00:08.210570097 CET136724975552.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 14:00:08.210628033 CET4975513672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 14:00:08.210998058 CET136724975552.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 14:00:08.512487888 CET136724975552.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 14:00:10.286257982 CET4975613672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 14:00:10.589849949 CET136724975652.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 14:00:10.590017080 CET4975613672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 14:00:10.590930939 CET4975613672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 14:00:10.893604994 CET136724975652.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 14:00:10.893695116 CET4975613672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 14:00:10.893893957 CET136724975652.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 14:00:11.196926117 CET136724975652.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 14:00:16.771349907 CET4975713672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 14:00:17.075843096 CET136724975752.28.247.255192.168.2.10
                                                                                            Mar 11, 2024 14:00:17.076132059 CET4975713672192.168.2.1052.28.247.255
                                                                                            Mar 11, 2024 14:00:17.081351995 CET4975713672192.168.2.1052.28.247.255
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 11, 2024 13:57:09.344049931 CET | 52636 | 53 | 192.168.2.10 | 1.1.1.1
Mar 11, 2024 13:57:09.610778093 CET | 53 | 52636 | 1.1.1.1 | 192.168.2.10
Mar 11, 2024 13:58:12.168956995 CET | 53749 | 53 | 192.168.2.10 | 1.1.1.1
Mar 11, 2024 13:58:12.337052107 CET | 53 | 53749 | 1.1.1.1 | 192.168.2.10
Mar 11, 2024 13:59:13.897991896 CET | 65276 | 53 | 192.168.2.10 | 1.1.1.1
Mar 11, 2024 13:59:14.060705900 CET | 53 | 65276 | 1.1.1.1 | 192.168.2.10
Mar 11, 2024 14:00:21.552649021 CET | 56213 | 53 | 192.168.2.10 | 1.1.1.1
Mar 11, 2024 14:00:21.715055943 CET | 53 | 56213 | 1.1.1.1 | 192.168.2.10

DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 11, 2024 13:57:09.344049931 CET | 192.168.2.10 | 1.1.1.1 | 0x104f | Standard query (0) | 6.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Mar 11, 2024 13:58:12.168956995 CET | 192.168.2.10 | 1.1.1.1 | 0xf900 | Standard query (0) | 6.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Mar 11, 2024 13:59:13.897991896 CET | 192.168.2.10 | 1.1.1.1 | 0xa216 | Standard query (0) | 6.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false
Mar 11, 2024 14:00:21.552649021 CET | 192.168.2.10 | 1.1.1.1 | 0x5516 | Standard query (0) | 6.tcp.eu.ngrok.io | A (IP address) | IN (0x0001) | false

DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 11, 2024 13:57:09.610778093 CET | 1.1.1.1 | 192.168.2.10 | 0x104f | No error (0) | 6.tcp.eu.ngrok.io | - | 3.66.38.117 | A (IP address) | IN (0x0001) | false
Mar 11, 2024 13:58:12.337052107 CET | 1.1.1.1 | 192.168.2.10 | 0xf900 | No error (0) | 6.tcp.eu.ngrok.io | - | 18.197.239.109 | A (IP address) | IN (0x0001) | false
Mar 11, 2024 13:59:14.060705900 CET | 1.1.1.1 | 192.168.2.10 | 0xa216 | No error (0) | 6.tcp.eu.ngrok.io | - | 52.28.247.255 | A (IP address) | IN (0x0001) | false
Mar 11, 2024 14:00:21.715055943 CET | 1.1.1.1 | 192.168.2.10 | 0x5516 | No error (0) | 6.tcp.eu.ngrok.io | - | 3.68.171.119 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 13:57:00
Start date: 11/03/2024
Path: C:\Users\user\Desktop\U22p1GcCSb.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\U22p1GcCSb.exe
Imagebase: 0xe40000
File size: 95'232 bytes
MD5 hash: 0A5EF41DD9CDBAD5C5AAF4CA7B177700
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.1237415316.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.1237415316.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.1237415316.0000000000E42000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.1257055398.0000000004588000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.1257055398.0000000004588000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.1257055398.0000000004588000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 2
Start time: 13:57:01
Start date: 11/03/2024
Path: C:\Users\user\AppData\Roaming\server.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\server.exe"
Imagebase: 0x210000
File size: 95'232 bytes
MD5 hash: 0A5EF41DD9CDBAD5C5AAF4CA7B177700
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\server.exe, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\server.exe, Author: unknown
• Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\server.exe, Author: Florian Roth
• Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\server.exe, Author: JPCERT/CC Incident Response Group
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\server.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 82%, ReversingLabs
• Detection: 74%, Virustotal
Reputation: low
Has exited: false

Target ID: 7
Start time: 13:57:03
Start date: 11/03/2024
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE
Imagebase: 0x1160000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 9
Start time: 13:57:03
Start date: 11/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff620390000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 13:57:05
Start date: 11/03/2024
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh firewall delete allowedprogram "C:\Users\user\AppData\Roaming\server.exe"
Imagebase: 0x1160000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 11
Start time: 13:57:05
Start date: 11/03/2024
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\server.exe" "server.exe" ENABLE
Imagebase: 0x1160000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 12
Start time: 13:57:06
Start date: 11/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff620390000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 13:57:06
Start date: 11/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff620390000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 13:57:16
Start date: 11/03/2024
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe"
Imagebase: 0x8d0000
File size: 95'232 bytes
MD5 hash: 0A5EF41DD9CDBAD5C5AAF4CA7B177700
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, Author: Joe Security
• Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, Author: unknown
• Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, Author: Florian Roth
• Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, Author: JPCERT/CC Incident Response Group
• Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 82%, ReversingLabs
• Detection: 74%, Virustotal
Reputation: low
Has exited: true

Target ID: 18
Start time: 13:57:20
Start date: 11/03/2024
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe"
Imagebase: 0x470000
File size: 95'232 bytes
MD5 hash: 0A5EF41DD9CDBAD5C5AAF4CA7B177700
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

                                                                                            Target ID:20
                                                                                            Start time:13:57:25
                                                                                            Start date:11/03/2024
                                                                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe"
                                                                                            Imagebase:0x2d0000
                                                                                            File size:95'232 bytes
                                                                                            MD5 hash:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Antivirus matches:
                                                                                            • Detection: 82%, ReversingLabs
                                                                                            • Detection: 74%, Virustotal
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:22
                                                                                            Start time:13:57:34
                                                                                            Start date:11/03/2024
                                                                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"
                                                                                            Imagebase:0x420000
                                                                                            File size:95'232 bytes
                                                                                            MD5 hash:0A5EF41DD9CDBAD5C5AAF4CA7B177700
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Joe Security
                                                                                            • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: unknown
                                                                                            • Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: Florian Roth
                                                                                            • Rule: Njrat, Description: detect njRAT in memory, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: JPCERT/CC Incident Response Group
                                                                                            • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe, Author: ditekSHen
                                                                                            Antivirus matches:
                                                                                            • Detection: 100%, Avira
                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                            • Detection: 82%, ReversingLabs
                                                                                            • Detection: 74%, Virustotal
                                                                                            Reputation:low
                                                                                            Has exited:true
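The three Startup entries above are one and the same 95'232-byte file (MD5 0A5EF41DD9CDBAD5C5AAF4CA7B177700) written under three different names, and the first copy ran with administrator privileges. The Python below is an added example for triaging such a report and is not part of the Joe Sandbox output or its tooling: it parses process records in the shape shown above and groups Startup-folder executables by MD5, so identical drops under lookalike names surface as a single cluster, and it lists which copies ran elevated. The sample text is constructed from the paths and hash in this report; the Target ID of the first record is not visible in the excerpt and is therefore omitted, and the final notepad.exe record with an all-zero hash is a made-up benign control that must not be flagged.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Folder the report shows the copies landing in; matched case-insensitively
# because Windows paths are.
STARTUP_DIR = r"\Start Menu\Programs\Startup"

# Constructed sample in the shape of the report's "Target ID" process blocks.
# Paths and the MD5 of the first three records are taken from this report;
# the first record's Target ID is not visible in the excerpt, so it is left
# out. The last record (Target ID 99, notepad.exe, all-zero hash) is a
# made-up benign control.
SAMPLE_REPORT = r"""
Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7330bac122947b8db6af3ae8d6783a41Windows Update.exe
Wow64 process (32bit):true
MD5 hash:0A5EF41DD9CDBAD5C5AAF4CA7B177700
Has administrator privileges:true
Has exited:true

Target ID:20
Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
MD5 hash:0A5EF41DD9CDBAD5C5AAF4CA7B177700
Has administrator privileges:false
Has exited:true

Target ID:22
Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
MD5 hash:0A5EF41DD9CDBAD5C5AAF4CA7B177700
Has administrator privileges:false
Has exited:true

Target ID:99
Path:C:\Windows\System32\notepad.exe
MD5 hash:00000000000000000000000000000000
Has administrator privileges:false
Has exited:true
"""


def parse_process_records(text: str) -> List[Dict[str, str]]:
    """Split the report text into blank-line separated blocks and turn each
    'Key:Value' line into a dict entry. Only the first colon separates key
    from value, so drive letters in paths ('C:\\...') are preserved. Blocks
    without a Path line (e.g. truncated excerpts) are dropped."""
    records: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, str] = {}
        for line in block.splitlines():
            line = line.strip()
            if not line or ":" not in line:
                continue
            key, value = line.split(":", 1)
            rec[key.strip()] = value.strip()
        if "Path" in rec:
            records.append(rec)
    return records


def find_startup_clones(records: List[Dict[str, str]],
                        min_copies: int = 2) -> Dict[str, List[str]]:
    """Group Startup-folder executables by MD5 and keep only hashes that
    appear under at least `min_copies` distinct paths. Returns
    {md5: [sorted paths]}. A hash dropped once, or anywhere outside the
    Startup folder, is not reported."""
    by_hash: Dict[str, set] = defaultdict(set)
    for rec in records:
        path = rec.get("Path", "")
        md5 = rec.get("MD5 hash", "").upper()
        if md5 and STARTUP_DIR.lower() in path.lower():
            by_hash[md5].add(path)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) >= min_copies}


def elevated_instances(records: List[Dict[str, str]]) -> List[str]:
    """Paths of processes the report marks as having administrator
    privileges; these are the copies that could have applied the firewall
    and Task Manager changes listed in the report's signatures."""
    return [r["Path"] for r in records
            if r.get("Has administrator privileges", "").lower() == "true"]


if __name__ == "__main__":
    recs = parse_process_records(SAMPLE_REPORT)
    for md5, paths in find_startup_clones(recs).items():
        print(f"{md5}: {len(paths)} copies in Startup")
        for p in paths:
            print("    ", p)
    for p in elevated_instances(recs):
        print("ran elevated:", p)
```

In a live triage the hashes should come from the dropped files themselves (Get-FileHash or certutil -hashfile) rather than from a report field, and the per-file Yara and antivirus matches listed above remain the stronger verdict; the grouping only tells you which Startup entries are the same implant, which is what matters when cleaning persistence.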


                                                                                              Execution Graph

                                                                                              Execution Coverage:2.7%
                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                              Signature Coverage:0%
                                                                                              Total number of Nodes:58
                                                                                              Total number of Limit Nodes:4
                                                                                              [Execution graph rendering (58 nodes, 4 limit nodes). API call nodes and the block addresses that reach them: CreateMutexW at 149b0a2 (from 149b036/149b06a); OleInitialize at 149a68a (from 149a61e/149a65e); OleGetClipboard at 149a72e (from 149a6ce); ShellExecuteExW at 149b446 and 149b46c (from 149b424); CreateFileW at 149aade (from 149aa75/149aaa6); WriteFile at 149aee3 (from 149ae77/149aeae); GetFileType at 149ac6a (from 149ac37); DuplicateHandle at 149a5d8 (from 149a573/149a59a); FindCloseChangeNotification at 149abbe and 149abea (from 149ab7c); SetErrorMode at 149a9c9 and 149aa3e (from 149a9bf/149aa12).]

                                                                                              Control-flow Graph

                                                                                              [Control-flow graph rendering of the function at 5754298 (basic blocks 5754298-575715f). Resolved calls: 5754210 from block 5754985; 5754278 from block 57563b8 and twice from block 5757076.]
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$:@Cl$:@Cl$:@Cl$:@Cl$:@Cl$@$\Ojl$2jl
                                                                                              • API String ID: 0-3089121696
                                                                                              • Opcode ID: d6821452e015c46dd4c0f679609d49e207f22a079c4d93d5678f79c3773e0b4e
                                                                                              • Instruction ID: 482f7b9dba8e18c4f20b6fc6993539aadd6df79f3097c70e2055db6962b17fda
                                                                                              • Opcode Fuzzy Hash: d6821452e015c46dd4c0f679609d49e207f22a079c4d93d5678f79c3773e0b4e
                                                                                              • Instruction Fuzzy Hash: 03230374A052288FDB25DF60D8A4BADB7B2FB89304F1081E9D909A7390DF355E89DF50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 558 5754269-5754288 559 57542b1-57542c2 558->559 560 575428a 558->560 568 57542c4-57542c9 559->568 561 5754291-5754292 560->561 562 575428c-575428d 560->562 565 5754294 561->565 566 5754299-57542af 561->566 563 5754295-5754298 562->563 564 5754290 562->564 563->566 564->561 564->568 565->563 566->559 570 5754352-575435a 568->570 571 57542ca-5754350 568->571 572 5754366-575437a 570->572 571->570 599 575435c 571->599 573 5754380-57543bc 572->573 574 575452f-575467d 572->574 585 57543ed-57544ea 573->585 586 57543be-57543e6 573->586 611 5754683-57547d2 574->611 612 575480d-5754821 574->612 706 57544ef 585->706 586->585 599->572 611->612 614 5754827-5754934 612->614 615 575496f-5754983 612->615 614->615 617 5754985-575499b call 5754210 615->617 618 57549d6-57549ea 615->618 617->618 622 5754a32-5754a46 618->622 623 57549ec-57549f7 618->623 626 5754b94-5754ba8 622->626 627 5754a4c-5754b59 622->627 623->622 630 5754cd4-5754ce8 626->630 631 5754bae-5754bc2 626->631 627->626 639 5754f74-5754f88 630->639 640 5754cee-5754f2d 630->640 635 5754bc4-5754bcb 631->635 636 5754bd0-5754be4 631->636 642 5754c48-5754c5c 635->642 643 5754be6-5754bed 636->643 644 5754bef-5754c03 636->644 645 5754fe2-5754ff6 639->645 646 5754f8a-5754f9b 639->646 640->639 653 5754c76-5754c82 642->653 654 5754c5e-5754c74 642->654 643->642 648 5754c05-5754c0c 644->648 649 5754c0e-5754c22 644->649 651 5755045-5755059 645->651 652 5754ff8-5754ffe 645->652 646->645 648->642 658 5754c24-5754c2b 649->658 659 5754c2d-5754c41 649->659 661 57550a2-57550b6 651->661 662 575505b 651->662 652->651 660 5754c8d 653->660 654->660 658->642 659->642 669 5754c43-5754c45 659->669 660->630 671 575512d-5755141 661->671 672 57550b8-57550e1 661->672 662->661 669->642 674 57553b4-57553c8 671->674 675 5755147-5755363 671->675 672->671 678 575549e-57554b2 674->678 679 57553ce-5755457 674->679 1060 5755365 675->1060 1061 
5755367 675->1061 684 575566f-5755683 678->684 685 57554b8-5755628 678->685 679->678 689 57557e6-57557fa 684->689 690 5755689-575579f 684->690 685->684 698 5755800-5755916 689->698 699 575595d-5755971 689->699 690->689 698->699 703 5755ad4-5755ae8 699->703 704 5755977-5755a8d 699->704 710 5755aee-5755c04 703->710 711 5755c4b-5755c5f 703->711 704->703 706->574 710->711 722 5755c65-5755d7b 711->722 723 5755dc2-5755dd6 711->723 722->723 728 5755ddc-5755ef2 723->728 729 5755f39-5755f4d 723->729 728->729 734 57560b0-57560c4 729->734 735 5755f53-5756069 729->735 744 5756227-575623b 734->744 745 57560ca-57561e0 734->745 735->734 751 5756241-5756357 744->751 752 575639e-57563b2 744->752 745->744 751->752 759 5756536-575654a 752->759 760 57563b8-57563fd call 5754278 752->760 775 5756550-575656f 759->775 776 575668d-57566a1 759->776 891 57564bd-57564df 760->891 810 5756614-5756636 775->810 788 57566a7-57567a7 776->788 789 57567ee-5756802 776->789 788->789 794 575694f-5756963 789->794 795 5756808-5756908 789->795 802 5756ab0-5756ada 794->802 803 5756969-5756a69 794->803 795->794 836 5756ae0-5756b53 802->836 837 5756b9a-5756bae 802->837 803->802 821 5756574-5756583 810->821 822 575663c 810->822 833 575663e 821->833 834 5756589-57565bc 821->834 822->776 852 5756643-575668b 833->852 925 5756603-575660c 834->925 926 57565be-57565f8 834->926 836->837 840 5756bb4-5756c44 837->840 841 5756c8b-5756c9f 837->841 840->841 859 5756de5-5756df9 841->859 860 5756ca5-5756d9e 841->860 852->776 868 575705c-5757070 859->868 869 5756dff-5756e4f 859->869 860->859 880 5757076-5757111 call 5754278 * 2 868->880 881 5757158-575715f 868->881 982 5756e51-5756e77 869->982 983 5756ebd-5756ee8 869->983 880->881 905 57564e5 891->905 906 5756402-5756411 891->906 905->759 921 57564e7 906->921 922 5756417-57564b5 906->922 946 57564ec-5756534 921->946 922->946 1059 57564b7 922->1059 925->852 928 575660e 925->928 926->925 928->810 946->759 1057 5756e79-5756e99 982->1057 1058 5756eb8 982->1058 1055 
5756fc6-5757057 983->1055 1056 5756eee-5756fc1 983->1056 1055->868 1056->868 1057->1058 1058->868 1059->891 1067 575536d 1060->1067 1061->1067 1067->674
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $:@Cl$:@Cl$:@Cl$:@Cl$:@Cl$:@Cl$\Ojl$2jl
                                                                                              • API String ID: 0-3269062517
                                                                                              • Opcode ID: c180e97e71123026adfcab781c9db374a915aad376cd027e89d732f472d5bbec
                                                                                              • Instruction ID: 57cd8ecd5293ed69c4f8bf52cc5685bde3f85441c04c28d379b5b2c088d2bff0
                                                                                              • Opcode Fuzzy Hash: c180e97e71123026adfcab781c9db374a915aad376cd027e89d732f472d5bbec
                                                                                              • Instruction Fuzzy Hash: 3E131774A05228CFDB25DF20D8A4BA9B7B2FB89304F1081EAD90967391DF355E89DF50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 1123 5753803-5753911 1140 5753917-5753919 1123->1140 1141 5753913 1123->1141 1144 5753920-5753927 1140->1144 1142 5753915 1141->1142 1143 575391b 1141->1143 1142->1140 1143->1144 1145 57539bd-5753adf 1144->1145 1146 575392d-57539b2 1144->1146 1170 5753ae1-5753b51 1145->1170 1171 5753b5b-5753bae 1145->1171 1146->1145 1170->1171 1179 5753bb5 1171->1179 1180 5753bb0 1171->1180 1259 5753bb5 call 1440606 1179->1259 1260 5753bb5 call 14405e0 1179->1260 1261 5753bb5 call 5754269 1179->1261 1262 5753bb5 call 5754298 1179->1262 1180->1179 1181 5753bbb-5753bcf 1182 5753c06-5753cbb 1181->1182 1183 5753bd1-5753bfb 1181->1183 1194 5753cc1-5753cff 1182->1194 1195 5753d43 1182->1195 1183->1182 1194->1195 1196 57541dd-57541e8 1195->1196 1197 57541ee-57541f5 1196->1197 1198 5753d48-5753d66 1196->1198 1202 5753d71-5753d7c 1198->1202 1203 5753d68-5753d6e 1198->1203 1207 5754193-57541db 1202->1207 1208 5753d82-5753d96 1202->1208 1203->1202 1207->1196 1209 5753e0e-5753e1f 1208->1209 1210 5753d98-5753dca 1208->1210 1212 5753e21-5753e4b 1209->1212 1213 5753e6f-5753e7d 1209->1213 1210->1209 1212->1213 1225 5753e4d-5753e67 1212->1225 1215 5754191 1213->1215 1216 5753e83-5753f36 1213->1216 1215->1196 1236 5753fc6-57540bd 1216->1236 1237 5753f3c-5753fbf 1216->1237 1225->1213 1252 57540c3-5754146 1236->1252 1253 575414d 1236->1253 1237->1236 1252->1253 1253->1215 1259->1181 1260->1181 1261->1181 1262->1181
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: \Ojl$2jl
                                                                                              • API String ID: 0-1695366678
                                                                                              • Opcode ID: 28dac57e6a72ca711a385f20b84d9a3a3a1e6e4e6d922003579483b1842b7c34
                                                                                              • Instruction ID: 3415f742b706fc380ae308a225886b53bb258e91facae144b8a0655f2fe8825a
                                                                                              • Opcode Fuzzy Hash: 28dac57e6a72ca711a385f20b84d9a3a3a1e6e4e6d922003579483b1842b7c34
                                                                                              • Instruction Fuzzy Hash: CC32F370A00258CFCB14DF74D954BADB7B2FB89304F1045A9D80AAB3A4DB799E89DF50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 1263 57500b8-57500cd 1294 57500d0 call 1440606 1263->1294 1295 57500d0 call 149a23a 1263->1295 1296 57500d0 call 14405e0 1263->1296 1297 57500d0 call 149a20c 1263->1297 1266 57500d5-57500f7 1269 57500f9-575010a 1266->1269 1270 575010b-575011a 1266->1270 1273 5750121-57501d5 1270->1273 1274 575011c-5750120 1270->1274 1289 57501d5 call 1440606 1273->1289 1290 57501d5 call 14405e0 1273->1290 1291 57501d5 call 5753803 1273->1291 1292 57501d5 call 57539bf 1273->1292 1293 57501d5 call 5753b18 1273->1293 1274->1273 1288 57501db-57501de 1289->1288 1290->1288 1291->1288 1292->1288 1293->1288 1294->1266 1295->1266 1296->1266 1297->1266
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 2jl$2jl
                                                                                              • API String ID: 0-1801541598
                                                                                              • Opcode ID: e4d7debc39a20d43c44b9523ed6dfd4435da1d6085df2bc99427e62767daf85e
                                                                                              • Instruction ID: 48a2998df0809b08363622a88b8045aa6e2093cfd6dd6766384e509ae20ef637
                                                                                              • Opcode Fuzzy Hash: e4d7debc39a20d43c44b9523ed6dfd4435da1d6085df2bc99427e62767daf85e
                                                                                              • Instruction Fuzzy Hash: 9031F8317043449FD704EBB598916ED3B67ABC3218B14846ED501DB392CF759C0983A5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 1298 5750118-575011a 1299 5750121-5750169 1298->1299 1300 575011c-5750120 1298->1300 1306 5750174-575017a 1299->1306 1300->1299 1307 5750181-57501bd 1306->1307 1312 57501c8-57501d5 1307->1312 1315 57501d5 call 1440606 1312->1315 1316 57501d5 call 14405e0 1312->1316 1317 57501d5 call 5753803 1312->1317 1318 57501d5 call 57539bf 1312->1318 1319 57501d5 call 5753b18 1312->1319 1314 57501db-57501de 1315->1314 1316->1314 1317->1314 1318->1314 1319->1314
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 2jl$2jl
                                                                                              • API String ID: 0-1801541598
                                                                                              • Opcode ID: 3d7710ead2cbf9d21c13f592d1d624463e720f2af192cefb72b23a948f17f085
                                                                                              • Instruction ID: c665898f07b48175042c1a5122d8323252bead016f65a81be353a2f2c1e129e3
                                                                                              • Opcode Fuzzy Hash: 3d7710ead2cbf9d21c13f592d1d624463e720f2af192cefb72b23a948f17f085
                                                                                              • Instruction Fuzzy Hash: D21106307042509FC314EBB5A4916ED3B57ABC7218358806FD401CB762CFB58C0D93BA
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 1320 149aa75-149aafe 1324 149ab00 1320->1324 1325 149ab03-149ab0f 1320->1325 1324->1325 1326 149ab11 1325->1326 1327 149ab14-149ab1d 1325->1327 1326->1327 1328 149ab1f-149ab43 CreateFileW 1327->1328 1329 149ab6e-149ab73 1327->1329 1332 149ab75-149ab7a 1328->1332 1333 149ab45-149ab6b 1328->1333 1329->1328 1332->1333
                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0149AB25
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFile
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
(rendered graph not reproduced) entry block 149b036-149b0b9; CreateMutexW called from block 149b0d7-149b0fb
APIs
• CreateMutexW.KERNELBASE(?,?), ref: 0149B0DD
Memory Dump Source
• Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
Similarity
• API ID: CreateMutex
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
(rendered graph not reproduced) entry block 149a6ce-149a72b; OleGetClipboard called from block 149a72e-149a786
APIs
• OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0149A77E
Memory Dump Source
• Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
Similarity
• API ID: Clipboard
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
(rendered graph not reproduced) entry block 149ae77-149af05; WriteFile called from block 149af07-149af27
APIs
• WriteFile.KERNELBASE(?,00000E24,EF1360C4,00000000,00000000,00000000,00000000), ref: 0149AF0D
Memory Dump Source
• Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
Similarity
• API ID: FileWrite
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
(rendered graph not reproduced) entry block 149aaa6-149aafe; CreateFileW called from block 149ab1f-149ab27
APIs
• CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0149AB25
Memory Dump Source
• Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
Similarity
• API ID: CreateFile
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
(rendered graph not reproduced) entry block 149a9bf-149aa3c; SetErrorMode called from block 149aa3e-149aa51
APIs
• SetErrorMode.KERNELBASE(?), ref: 0149AA44
Memory Dump Source
• Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
Similarity
• API ID: ErrorMode
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
(rendered graph not reproduced) entry block 149ac37-149acb5; GetFileType called from block 149acb7-149acca
APIs
• GetFileType.KERNELBASE(?,00000E24,EF1360C4,00000000,00000000,00000000,00000000), ref: 0149ACBD
Memory Dump Source
• Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
Similarity
• API ID: FileType
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
(rendered graph not reproduced) entry block 149b06a-149b0b9; CreateMutexW called from block 149b0d7-149b0df
APIs
• CreateMutexW.KERNELBASE(?,?), ref: 0149B0DD
Memory Dump Source
• Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
Similarity
• API ID: CreateMutex
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
(rendered graph not reproduced) entry block 149ab7c-149abe8; FindCloseChangeNotification called from block 149abea-149abf2
APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 0149ABF0
Memory Dump Source
• Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
Similarity
• API ID: ChangeCloseFindNotification
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph
(rendered graph not reproduced) entry block 149a61e-149a688; OleInitialize called from block 149a68a-149a692
APIs
Memory Dump Source
• Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
Similarity
• API ID: Initialize
Uniqueness
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0149A5DE
Memory Dump Source
• Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
Similarity
• API ID: DuplicateHandle
Uniqueness
Uniqueness Score: -1.00%
APIs
• WriteFile.KERNELBASE(?,00000E24,EF1360C4,00000000,00000000,00000000,00000000), ref: 0149AF0D
Memory Dump Source
• Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
Similarity
• API ID: FileWrite
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ShellExecuteExW.SHELL32(?), ref: 0149B480
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExecuteShell
                                                                                              • String ID:
                                                                                              • API String ID: 587946157-0
                                                                                              • Opcode ID: fb261be0018f0fdd6b8d57804b1046b575a68dc07e5c1dfdabfbdbd0391261b3
                                                                                              • Instruction ID: caae126a3846f0494da0566daf13ab39d7158f0fbca73404ff715e90e69fe291
                                                                                              • Opcode Fuzzy Hash: fb261be0018f0fdd6b8d57804b1046b575a68dc07e5c1dfdabfbdbd0391261b3
                                                                                              • Instruction Fuzzy Hash: A1118E755093809FDB12CF25DC84B52BFA8DF06220F0984EBED45CF262D275E808DB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetFileType.KERNELBASE(?,00000E24,EF1360C4,00000000,00000000,00000000,00000000), ref: 0149ACBD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileType
                                                                                              • String ID:
                                                                                              • API String ID: 3081899298-0
                                                                                              • Opcode ID: bf6ce8edc6c18f74d51fb5cb597338d1479ce7f9ce14748b45b914a91e886378
                                                                                              • Instruction ID: 22f1d683612d8d5cbf53d5677d081cd45a8e1edfa5080b586b56ecdcaa9113e4
                                                                                              • Opcode Fuzzy Hash: bf6ce8edc6c18f74d51fb5cb597338d1479ce7f9ce14748b45b914a91e886378
                                                                                              • Instruction Fuzzy Hash: 5D01D275504244AFEB21CB05DC89FB6FBA8DF04624F18C0AAEE058F391D374E908CAB1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • ShellExecuteExW.SHELL32(?), ref: 0149B480
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExecuteShell
                                                                                              • String ID:
                                                                                              • API String ID: 587946157-0
                                                                                              • Opcode ID: 50e168e61d5a5fb97c15e08f5b4c5ebc252c12abf3cb90efd03f199bf258fabd
                                                                                              • Instruction ID: 1c8103af28ad453bda0d2ac2be9f9e9c73b3436610221cf3effb282fffe8c3e8
                                                                                              • Opcode Fuzzy Hash: 50e168e61d5a5fb97c15e08f5b4c5ebc252c12abf3cb90efd03f199bf258fabd
                                                                                              • Instruction Fuzzy Hash: E7012D755042448FDB10CF1AE985BA6BBD4EF44620F08C4ABDD498B752D275E408DA61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0149A5DE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              • Opcode ID: 1ba1db34ded6e34477f0856eed04471fc7bc996d07d244e1ee00d96ff9ead27b
                                                                                              • Instruction ID: 4e9c9496741153b6f106535ed62e2f921c6c704730ef2f470ee72b74865e3f23
                                                                                              • Opcode Fuzzy Hash: 1ba1db34ded6e34477f0856eed04471fc7bc996d07d244e1ee00d96ff9ead27b
                                                                                              • Instruction Fuzzy Hash: 07015B764006409FDF218F55D844B56FFE0EF48220F18C99AEE894B662D376E418DFA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0149A77E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID: Clipboard
                                                                                              • String ID:
                                                                                              • API String ID: 220874293-0
                                                                                              • Opcode ID: a0f0056d9ceb8223e049b55dd2109c647469e6abcb93d3ce9c3f368c20c064f4
                                                                                              • Instruction ID: 0ee4896c0ff8ad65eeec664bdf609701b9cc8d7f1053ee1a3b002bb24aa4f2b9
                                                                                              • Opcode Fuzzy Hash: a0f0056d9ceb8223e049b55dd2109c647469e6abcb93d3ce9c3f368c20c064f4
                                                                                              • Instruction Fuzzy Hash: B501A271500200ABD210DF16CC46F26FBE8FB88A20F148159ED085B741E775F955CBE5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 0149ABF0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID: ChangeCloseFindNotification
                                                                                              • String ID:
                                                                                              • API String ID: 2591292051-0
                                                                                              • Opcode ID: 2dfbd28c6d309ab3cb5aa424b878acff420428f7a27671b430fbd220f59ca16a
                                                                                              • Instruction ID: 598066a4eb0a97792d0b74d3faae34dfc6c3565afcf774cc34a1e15074a71ad6
                                                                                              • Opcode Fuzzy Hash: 2dfbd28c6d309ab3cb5aa424b878acff420428f7a27671b430fbd220f59ca16a
                                                                                              • Instruction Fuzzy Hash: D7018F759042449FDF10CF1AE8857A6FBE4EF04224F18C4ABDD098F752D275E408CAA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID: Initialize
                                                                                              • String ID:
                                                                                              • API String ID: 2538663250-0
                                                                                              • Opcode ID: 276ce87d14c07278892db31109ad128b8fbe0409041372c89ccee92fbe92c177
                                                                                              • Instruction ID: 9295b0258c415c9138f70da0d0b35fca4348c623822fed2f816bcc19b53a12f8
                                                                                              • Opcode Fuzzy Hash: 276ce87d14c07278892db31109ad128b8fbe0409041372c89ccee92fbe92c177
                                                                                              • Instruction Fuzzy Hash: E4018B758002409FDB10CF1AD884766FBA4EF44220F19C4AADD498F762D279A808CAA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetErrorMode.KERNELBASE(?), ref: 0149AA44
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1256101007.000000000149A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_149a000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorMode
                                                                                              • String ID:
                                                                                              • API String ID: 2340568224-0
                                                                                              • Opcode ID: 77e919933f19a1a81e1dc42c0f9e82ebeae14a82482960021a54625df7d2862e
                                                                                              • Instruction ID: 47ace33ca7ee6219eeb5b16310884d801dc9040b215f1d2dd138be7d99bbb9d6
                                                                                              • Opcode Fuzzy Hash: 77e919933f19a1a81e1dc42c0f9e82ebeae14a82482960021a54625df7d2862e
                                                                                              • Instruction Fuzzy Hash: 4EF08C358002449FDB208F05D985B66FFE0EF04624F19C09ADD494B762D279A508CEA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 2jl
                                                                                              • API String ID: 0-3618021078
                                                                                              • Opcode ID: c23bd609c1f423dfe87e92876323f02170bb14da91814a14abc165d611b8d4be
                                                                                              • Instruction ID: 40cd3e914acfbeaf721e119790d31e2544f174f2aa49c9d0f34486e51bae024d
                                                                                              • Opcode Fuzzy Hash: c23bd609c1f423dfe87e92876323f02170bb14da91814a14abc165d611b8d4be
                                                                                              • Instruction Fuzzy Hash: 1A813630A002588FDB14DFB4C954BECB7B2BF89308F0045AAD50AAB2A4DB759D89DF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 2jl
                                                                                              • API String ID: 0-3618021078
                                                                                              • Opcode ID: 38a09c626b4c8dd42934ced689dcb99adc9c6bf71f1de916afcb720bb5f0f478
                                                                                              • Instruction ID: ed594548482c99a26dfc350078fef649eebadf737731b5c7e0016b8c8e80bd2e
                                                                                              • Opcode Fuzzy Hash: 38a09c626b4c8dd42934ced689dcb99adc9c6bf71f1de916afcb720bb5f0f478
                                                                                              • Instruction Fuzzy Hash: 36415770A002188FDB14DFB4C854BECB7B2BF89308F4045AAD409AB6A4DB745E88DF61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl
                                                                                              • API String ID: 0-1360559020
                                                                                              • Opcode ID: 6db0d41390520cf203727d90a00dca7bdd4b56ef26784bae114a58a0baa2a165
                                                                                              • Instruction ID: 89a602db9661aa66299a5914f718a1a22afaa9d22389a489a156292fb41260e7
                                                                                              • Opcode Fuzzy Hash: 6db0d41390520cf203727d90a00dca7bdd4b56ef26784bae114a58a0baa2a165
                                                                                              • Instruction Fuzzy Hash: F631F4307002019FCB04AB75D8557BE77A6EB88208F15843DD806A77A4EF7D9D0AA792
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 910948a7c9125b4670ab7681d0d51d59222f3e2b1dd7d139aaa4949fd936b3b1
                                                                                              • Instruction ID: 7da8308d74379e41aed5a9568ad9e6e8b2a60c4295af444695fe23dee032d0d2
                                                                                              • Opcode Fuzzy Hash: 910948a7c9125b4670ab7681d0d51d59222f3e2b1dd7d139aaa4949fd936b3b1
                                                                                              • Instruction Fuzzy Hash: 38318175B002459FEB20CF68C880FBA77E6FF89254F144869D906EB394D770ED019BA0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 42a70c67c241b4fe2c6bcf33ab506a06ec071319af49a719a800742892c6958d
                                                                                              • Instruction ID: 54d7b3f1e09a5ab854ab873e337bdb36ce36811029ea2ccd91100e69dc4d3ee0
                                                                                              • Opcode Fuzzy Hash: 42a70c67c241b4fe2c6bcf33ab506a06ec071319af49a719a800742892c6958d
                                                                                              • Instruction Fuzzy Hash: 7C218274B002059FEB10CF69C880F6A77E6FF89254F144869E506EB394DB70ED0187A4
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$:@Cl$\Ojl$2jl
                                                                                              • API String ID: 0-1381879308
                                                                                              • Opcode ID: 26c5bb655539b6bd2cf9c9fd943270a11993a2556c5851872f0c6bbdaa478240
                                                                                              • Instruction ID: 331ca39368f84cd3319fe466defe17df96c1c5ebd9504e162ff8e7406cb8f357
                                                                                              • Opcode Fuzzy Hash: 26c5bb655539b6bd2cf9c9fd943270a11993a2556c5851872f0c6bbdaa478240
                                                                                              • Instruction Fuzzy Hash: 3DD20674A05268CFDB25DF20D8A4BA9B7B1FB89304F1081EAE90967390DF355E89DF50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$:@Cl$\Ojl$2jl
                                                                                              • API String ID: 0-1381879308
                                                                                              • Opcode ID: 72eb1f6f12afd93e001c747e9aefdd4d9e7a69da62e2227afee794410e872449
                                                                                              • Instruction ID: db97fbfe7fd0e3941325b8a2e8cc7800af86aa21256e8f85a1e67c81a5510761
                                                                                              • Opcode Fuzzy Hash: 72eb1f6f12afd93e001c747e9aefdd4d9e7a69da62e2227afee794410e872449
                                                                                              • Instruction Fuzzy Hash: 11D20674A05268CFDB25DF20D8A4BA9B7B1FB89304F1081EAE90967390DF355E89DF50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$:@Cl$\Ojl$2jl
                                                                                              • API String ID: 0-1381879308
                                                                                              • Opcode ID: c0a7382fe5ed227d541fb71360ced0e85dc850795cedb84a89ee0c91b680500f
                                                                                              • Instruction ID: e057c82cff393170f2bf00b152919e5335dcc80e84a507fb501009fb3d0d83a8
                                                                                              • Opcode Fuzzy Hash: c0a7382fe5ed227d541fb71360ced0e85dc850795cedb84a89ee0c91b680500f
                                                                                              • Instruction Fuzzy Hash: C0D20674A05228CFDB25DF20D8A4BA9B7B1FB89304F1081EAE90967390DF355E89DF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$:@Cl$\Ojl$2jl
                                                                                              • API String ID: 0-1381879308
                                                                                              • Opcode ID: ca76468330e6afb65e6583e01630a816c3e7f80297efe90bb4979d7fffc7429e
                                                                                              • Instruction ID: 006b234925baf2e2cfb018d3fd2326b43d90ad0f785a529f04757b31bf65872f
                                                                                              • Opcode Fuzzy Hash: ca76468330e6afb65e6583e01630a816c3e7f80297efe90bb4979d7fffc7429e
                                                                                              • Instruction Fuzzy Hash: F0D20674A05228CFDB25DF20D8A4BA9B7B1FB89304F1081EAE90967390DF355E89DF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$:@Cl$\Ojl$2jl
                                                                                              • API String ID: 0-1381879308
                                                                                              • Opcode ID: bba97ae57cda4808e7d9c9c35b6797e2838d2e280ab97b286a5592275c11e5bf
                                                                                              • Instruction ID: 42b7331605d675a652dfcb52357046f5aecd0de15f2664d71d7a28f513b956fb
                                                                                              • Opcode Fuzzy Hash: bba97ae57cda4808e7d9c9c35b6797e2838d2e280ab97b286a5592275c11e5bf
                                                                                              • Instruction Fuzzy Hash: 55D20774A05228CFDB25DF20D8A4BA9B7B1FB89304F1081EAE90967390DF355E89DF50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$:@Cl$\Ojl$2jl
                                                                                              • API String ID: 0-1381879308
                                                                                              • Opcode ID: 6004d42ba5a51938a703882de7af4a4ba804571444fa7d86d7da8ff6d538cfb3
                                                                                              • Instruction ID: 598f925dc466f4d8fed8b6d4b558ba33e1742375e5ca7827439864e6fb8446db
                                                                                              • Opcode Fuzzy Hash: 6004d42ba5a51938a703882de7af4a4ba804571444fa7d86d7da8ff6d538cfb3
                                                                                              • Instruction Fuzzy Hash: CDC21574A05228CFDB25DF20D8A4BA9B7B2FB89304F1091E9D90967390DF365E89DF50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1257261953.0000000005750000.00000040.00000800.00020000.00000000.sdmp, Offset: 05750000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5750000_U22p1GcCSb.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$:@Cl$\Ojl
                                                                                              • API String ID: 0-3276783887
                                                                                              • Opcode ID: 9641eea0dd33267a02f7345df0b4ab87f479087bcf9b2feffe1038a6160f0b99
                                                                                              • Instruction ID: eb93b21a791d7cd5db2a4bd1fe2e80d4143e288dda92fa1aaa87fbcf0371bc33
                                                                                              • Opcode Fuzzy Hash: 9641eea0dd33267a02f7345df0b4ab87f479087bcf9b2feffe1038a6160f0b99
                                                                                              • Instruction Fuzzy Hash: 65C21674A05228CFDB25DF20D8A4BA9B7B2FB89304F1091E9D90967390DF365E89DF50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Execution Graph

                                                                                              Execution Coverage:41.6%
                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                              Signature Coverage:6.2%
                                                                                              Total number of Nodes:112
                                                                                              Total number of Limit Nodes:7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$:@Cl$:@Cl$:@Cl$:@Cl$:@Cl$@$\Ojl$|tu$2jl
                                                                                              • API String ID: 0-1673784574
                                                                                              • Opcode ID: 04dacc743da47445ba598de1b15fe7b79d67960e6d55843b8b1fdef653ea5d3f
                                                                                              • Instruction ID: 42727dbed4732dfd01b822be7a020bebc030c44efb87c123242931d00b0a8a55
                                                                                              • Opcode Fuzzy Hash: 04dacc743da47445ba598de1b15fe7b79d67960e6d55843b8b1fdef653ea5d3f
                                                                                              • Instruction Fuzzy Hash: D4235874A01268CFDB25EF21D8A4BEDB7B2BB89308F1091E9D409A7395CB355E84CF54
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $:@Cl$:@Cl$:@Cl$:@Cl$:@Cl$:@Cl$\Ojl$|tu$2jl
                                                                                              • API String ID: 0-3556841449
                                                                                              • Opcode ID: 564c1214aac93539578e8cecc92482eb29731ec8b23a9754f2413e45873f74e4
                                                                                              • Instruction ID: ff61c7b078c7bd51e9fc493a08e7fdc3e033d135e5f79e08e551fb7903fe1090
                                                                                              • Opcode Fuzzy Hash: 564c1214aac93539578e8cecc92482eb29731ec8b23a9754f2413e45873f74e4
                                                                                              • Instruction Fuzzy Hash: 96135774A01628CFDB25EF21D8A4BEDB7B2BB89308F1091E9D509673A5CB355E84CF44
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $:@Cl$:@Cl$:@Cl$:@Cl$:@Cl$:@Cl$\Ojl$|tu$2jl
                                                                                              • API String ID: 0-3556841449
                                                                                              • Opcode ID: 752af8242974522d81025b997d30bf1d6a4327ef2a8f9722b283d62839285232
                                                                                              • Instruction ID: 0323522e68b69fa0e875e82b740002affe783764f668125c93bbcc5199af8443
                                                                                              • Opcode Fuzzy Hash: 752af8242974522d81025b997d30bf1d6a4327ef2a8f9722b283d62839285232
                                                                                              • Instruction Fuzzy Hash: 38034774A01628CFDB25EF21D8A4BEDB7B2BB89308F1091E9D509673A5CB355E84CF44
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $:@Cl$:@Cl$:@Cl$:@Cl$:@Cl$:@Cl$\Ojl$|tu$2jl
                                                                                              • API String ID: 0-3556841449
                                                                                              • Opcode ID: d7888ba002cd0d0959fbfd3b350244914a249124289cd3483499f83170d5dde2
                                                                                              • Instruction ID: 84ecd3037a2d4722c2e6faedfa7e1bdcefb6712f9327bbe4422dccd3409999e3
                                                                                              • Opcode Fuzzy Hash: d7888ba002cd0d0959fbfd3b350244914a249124289cd3483499f83170d5dde2
                                                                                              • Instruction Fuzzy Hash: 0A035674A01628CFDB25EF21D8A4BEDB7B2BB89308F1091E9D509673A5CB355E84CF44
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $:@Cl$:@Cl$:@Cl$:@Cl$:@Cl$\Ojl$|tu$2jl
                                                                                              • API String ID: 0-2866431145
                                                                                              • Opcode ID: 7bafdeb97b15ac0bd8190118d076640e46d3dceb2e5dfe007e94e2b64f81d01a
                                                                                              • Instruction ID: c6c0aa596cc1bb83daadfa7ce8810aa5fe8c2f2af6d113d8a8ff22a9c7a8524e
                                                                                              • Opcode Fuzzy Hash: 7bafdeb97b15ac0bd8190118d076640e46d3dceb2e5dfe007e94e2b64f81d01a
                                                                                              • Instruction Fuzzy Hash: CAF25774A01668CFDB25EF21D8A4BEDB7B2BB89308F1091E9D409673A5CB355E84CF44
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $:@Cl$:@Cl$:@Cl$:@Cl$:@Cl$\Ojl$|tu$2jl
                                                                                              • API String ID: 0-2866431145
                                                                                              • Opcode ID: cd3396e9d36145542c7dfdb0a236ec17d3d633a5babba77511ad1b3b75c79865
                                                                                              • Instruction ID: b592c5b0b0341e7505897b66f14d2bd55531ae68fa30058a01fb08d0355c30fe
                                                                                              • Opcode Fuzzy Hash: cd3396e9d36145542c7dfdb0a236ec17d3d633a5babba77511ad1b3b75c79865
                                                                                              • Instruction Fuzzy Hash: 87F26774A01668CFDB25EF21D8A4BEDB7B2BB89308F1091E9D409673A5CB355E84CF44
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph figure: entry block ee49f9-ee4a46; calls 730606, ee7310, ee7461 and 7305ec at ee4ff8; ee4278 at ee63b8 and twice at ee7076; ee74e0 and ee7501 at ee5367]
Strings
Memory Dump Source
• Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ee0000_server.jbxd
Similarity
• API ID:
• String ID: $:@Cl$:@Cl$:@Cl$:@Cl$:@Cl$\Ojl$|tu$2jl
• API String ID: 0-2866431145
• Opcode ID: 509ed83be19a46a588f185ec7c1e1009439c5a9f4bc162ed5fef4a46750bc3a2
• Instruction ID: 18b431f95259db6fca1a868a30085b7a4414a364d52f39d74e52e8603c639100
• Opcode Fuzzy Hash: 509ed83be19a46a588f185ec7c1e1009439c5a9f4bc162ed5fef4a46750bc3a2
• Instruction Fuzzy Hash: 99F26774A01668CFDB25EF21D8A4BEDB7B2BB89308F1091E9D409673A5CB355E84CF44
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph figure: entry block ee4b5b-ee4ba8; calls 730606, ee7310, ee7461 and 7305ec at ee4ff8; ee4278 at ee63b8 and twice at ee7076; ee74e0 and ee7501 at ee5367]
Strings
Memory Dump Source
• Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ee0000_server.jbxd
Similarity
• API ID:
• String ID: $:@Cl$:@Cl$:@Cl$:@Cl$:@Cl$\Ojl$|tu$2jl
• API String ID: 0-2866431145
• Opcode ID: d7ab42e49f071a9d5e9e6aee88781a7f13a898d2ee83873e2dfde6cbae195dc8
• Instruction ID: 09bd04b024e76d2444934f4349ed89d503c19feac75857c1e25bcc0f6ef9bc05
• Opcode Fuzzy Hash: d7ab42e49f071a9d5e9e6aee88781a7f13a898d2ee83873e2dfde6cbae195dc8
• Instruction Fuzzy Hash: 60E26874A01668CFDB25EF21D8A4BEDB7B2BB89308F1091E9D409673A5CB355E84CF44
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph figure: entry block ee4c8f-ee4ce8; calls 730606, ee7310, ee7461 and 7305ec at ee4ff8; ee4278 at ee63b8 and twice at ee7076; ee74e0 and ee7501 at ee5367]
Strings
Memory Dump Source
• Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ee0000_server.jbxd
Similarity
• API ID:
• String ID: :@Cl$:@Cl$:@Cl$:@Cl$:@Cl$\Ojl$|tu$2jl
• API String ID: 0-577486089
• Opcode ID: 68ef42d7891026783b7bb9437584cc3f016c1eee6a01efde226e9b32d9c91315
• Instruction ID: dc0e00f73c7e39bd2f75fc99f27f15c6d5baecca757948d9b299c3616eafea95
• Opcode Fuzzy Hash: 68ef42d7891026783b7bb9437584cc3f016c1eee6a01efde226e9b32d9c91315
• Instruction Fuzzy Hash: 74E26874A01628CFDB25EF21D8A4BEDB7B2BB89308F1091E9D509673A5CB355E84CF44
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph figure: entry block ee4f9d-ee4ff6; calls 730606, ee7310, ee7461 and 7305ec at ee4ff8; ee4278 at ee63b8 and twice at ee7076; ee74e0 and ee7501 at ee5367]
Strings
Memory Dump Source
• Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ee0000_server.jbxd
Similarity
• API ID:
• String ID: :@Cl$:@Cl$\Ojl$|tu$2jl
• API String ID: 0-1415125539
• Opcode ID: b0cfd07c314e108751342dac66b1682664de2d3a15c59f8e7f0f75ec0ad05596
• Instruction ID: 5b839d994f3dde957ece359992a92c7f32e6a866e8bd2fa78f07d8cc28e67579
• Opcode Fuzzy Hash: b0cfd07c314e108751342dac66b1682664de2d3a15c59f8e7f0f75ec0ad05596
• Instruction Fuzzy Hash: ADD24774A01668CFDB25EF21D8A4BEDB7B1BB89308F1091E9D409A73A5DB355E84CF40
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph figure: entry block ee505d-ee50b6; calls ee4278 at ee63b8 and twice at ee7076; ee74e0 and ee7501 at ee5367]
Strings
Memory Dump Source
• Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ee0000_server.jbxd
Similarity
• API ID:
• String ID: :@Cl$:@Cl$\Ojl$|tu$2jl
• API String ID: 0-1415125539
• Opcode ID: b0c34302426faf9fd781ebb0d3ad211451b1e30f6f7903115e56d19ddc3e4209
• Instruction ID: b7df049e2dc2af3817b67d0cc28dab823ad960a0bf54ee3216e24c01df824f9f
• Opcode Fuzzy Hash: b0c34302426faf9fd781ebb0d3ad211451b1e30f6f7903115e56d19ddc3e4209
• Instruction Fuzzy Hash: 3ED24774A01668CFDB25EF21D8A4BEDB7B1BB89308F1091E9D409A73A5DB315E84CF44
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph image not recoverable from the export; what survives: function entry at ee50e3, basic blocks spanning ee50e3-ee715f, calls to ee4278, ee74e0 and ee7501. The executed / not-executed coloring of the graph is lost.]
Strings
Memory Dump Source
• Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ee0000_server.jbxd
Similarity
• API ID:
• String ID: :@Cl$:@Cl$\Ojl$|tu$2jl
• API String ID: 0-1415125539
• Opcode ID: 232cc12b388810c3ad85f72cfb6eeaab284afa4658d874b09f1b10e2ee0eb4eb
• Instruction ID: d5c8397320f13a0f1f2b2c75cc6de74a2be75373e9a69886d65b7b25e850086e
• Opcode Fuzzy Hash: 232cc12b388810c3ad85f72cfb6eeaab284afa4658d874b09f1b10e2ee0eb4eb
• Instruction Fuzzy Hash: F1D24874A01668CFDB25EF21D8A4BEDB7B2BB89308F1091E9D409673A5DB315E84CF44
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph image not recoverable from the export; what survives: function entry at ee536f, basic blocks spanning ee536f-ee715f, calls to ee4278. The executed / not-executed coloring of the graph is lost.]
Strings
Memory Dump Source
• Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ee0000_server.jbxd
Similarity
• API ID:
• String ID: :@Cl$:@Cl$\Ojl$|tu$2jl
• API String ID: 0-1415125539
• Opcode ID: 37b5297e356bfad1fdf02f0c19c1d15ac360ce0d9e74fd96caf0c10e526faa34
• Instruction ID: 40701a3f7819d4269b07d9a44b2c0fe40194ee7ee7108afc6bbe8e0738e9ba17
• Opcode Fuzzy Hash: 37b5297e356bfad1fdf02f0c19c1d15ac360ce0d9e74fd96caf0c10e526faa34
• Instruction Fuzzy Hash: 31C20574A01628CFDB25EF20D8A4BEDB7B6BB89308F1091E9D50967795CB325E84CF44
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph image not recoverable from the export; what survives: function entry at ee5459, basic blocks spanning ee5459-ee715f, calls to ee4278. The executed / not-executed coloring of the graph is lost.]
Strings
Memory Dump Source
• Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ee0000_server.jbxd
Similarity
• API ID:
• String ID: :@Cl$:@Cl$\Ojl
• API String ID: 0-3276783887
• Opcode ID: 7aa050d9e0e76e31ce02763f7a4266b7de3979b2feca5f1bee57ea432511aa85
• Instruction ID: 5927bbfa8c861d9a03602bb3075479385fb4af923a97ee330c2b339c6bc01a4f
• Opcode Fuzzy Hash: 7aa050d9e0e76e31ce02763f7a4266b7de3979b2feca5f1bee57ea432511aa85
• Instruction Fuzzy Hash: ECC20474A01628CFDB25EF20D8A4BEDB7B6BB89308F1091E9D50967795CB325E84CF44
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ee0000_server.jbxd
Similarity
• API ID:
• String ID: 2jl
• API String ID: 0-3618021078
• Opcode ID: 819bd064015febd4dd040d2a6f6a5636314a992f65323532458b377eb46c3233
• Instruction ID: d7a235550f97737b5806ace1bf6f9fc3dc3155d729fe1bddb8dcd0950c00a025
• Opcode Fuzzy Hash: 819bd064015febd4dd040d2a6f6a5636314a992f65323532458b377eb46c3233
• Instruction Fuzzy Hash: 2A4266326097A9CBCB28DB32D84057CB3A2BF803597259575D491AB3D0EF39EC41CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0074BDEF
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: AdjustPrivilegesToken
• String ID:
• API String ID: 2874748243-0
• Opcode ID: 44b8200a74e7996c6c39288d922ce8f96834402c89f540873bd0ae10b74bfadd
• Instruction ID: c22b50acd013b42376e576ee7971ceebdc894722065efaf1897026d9437f55e2
• Opcode Fuzzy Hash: 44b8200a74e7996c6c39288d922ce8f96834402c89f540873bd0ae10b74bfadd
• Instruction Fuzzy Hash: DF21AD755097809FDB228F25DC44B92BFB4EF06310F0984DAE9848B563D375E808DB62
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtQuerySystemInformation.NTDLL ref: 0074BF5D
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: InformationQuerySystem
• String ID:
• API String ID: 3562636166-0
• Opcode ID: 7a7986ea98ec00e2845cf97effc6cf72feee4ce0174f545c4534126fa03baf63
• Instruction ID: c6246121edc3f2e51fcaebddfe839f1b44689482e5b6d470c1fd0f270b4053fe
• Opcode Fuzzy Hash: 7a7986ea98ec00e2845cf97effc6cf72feee4ce0174f545c4534126fa03baf63
• Instruction Fuzzy Hash: B1118E714093C09FDB228B14DC45A52FFB4EF16314F0984DAE9844F563D369A91CCB62
Uniqueness

Uniqueness Score: -1.00%

APIs
• AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0074BDEF
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: AdjustPrivilegesToken
• String ID:
• API String ID: 2874748243-0
• Opcode ID: 8a421cf1a782875d137ffebe3ed150f087d95623417fbb86c0d0b0b2991a6a52
• Instruction ID: 880a7c83c6ac03da3ee4838ae61d6ae8e1b7e0d2aee5a9cc117b707a40afb014
• Opcode Fuzzy Hash: 8a421cf1a782875d137ffebe3ed150f087d95623417fbb86c0d0b0b2991a6a52
• Instruction Fuzzy Hash: 081170755006009FDB20CF55D884BA6FBE4EF44720F08C4AAED458B651D379E858DF61
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtQuerySystemInformation.NTDLL ref: 0074BF5D
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: InformationQuerySystem
• String ID:
• API String ID: 3562636166-0
• Opcode ID: 4b81c0845643a458ff3b6702df138af706bbac0ba3731d3f0a52a0fcea0f0039
• Instruction ID: a6699a3ca15905d22b1a558e3e9083dc43ab6139b4223a21259be245b6870f2e
• Opcode Fuzzy Hash: 4b81c0845643a458ff3b6702df138af706bbac0ba3731d3f0a52a0fcea0f0039
• Instruction Fuzzy Hash: 37018B354006409FDB208F05DC84B61FBE0EF08720F08C09AED894BA62D379E818DFA2
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph image not recoverable from the export; what survives: function entry at ee36f0, basic blocks spanning ee36f0-ee37d4, no calls. The executed / not-executed coloring of the graph is lost.]
Strings
Memory Dump Source
• Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ee0000_server.jbxd
Similarity
• API ID:
• String ID: Nu$Nu$Nu$Nu
• API String ID: 0-2751682506
• Opcode ID: 5888e60691c8d6acd9bd81f4bd9a74d7809f00a3f35b70f46109f8b337b87b51
• Instruction ID: b041a8a98d321998ae507428ecaeabeab921809244acb18ecc0a6e2ac48d0f89
• Opcode Fuzzy Hash: 5888e60691c8d6acd9bd81f4bd9a74d7809f00a3f35b70f46109f8b337b87b51
• Instruction Fuzzy Hash: 6D2194747002499FEB10CB69C840BAB77E5FF89348F144429E505EB384D770ED008794
Uniqueness

Uniqueness Score: -1.00%

                                                                                              Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; blocks ee01e1-ee0200, ee0202 calling 730606 or 7305ec, ee0208-ee0288)
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: HQu$XRu$Pu
                                                                                              • API String ID: 0-3267648291
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$:@Cl
                                                                                              • API String ID: 0-977473982
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$:@Cl
                                                                                              • API String ID: 0-977473982
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$\Ojl
                                                                                              • API String ID: 0-1796497847
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$\Ojl
                                                                                              • API String ID: 0-1796497847
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$\Ojl
                                                                                              • API String ID: 0-1796497847
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$\Ojl
                                                                                              • API String ID: 0-1796497847
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$\Ojl
                                                                                              • API String ID: 0-1796497847
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$\Ojl
                                                                                              • API String ID: 0-1796497847
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$\Ojl
                                                                                              • API String ID: 0-1796497847
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$\Ojl
                                                                                              • API String ID: 0-1796497847
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$Ku
                                                                                              • API String ID: 0-4230133869
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl$\Ojl
                                                                                              • API String ID: 0-1796497847
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 2jl$2jl
                                                                                              • API String ID: 0-1801541598
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0074B1F5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: Open
                                                                                              • String ID:
                                                                                              • API String ID: 71445658-0
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0074AB25
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              • Opcode ID: 8fb1d5aad021fd555624fa3de9874744c956a6116458c40e44207cffaeadc3bb
                                                                                              • Instruction ID: 557378fdb6bba29d8426948c345063ff6a310688e02f8999bd267c93320fac53
                                                                                              • Opcode Fuzzy Hash: 8fb1d5aad021fd555624fa3de9874744c956a6116458c40e44207cffaeadc3bb
                                                                                              • Instruction Fuzzy Hash: 57318275509380AFE721CF25CC85F56BBF8EF05310F09849EE9458B252D365E808CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateMutexW.KERNELBASE(?,?), ref: 0074B01D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateMutex
                                                                                              • String ID:
                                                                                              • API String ID: 1964310414-0
                                                                                              • Opcode ID: c345dd2096eaddd4cd6dca34e07937a86c79551b3af022ee6bf84dfd6cb5b7bb
                                                                                              • Instruction ID: 4a574a031920e12cad5d0a63a49296bf6494944a492dbe4ca6eb967f6ccc8cf0
                                                                                              • Opcode Fuzzy Hash: c345dd2096eaddd4cd6dca34e07937a86c79551b3af022ee6bf84dfd6cb5b7bb
                                                                                              • Instruction Fuzzy Hash: 8B318175509380AFE711CB25DC85F56BFF8EF06314F09849AE944CB292D365E909CB72
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNELBASE(?,00000E24,B99B0101,00000000,00000000,00000000,00000000), ref: 0074B2F8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              • Opcode ID: 1d2b4974dd8e9df596a1f6e97bd61e86873ac2a035bb5fe51a791524e2589300
                                                                                              • Instruction ID: 7cb80af5177d54b7379fbe6216e7d0b9d62a07430c0f75d302098b53d4d58db7
                                                                                              • Opcode Fuzzy Hash: 1d2b4974dd8e9df596a1f6e97bd61e86873ac2a035bb5fe51a791524e2589300
                                                                                              • Instruction Fuzzy Hash: DD3191761093849FE722CF21CC45FA6BFBCEF06724F09849AE9858B152D364E948CB71
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0074A77E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: Clipboard
                                                                                              • String ID:
                                                                                              • API String ID: 220874293-0
                                                                                              • Opcode ID: 9cc6b1ecb82c915963ce86c93a2dede817dadb62be4dea15da79ab7a9a9153b2
                                                                                              • Instruction ID: ceba26c05c32c5c11ef9a7bbb54519db0ebb6ec758a1517272476ed4d92fca2f
                                                                                              • Opcode Fuzzy Hash: 9cc6b1ecb82c915963ce86c93a2dede817dadb62be4dea15da79ab7a9a9153b2
                                                                                              • Instruction Fuzzy Hash: 2831717104D3C06FD3138B259C61B61BFB4EF47610F0A80DBD884CB5A3D2696919D7B2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl
                                                                                              • API String ID: 0-1360559020
                                                                                              • Opcode ID: f529cbb7c473b74ec8d8c70adfbbed7d5a52f6834df893003bb2c4c189c1fd13
                                                                                              • Instruction ID: 0dcc61dee100a7d343f7b68ff0ac8e4ffdf4e30ec333f6c9f0095bde96481623
                                                                                              • Opcode Fuzzy Hash: f529cbb7c473b74ec8d8c70adfbbed7d5a52f6834df893003bb2c4c189c1fd13
                                                                                              • Instruction Fuzzy Hash: 77D15E30A00618DFCB09EFB5F854A9D77B6EF88348B2195A9D406A73A9DF359C05CF50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SendMessageTimeoutA.USER32(?,00000E24), ref: 0074B4D5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSendTimeout
                                                                                              • String ID:
                                                                                              • API String ID: 1599653421-0
                                                                                              • Opcode ID: 6d9f66b566760adc9d4e7b9e17526ccd0720de1aaa8b8c987b9f73b03632fe81
                                                                                              • Instruction ID: 3296b38aecce587fa5fd1ad0ec6fdde3555d7d502e16af76c3b25b5c32bbf920
                                                                                              • Opcode Fuzzy Hash: 6d9f66b566760adc9d4e7b9e17526ccd0720de1aaa8b8c987b9f73b03632fe81
                                                                                              • Instruction Fuzzy Hash: 0F21A575504780AFEB228F11DC44FA6FFB8EF46310F08849AEA844B562D375A919CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegSetValueExW.KERNELBASE(?,00000E24,B99B0101,00000000,00000000,00000000,00000000), ref: 0074B3E4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: Value
                                                                                              • String ID:
                                                                                              • API String ID: 3702945584-0
                                                                                              • Opcode ID: 242bd46c0fc5661ed349194c7f0e2377398d63e45033f77bce71b36bff35971f
                                                                                              • Instruction ID: 6c9d4c8f2f69f6e2ca2a2bd5f5be8daf041b46eb91c884b6c9f2c97135dee637
                                                                                              • Opcode Fuzzy Hash: 242bd46c0fc5661ed349194c7f0e2377398d63e45033f77bce71b36bff35971f
                                                                                              • Instruction Fuzzy Hash: DB21A476508380AFE7228F15DC45F67BFB8EF46710F08849AE9858B252D364E848C771
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0074AB25
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateFile
                                                                                              • String ID:
                                                                                              • API String ID: 823142352-0
                                                                                              • Opcode ID: c339ea50f589887dcb404b70978edad70281c777829dd3d010195af5ce59394d
                                                                                              • Instruction ID: faba4324cd7d310675b3e1f3e65fb80f8b535d2e9babe1c6d0ba2577c1b6ec9b
                                                                                              • Opcode Fuzzy Hash: c339ea50f589887dcb404b70978edad70281c777829dd3d010195af5ce59394d
                                                                                              • Instruction Fuzzy Hash: C421A1B5544240AFEB21CF65DC85F66FBE9EF08720F08846EEA458B651D375E804CB72
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0074B1F5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: Open
                                                                                              • String ID:
                                                                                              • API String ID: 71445658-0
                                                                                              • Opcode ID: ffdc7e8b81b0b09cd24da6c93d538fc559172558acd032f861e7c343a80b27e2
                                                                                              • Instruction ID: 982b432c7374d135c7a0ee177b0fe46dee6e969020c263e038d3fe76f67d7b82
                                                                                              • Opcode Fuzzy Hash: ffdc7e8b81b0b09cd24da6c93d538fc559172558acd032f861e7c343a80b27e2
                                                                                              • Instruction Fuzzy Hash: 9A21A172504204AFF7219F55DC84FABFBECEF08724F04845AEA458B651D374E9088A71
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WriteFile.KERNELBASE(?,00000E24,B99B0101,00000000,00000000,00000000,00000000), ref: 0074AE4D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3934441357-0
                                                                                              • Opcode ID: 0635437f653db0b9e3040c5e898d4ccbf56df9260d583d9f4cc9d3e68163f4ff
                                                                                              • Instruction ID: 5d9cc7cc2417f63c8102dddcf5f0b5f0df3da97866f3838ff649afa45ce6931f
                                                                                              • Opcode Fuzzy Hash: 0635437f653db0b9e3040c5e898d4ccbf56df9260d583d9f4cc9d3e68163f4ff
                                                                                              • Instruction Fuzzy Hash: 8E219F76404340AFEB22CF51DC44FA7BBA8EF45720F0584AAFA448B152D265A908CBB5
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • GetFileType.KERNELBASE(?,00000E24,B99B0101,00000000,00000000,00000000,00000000), ref: 0074ACBD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileType
                                                                                              • String ID:
                                                                                              • API String ID: 3081899298-0
                                                                                              • Opcode ID: 4e9c3ce82efccd81375f8761557127eec8f818b78b98805b14806fec2d0a014b
                                                                                              • Instruction ID: e11da54ecb2c15e5cca620a37e5cd6586b769b4e3a604bc107f589228b5b81c0
                                                                                              • Opcode Fuzzy Hash: 4e9c3ce82efccd81375f8761557127eec8f818b78b98805b14806fec2d0a014b
                                                                                              • Instruction Fuzzy Hash: 572193B54097806FE7128B119C95BA2BFB8DF47724F0980DAE9848B193D268A909D772
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetErrorMode.KERNELBASE(?), ref: 0074AA44
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorMode
                                                                                              • String ID:
                                                                                              • API String ID: 2340568224-0
                                                                                              • Opcode ID: b12ebb5768386894519228a369c7554cba642d777f4d7690a3b6ac2f5852e444
                                                                                              • Instruction ID: a937d84967ffd497c90008ecd781c9d965a80e64d8f1c48caf020c335327e742
                                                                                              • Opcode Fuzzy Hash: b12ebb5768386894519228a369c7554cba642d777f4d7690a3b6ac2f5852e444
                                                                                              • Instruction Fuzzy Hash: 0421486544E3C0AFDB138B259C64A51BFB4EF53624F0E80DBD9C48F5A3D2699848CB72
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: send
                                                                                              • String ID:
                                                                                              • API String ID: 2809346765-0
                                                                                              • Opcode ID: ecf5b3e431d316b2e387e88ea362c38a2b6855dbb924dcb39d6a70a58eb70305
                                                                                              • Instruction ID: 0c135cb5234a6c06208354d655f3e9f6932fe1a962029b865d251fbf0364e76f
                                                                                              • Opcode Fuzzy Hash: ecf5b3e431d316b2e387e88ea362c38a2b6855dbb924dcb39d6a70a58eb70305
                                                                                              • Instruction Fuzzy Hash: 2821A13140D3C0AFD7238B218C94B52BFB4EF07210F0984DBE9848F5A3D269A819D772
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CreateMutexW.KERNELBASE(?,?), ref: 0074B01D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateMutex
                                                                                              • String ID:
                                                                                              • API String ID: 1964310414-0
                                                                                              • Opcode ID: 155e448813ca4fd2a1161a969b4d50f8247ae874ffbec57207b8ecefbbfe5cce
                                                                                              • Instruction ID: b268f35fef87065016bc54a5a05aff7eb87dfe3c43fdb9887173a7ccb66228b0
                                                                                              • Opcode Fuzzy Hash: 155e448813ca4fd2a1161a969b4d50f8247ae874ffbec57207b8ecefbbfe5cce
                                                                                              • Instruction Fuzzy Hash: 0D219275605240AFE720CF25DD85FA6FBE8EF04724F08846AE944CB651D379E904CB75
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 0074ABF0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: ChangeCloseFindNotification
                                                                                              • String ID:
                                                                                              • API String ID: 2591292051-0
                                                                                              • Opcode ID: 5633a7d3a90b9c32f5d174991a0cec9ae99afefd237bcccfbf7df6dc56e60b65
                                                                                              • Instruction ID: e7223b43818bb4550440e9858df81069669144ee5b5e54bde7cd08fab23ed711
                                                                                              • Opcode Fuzzy Hash: 5633a7d3a90b9c32f5d174991a0cec9ae99afefd237bcccfbf7df6dc56e60b65
                                                                                              • Instruction Fuzzy Hash: 6521A4755093C09FDB128B25DC95752BFA8EF07320F0984DAED858F6A3D2699908C762
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNELBASE(?,00000E24,B99B0101,00000000,00000000,00000000,00000000), ref: 0074B2F8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID:
                                                                                              • API String ID: 3660427363-0
                                                                                              • Opcode ID: 4d14e82cdc98fc4d71e38d54ae01d0ca210b99a551d7caf3b33db1d8e40fcf3d
                                                                                              • Instruction ID: 55fbf35c1301f2937acea96ac00b23fc9d759791070c4393888c24e2f5f0f0fc
                                                                                              • Opcode Fuzzy Hash: 4d14e82cdc98fc4d71e38d54ae01d0ca210b99a551d7caf3b33db1d8e40fcf3d
                                                                                              • Instruction Fuzzy Hash: C42190756002049FEB20CF16DC85F6AF7ECEF04720F08856AE9458B651D778ED48CA71
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CopyFileW.KERNELBASE(?,?,?), ref: 0074B78E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: CopyFile
                                                                                              • String ID:
                                                                                              • API String ID: 1304948518-0
                                                                                              • Opcode ID: a54b55e95ef1f1d3fc7583f7b33997a74e7ffb7b72c5b7c81dc1f3f195dc5e53
                                                                                              • Instruction ID: adf245d7c07bd8bb8767dcffb42438e944f44ab21fc0b4b373b451c8a4710b4f
                                                                                              • Opcode Fuzzy Hash: a54b55e95ef1f1d3fc7583f7b33997a74e7ffb7b72c5b7c81dc1f3f195dc5e53
                                                                                              • Instruction Fuzzy Hash: E9213B715093809FEB228F25DC54B52BFE8EF56610F08849AE985CB652D369E808DB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 0074BEA8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: ChangeCloseFindNotification
                                                                                              • String ID:
                                                                                              • API String ID: 2591292051-0
                                                                                              • Opcode ID: 1f722ea38487c58dd6457b492a23aa09db4733cedcde06441fd465cdc8b9e27b
                                                                                              • Instruction ID: 4a313a01ccea61193b52d392e4891dc5ab64c0f327719282dc6e4aafa549ec9d
                                                                                              • Opcode Fuzzy Hash: 1f722ea38487c58dd6457b492a23aa09db4733cedcde06441fd465cdc8b9e27b
                                                                                              • Instruction Fuzzy Hash: DB21F0725093C05FDB02CB25DC94792BFB4AF43320F0D84DAE9848F663D269A808CB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DeleteFileW.KERNELBASE(?), ref: 0074B908
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: DeleteFile
                                                                                              • String ID:
                                                                                              • API String ID: 4033686569-0
                                                                                              • Opcode ID: b7c357e298cf9376b6ff3326151fa8f15ed7421f1e6f23f3e34beab0ae216819
                                                                                              • Instruction ID: 1dd69efc892a5427bf24bbb855e653dfd1790dcd6c4960fe7a5a848edaf7616a
                                                                                              • Opcode Fuzzy Hash: b7c357e298cf9376b6ff3326151fa8f15ed7421f1e6f23f3e34beab0ae216819
                                                                                              • Instruction Fuzzy Hash: DA21A1B65093809FDB12CB25DC44B52BFB8DF06314F0984DAED84CF193D269E908CB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SendMessageTimeoutA.USER32(?,00000E24), ref: 0074B4D5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessageSendTimeout
                                                                                              • String ID:
                                                                                              • API String ID: 1599653421-0
                                                                                              • Opcode ID: 243621f787ff2d2c78fb3120f5cf751446a853d975d7096f721011af55c72635
                                                                                              • Instruction ID: 919eb98cc8e3003ecd86ebbbc54c43faad65892ac44adb771c3957d92a2df4e0
                                                                                              • Opcode Fuzzy Hash: 243621f787ff2d2c78fb3120f5cf751446a853d975d7096f721011af55c72635
                                                                                              • Instruction Fuzzy Hash: 9521DF75400200AFEB218F11DC40F66FBA8EF44720F18849AFE454B691D379E918DBB1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • RegSetValueExW.KERNELBASE(?,00000E24,B99B0101,00000000,00000000,00000000,00000000), ref: 0074B3E4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: Value
                                                                                              • String ID:
                                                                                              • API String ID: 3702945584-0
                                                                                              • Opcode ID: 1ff01fefa0660e9e136b3745ae514b6a2b703e5e22c6aedeb6a2a6a6d356ce90
                                                                                              • Instruction ID: 20cc02717ac81ea1f9a0a00b4c0fba4a7c915b52993f15c3872c1ae5626f24b4
                                                                                              • Opcode Fuzzy Hash: 1ff01fefa0660e9e136b3745ae514b6a2b703e5e22c6aedeb6a2a6a6d356ce90
                                                                                              • Instruction Fuzzy Hash: AB118176504600AFEB218E16DC45F66BBECEF44720F18C56AE9459B652D368E804CAB1
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • SetFileAttributesW.KERNELBASE(?,?), ref: 0074B9BF
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: AttributesFile
                                                                                              • String ID:
                                                                                              • API String ID: 3188754299-0
                                                                                              • Opcode ID: aea64d6f92a9ff435ec86c2f36fdc9751166893a45cfaa2c233c1aa4890c4fc8
                                                                                              • Instruction ID: 8b565a44b2c602e656a4669f45e96918856854f6d4d042f2a906261836b3a8c4
                                                                                              • Opcode Fuzzy Hash: aea64d6f92a9ff435ec86c2f36fdc9751166893a45cfaa2c233c1aa4890c4fc8
                                                                                              • Instruction Fuzzy Hash: 692181755093C09FDB128B25DC85B56BFE8EF46320F0984DAE985CF262D379E848CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0074BC6E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: LookupPrivilegeValue
                                                                                              • String ID:
                                                                                              • API String ID: 3899507212-0
                                                                                              • Opcode ID: 28b8232cc9dd80c45b2d2e90859cdb4d2af8ad744e923d1ee413dd160f748b7d
                                                                                              • Instruction ID: 92cf6ca040fa633c21ca4a5410ab0a204879f5734e287e5f6c9b7df928388c20
                                                                                              • Opcode Fuzzy Hash: 28b8232cc9dd80c45b2d2e90859cdb4d2af8ad744e923d1ee413dd160f748b7d
                                                                                              • Instruction Fuzzy Hash: DF1151715053809FDB21CF25DC85B62BFE8EF56620F0984AAED45CB652D379E804CB71
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 0074A690
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: ChangeCloseFindNotification
                                                                                              • String ID:
                                                                                              • API String ID: 2591292051-0
                                                                                              • Opcode ID: 94c4c34bfbdeccb7c458c2b289279a925027a3b7161d5e97f081fafb5dc0ad19
                                                                                              • Instruction ID: 3d3dc95a309fc069c94f10f500006021913c7679f43ab9a8d4c79d5c2d93b3e9
                                                                                              • Opcode Fuzzy Hash: 94c4c34bfbdeccb7c458c2b289279a925027a3b7161d5e97f081fafb5dc0ad19
                                                                                              • Instruction Fuzzy Hash: 9F2138754093C09FDB128B259894792BFB4DF47220F0A84DBE9849F1A3D2699908DBB2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0074A5DE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              • Opcode ID: 36fbd7cd8d7e8deea68614e91320ba9e267af996f52b5276bfbb0c1e7f2e5e63
                                                                                              • Instruction ID: 50fee2bf995b817e93fdb89471a54e7512e5fe0b3c921f78c18a4654ca371ea3
                                                                                              • Opcode Fuzzy Hash: 36fbd7cd8d7e8deea68614e91320ba9e267af996f52b5276bfbb0c1e7f2e5e63
                                                                                              • Instruction Fuzzy Hash: CA117571449380AFDB228F55DC44A52FFF4EF46310F0988DAE9858B562D376A818DB62
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • WriteFile.KERNELBASE(?,00000E24,B99B0101,00000000,00000000,00000000,00000000), ref: 0074AE4D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3934441357-0
                                                                                              • Opcode ID: 4165c876cc75a20697c2659f9070cb831b24821ba5b4d40ddd88229e7c9fc93d
                                                                                              • Instruction ID: b4d3284dc9fdaaf3a5c4c5c23f70245885eb7ac567ed13c174e741bacb176740
                                                                                              • Opcode Fuzzy Hash: 4165c876cc75a20697c2659f9070cb831b24821ba5b4d40ddd88229e7c9fc93d
                                                                                              • Instruction Fuzzy Hash: 7C11B275404200AFEB21CF51DC45FA6FBA8EF44724F14C46AEA458B651D379A4048BB2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • CopyFileW.KERNELBASE(?,?,?), ref: 0074B78E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: CopyFile
                                                                                              • String ID:
                                                                                              • API String ID: 1304948518-0
                                                                                              • Opcode ID: c4e46fe4a6fea5d7f621dbb430ecfc56b2e0c6f321cd494b804bf4779b6ff180
                                                                                              • Instruction ID: 39bd2fa9eec306c0fb0fd9168127af957614e5ed3d7dbd6da1139cd00de9f0ab
                                                                                              • Opcode Fuzzy Hash: c4e46fe4a6fea5d7f621dbb430ecfc56b2e0c6f321cd494b804bf4779b6ff180
                                                                                              • Instruction Fuzzy Hash: 85118E756002409FEB61CF2AD885B56FBE8EF55720F08C4ABED49CB642D379E804CB61
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              APIs
                                                                                              • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0074BC6E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_74a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID: LookupPrivilegeValue
                                                                                              • String ID:
• API String ID: 3899507212-0
• Opcode ID: c4e46fe4a6fea5d7f621dbb430ecfc56b2e0c6f321cd494b804bf4779b6ff180
• Instruction ID: 3ee0c722f928a8be873dbed7702f7f860d7bbfe1da199e2da6cf925e07b7736d
• Opcode Fuzzy Hash: c4e46fe4a6fea5d7f621dbb430ecfc56b2e0c6f321cd494b804bf4779b6ff180
• Instruction Fuzzy Hash: 2B117C756002008FEB10CF2AD8C5B66BBE8EF54320F0884AAED49CB651D779E804CA71
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileType.KERNELBASE(?,00000E24,B99B0101,00000000,00000000,00000000,00000000), ref: 0074ACBD
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: FileType
• String ID:
• API String ID: 3081899298-0
• Opcode ID: 20462aaaddd031a936085164ae0f219e634625e0f801875692e1b7b7ee681615
• Instruction ID: dc091758d25911ebd4e0a8b900642264bdd17277a38cff1a712312f8af884b66
• Opcode Fuzzy Hash: 20462aaaddd031a936085164ae0f219e634625e0f801875692e1b7b7ee681615
• Instruction Fuzzy Hash: E201D675544200AFE710CB05DC85FB6F798DF44724F18C09AEE048B641D378E948CAB2
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: bddfd1b718b21121a59b51d14b587817375f91f69f508171b5c0440383eab4da
• Instruction ID: eb37206fc39e4c8a3d95c8b1be3ddbcf05def9bf9f6c93530da26c41928bd022
• Opcode Fuzzy Hash: bddfd1b718b21121a59b51d14b587817375f91f69f508171b5c0440383eab4da
• Instruction Fuzzy Hash: 1211A1755093C09FDB128B25DC84B52FFB4DF47220F0980DBED858F6A2D279A908CB62
Uniqueness

Uniqueness Score: -1.00%

APIs
• WaitForInputIdle.USER32(?,?), ref: 0074B6D3
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: IdleInputWait
• String ID:
• API String ID: 2200289081-0
• Opcode ID: cb835d51a9ffb4019c126d4d9d0972c85f6aa6faf4e9775cf61b236d0307fc6e
• Instruction ID: e4c69003bad4fe887d8bd83471fc3e4c197cea184775ace81365a4d6a005eb29
• Opcode Fuzzy Hash: cb835d51a9ffb4019c126d4d9d0972c85f6aa6faf4e9775cf61b236d0307fc6e
• Instruction Fuzzy Hash: C9115E754093809FDB12CF55DC85B52BFE4EF46320F09849BED458F262D379A848CB62
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFileAttributesW.KERNELBASE(?,?), ref: 0074B9BF
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: b85fea25dec4ea15c3112baa1aacefa3684d94dd9bf72796ec557fe918af04ed
• Instruction ID: f9566d99030fe37fd2bb3fc8a95fbe62ced052b7fce74a15c8fb1ffe87d63472
• Opcode Fuzzy Hash: b85fea25dec4ea15c3112baa1aacefa3684d94dd9bf72796ec557fe918af04ed
• Instruction Fuzzy Hash: EA018C75605240CFEB50CF2AD885766FBE8EF05320F08C4AAED49CB752D379E844CA62
Uniqueness

Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNELBASE(?), ref: 0074B908
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 9e33a5dd6df198aaf4b3f0fe543e8e8b10962d383da6fb5909cdd7112ec0b6f4
• Instruction ID: ac7cc73148e466bceaaeb5199d06948ea194f1ced994a8aac74e928d2a6ee46c
• Opcode Fuzzy Hash: 9e33a5dd6df198aaf4b3f0fe543e8e8b10962d383da6fb5909cdd7112ec0b6f4
• Instruction Fuzzy Hash: 80014C75A042408FEB14CF2AD885766BBD8DF45720F18C4AADE49CB652D379E8448AA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0074A5DE
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: a5760e71d73bf3609a3d43527824a55a1570d497366d5328f005d5f402603d0c
• Instruction ID: e2ebb18c4e977e901a0219ebe87a869f6cf5b88d47aa0c1faa6ba6a4240caba9
• Opcode Fuzzy Hash: a5760e71d73bf3609a3d43527824a55a1570d497366d5328f005d5f402603d0c
• Instruction Fuzzy Hash: EC016D76400640AFDB21CF55D984B56FFE0EF48720F08C99AEE494B651D37AE428DF62
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 0074BEA8
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: 47fd9925ce4c379d90033bf77f4e61d4354a89fd50b0374c2d65184e1d56fe2b
• Instruction ID: e6cd5df7e3a37bd35d138d1b5bc3fb34aad87a8f8c4bfda5f1b539eea696de4d
• Opcode Fuzzy Hash: 47fd9925ce4c379d90033bf77f4e61d4354a89fd50b0374c2d65184e1d56fe2b
• Instruction Fuzzy Hash: D001DF755042408FDB10CF1AD884796FBE4EF84320F08C4AAED498F652D379E808DAA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 0074ABF0
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: 306346afbe98752833f16c06b8e55ca3f42ccb935736c43833320f75e248e42b
• Instruction ID: 849d7c012fdb66af7e78140c6b43009190637bf3950888332bfb55f593aaec06
• Opcode Fuzzy Hash: 306346afbe98752833f16c06b8e55ca3f42ccb935736c43833320f75e248e42b
• Instruction Fuzzy Hash: A4018F759042409FEB50CF16E8857A6FBE4DF45320F08C4ABDD498F652D379E848DAA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0074A77E
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: Clipboard
• String ID:
• API String ID: 220874293-0
• Opcode ID: 985a9aa38061d6a2d6ffdd4f719f7ffacbaa9e426afbd05ed13e05b91b3c82ad
• Instruction ID: c3140e8cbb5996560f60cb69b009392c582fce14b1fd8105dd5d406e756fbad2
• Opcode Fuzzy Hash: 985a9aa38061d6a2d6ffdd4f719f7ffacbaa9e426afbd05ed13e05b91b3c82ad
• Instruction Fuzzy Hash: AC01A271600200ABD210DF16CC86B26FBE8FB89A20F14815AED085B741E775F955CBE5
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: send
• String ID:
• API String ID: 2809346765-0
• Opcode ID: 3d31c074565b11a319a29ed4211b6d8694118c309693a2447c30d4153460be40
• Instruction ID: 875aecec156f9409e6aad8ced51d7df4aa74b02ef51981bc98f93d48d7eeef09
• Opcode Fuzzy Hash: 3d31c074565b11a319a29ed4211b6d8694118c309693a2447c30d4153460be40
• Instruction Fuzzy Hash: 17019E354042449FDB20CF55D884B66FBE0EF44320F08C49AED494B611D379E458DBA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• WaitForInputIdle.USER32(?,?), ref: 0074B6D3
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: IdleInputWait
• String ID:
• API String ID: 2200289081-0
• Opcode ID: 7e1504c4554ed95003da52f8b055f9569fb1a31cd4345e624e9b8ba455ad649e
• Instruction ID: 9d428810b7fa3e65a166dce4ac16b78bdea6bff734d5399b1fd2b1f6b29e8f04
• Opcode Fuzzy Hash: 7e1504c4554ed95003da52f8b055f9569fb1a31cd4345e624e9b8ba455ad649e
• Instruction Fuzzy Hash: C00178758042409FEB10CF15D884B65FBE4EF44320F09C4AADD488F652D3BAE808DAA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 0074A690
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: 7aa981cbad59465da6a252f0424a7a841272904673d81e4b539cfecb676a7dc4
• Instruction ID: bb7d8bd7db77dad1614c68935552e6ad98674f0557ce9359e3549da8745948d5
• Opcode Fuzzy Hash: 7aa981cbad59465da6a252f0424a7a841272904673d81e4b539cfecb676a7dc4
• Instruction Fuzzy Hash: F1018B758042409FEB10CF16D884766FBA4EF45320F0EC4AADD488F652D379A408CAA3
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: b461841ee6c605f1d3a652bef56055c08a6a425aa03f4f0621f256f2676283a8
• Instruction ID: 10ecda63987f6c703d5705efaf86da8320a4eb548c23dcc5776e71056d7b67de
• Opcode Fuzzy Hash: b461841ee6c605f1d3a652bef56055c08a6a425aa03f4f0621f256f2676283a8
• Instruction Fuzzy Hash: 0201A4756042408FDB148F16D8857A6FBE4DF05720F08C0EADD458FB56D3B9E848CEA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNELBASE(?), ref: 0074AA44
Memory Dump Source
• Source File: 00000002.00000002.3689011732.000000000074A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074A000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_74a000_server.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: aa0858dff072d74de5e210cc1b7c072e9a970987bc981d5df18f5ef565e0e378
• Instruction ID: 3a54222fc096e2510dc11fd4a11d500ad3d9cc1fa2d0fba6cee66d266edbb84b
• Opcode Fuzzy Hash: aa0858dff072d74de5e210cc1b7c072e9a970987bc981d5df18f5ef565e0e378
• Instruction Fuzzy Hash: D2F08C75A44240AFDB208F05D984765FBE0EF45724F08C09ADD494B752D3B9A948CEA2
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ee0000_server.jbxd
Similarity
• API ID:
• String ID: :@Cl
• API String ID: 0-1360559020
• Opcode ID: 929cbfd26e18820209d7f1934a5307bd41adc6a29802b818433f0852ffb74032
• Instruction ID: 0093da8b22d199fea4d176d5f3d52138b49785694594ebb5b50ee10fec842a83
• Opcode Fuzzy Hash: 929cbfd26e18820209d7f1934a5307bd41adc6a29802b818433f0852ffb74032
• Instruction Fuzzy Hash: 58914D34A00604DFCB09AF75F854AAD77B2EF88348B6095A9D816A77A9DF369C05CF40
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_ee0000_server.jbxd
Similarity
• API ID:
• String ID: :@Cl
• API String ID: 0-1360559020
• Opcode ID: dbefe73231f8d6a93052565850cf2a83213ea8460bc206865957e70e937c6e7f
• Instruction ID: e466fd1fa01b195c0a5fc88437697e5739a99026bd014da9c9d509341c941810
• Opcode Fuzzy Hash: dbefe73231f8d6a93052565850cf2a83213ea8460bc206865957e70e937c6e7f
• Instruction Fuzzy Hash: CD815B34A00614DFCB09EF75E854AAD73B2EFC8348B6095A9E815A77A9DF369C01CB40
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl
                                                                                              • API String ID: 0-1360559020
                                                                                              • Opcode ID: 1b71725cf441eec756521f984716cd02813fba6ff63ac57b2113371fbf4ab895
                                                                                              • Instruction ID: 0a1d862f3db1b3a76e4543bc04e546f9436802e523c78145acdfb04246e0bc1f
                                                                                              • Opcode Fuzzy Hash: 1b71725cf441eec756521f984716cd02813fba6ff63ac57b2113371fbf4ab895
                                                                                              • Instruction Fuzzy Hash: C9717B34A01604DFCB09AF75F855AAD73B2EFC8348B6095A9D806A77A9DF369C11CF40
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 2jl
                                                                                              • API String ID: 0-3618021078
                                                                                              • Opcode ID: 49f82d2bc8b2b1dc8aaf05a5fd017c9d68b3574a9894f2d150c762d7eac17e6b
                                                                                              • Instruction ID: b0583c470aac285babe84f38a44a79fbe8802b0f33c3b9355e865add9fb69e73
                                                                                              • Opcode Fuzzy Hash: 49f82d2bc8b2b1dc8aaf05a5fd017c9d68b3574a9894f2d150c762d7eac17e6b
                                                                                              • Instruction Fuzzy Hash: 2A817C30A00258CFCB14EFB4D855BECB7B2AF89308F5084A9D00AAB394DB759E84CF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl
                                                                                              • API String ID: 0-1360559020
                                                                                              • Opcode ID: 31134a7af345723d0a244593796fe721e7b15fbf591cc73ad0b57fffab5eb7bb
                                                                                              • Instruction ID: b7f24c090cc030be3710109633f54728132a6733402d5fc9277c89953d2034fc
                                                                                              • Opcode Fuzzy Hash: 31134a7af345723d0a244593796fe721e7b15fbf591cc73ad0b57fffab5eb7bb
                                                                                              • Instruction Fuzzy Hash: B5613870A01268CFDB25EB35D994BEDB7B2AB89308F5042E9D5096B394DF359E85CF00
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl
                                                                                              • API String ID: 0-1360559020
                                                                                              • Opcode ID: cbf889c42a61190063e71bd567602facecb6c86a8c7bfcac5efd220af371167d
                                                                                              • Instruction ID: f58d9a56052bab3e5a0c3d1a02f67465557774a943ece49d37ac09328ed64af4
                                                                                              • Opcode Fuzzy Hash: cbf889c42a61190063e71bd567602facecb6c86a8c7bfcac5efd220af371167d
                                                                                              • Instruction Fuzzy Hash: 8951BF30B00618DFCB18AFB1E8516AD73A6EFC8348F209569D816A77A9DF35AC05CB50
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: :@Cl
                                                                                              • API String ID: 0-1360559020
                                                                                              • Opcode ID: d0e35d41daeba16086c615b9591d060a13a3a4f60c9fa3146bfadc1d807cc6a6
                                                                                              • Instruction ID: dd222fc1878fad8258a7a954d2368da8a21594b141b4e4b1931ad133d9e58a0c
                                                                                              • Opcode Fuzzy Hash: d0e35d41daeba16086c615b9591d060a13a3a4f60c9fa3146bfadc1d807cc6a6
                                                                                              • Instruction Fuzzy Hash: 6D310630B006059FCB04BB75D8117BE33A6DB88308F148479D405D77A9EF799D49C792
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 387e73f17e49071574b319b8b28add83fe8aa71738ef69a5838922f5fc75b6ef
                                                                                              • Instruction ID: 7a09004fc4ed8b05e6613b157bdbb6eea6253d395c43c4e5e563995c29b7a947
                                                                                              • Opcode Fuzzy Hash: 387e73f17e49071574b319b8b28add83fe8aa71738ef69a5838922f5fc75b6ef
                                                                                              • Instruction Fuzzy Hash: C5A1D174A01228CFCB24EF75D944AECB7B2BB89309F1051E9D809AB795DB359E80CF40
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b81ed974ae7745189c9365d52f5e77c5131afc05712bc7fc3fe6db26fa94fd16
                                                                                              • Instruction ID: 9ac413bd0497d4dd7efd37ef608b91ec7e68652f7e82649d5b0dc6f95534d278
                                                                                              • Opcode Fuzzy Hash: b81ed974ae7745189c9365d52f5e77c5131afc05712bc7fc3fe6db26fa94fd16
                                                                                              • Instruction Fuzzy Hash: 6641E6306086858FD714DF3798057BC72E6AF45358F2895A4E451EB2E1EF38CD46CB21
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2831dbaaeceac15869aa36373d71d835d3cc9985088120cd4e2784b2af294a11
                                                                                              • Instruction ID: 8564ae442e62771cfd191c698227aba3866b7c2c7b4f53688aaf8b73ff8a8ed0
                                                                                              • Opcode Fuzzy Hash: 2831dbaaeceac15869aa36373d71d835d3cc9985088120cd4e2784b2af294a11
                                                                                              • Instruction Fuzzy Hash: 9B31B534B002099FDB04DB75D8547AEBBF6AF88354F284079E405EB3A1DF71AD048B91
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a6c780a45238249bee03f6eba9aa9dc30d93999b2f563519dd4d25c4ee94f5b3
                                                                                              • Instruction ID: 5b66393ded61b85adacb12cfce167d40fe52c1cb05d6673261dcbe7997a39b10
                                                                                              • Opcode Fuzzy Hash: a6c780a45238249bee03f6eba9aa9dc30d93999b2f563519dd4d25c4ee94f5b3
                                                                                              • Instruction Fuzzy Hash: 4411BF71E00219CF8F44EBB9E8052ADBBF6EF8A25472114B9C90AF7395DB315E01CB90
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3704766320.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_5c30000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 664327727c726345981fdd3aa6268ae7ce29ddb9429d1fec682e602ffe595fb2
                                                                                              • Instruction ID: 8ded2172c638986f377432ee0dac1dec2e3ba7cf087046ee9f9687553df01e7f
                                                                                              • Opcode Fuzzy Hash: 664327727c726345981fdd3aa6268ae7ce29ddb9429d1fec682e602ffe595fb2
                                                                                              • Instruction Fuzzy Hash: 1511BAB5908341AFD340CF19D880A5BFBE4FBC9664F04895EF998D7311D275E9148FA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3704766320.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_5c30000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b61ecaf7b08fdfc426000c4bcf2cd21010d12c70141c48a5aa291551dc0870fb
                                                                                              • Instruction ID: 58a5d216c8cbca498cee707651ce389812e2663852bd8719d70863dd2615200d
                                                                                              • Opcode Fuzzy Hash: b61ecaf7b08fdfc426000c4bcf2cd21010d12c70141c48a5aa291551dc0870fb
                                                                                              • Instruction Fuzzy Hash: ED11FEB5508301AFD750CF09DC80E57FBE8EB88660F04881EF95897311D275E9088FA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3689246026.000000000075A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0075A000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_75a000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2d1c8e541aef1c6148a6665ecce3245fa058368bfcb09fab4cbf08891b7ae5ba
                                                                                              • Instruction ID: 2399724d4e134533e765a4be0a697cf6461c57c43e5a01bc2bce07ac2abba143
                                                                                              • Opcode Fuzzy Hash: 2d1c8e541aef1c6148a6665ecce3245fa058368bfcb09fab4cbf08891b7ae5ba
                                                                                              • Instruction Fuzzy Hash: 0311FEB5508301AFD350CF09DC80E57FBE8EB88660F04891EF95897311D375E9088FA2
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 33a599f9296e0822d85e72061f708e835ce3a96c0614bc95c33520eca068001c
                                                                                              • Instruction ID: b1e1a6b19837bc513c74a8b69ef494a8f36ec363b118d9a335a68b01af333a6b
                                                                                              • Opcode Fuzzy Hash: 33a599f9296e0822d85e72061f708e835ce3a96c0614bc95c33520eca068001c
                                                                                              • Instruction Fuzzy Hash: 45113A74E01258CFEB24EBB5D914BECF7B1AF88305F5081AAC419AB280D7784A84DF51
                                                                                              Uniqueness

                                                                                              Uniqueness Score: -1.00%

                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.3698229161.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_ee0000_server.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a80b9f005dbe06bccc00df01b7a3347ec0e27f56ab04cdc72f7c2a3e9b8b8812